Are they really this daft to leave default manufacturer passwords in this day and age?
Strangely, the article is titled "Weak Passwords", but discusses default/shared passwords. No mention of length, complexity, multi-factor, etc.
Personally, I think that password-strength is the wrong discussion. IoT devices have poor patch availability, little interest in maintenance, and are in places where one does not "care" much about the individual device. With a lifecycle of "run them till they die", our focus really should be on limiting the ability of poorly managed devices to cause damage.
This might be as simple as putting lens caps on cameras and not bugging our own kids. Or, it could extend to requiring manufacturers to advertise the risks as strongly as they advertise the benefits (like the US FDA does with drugs) and requiring recalls when flaws put consumer safety at risk (including loss of privacy).
From a technological perspective, we might consider switches that isolate IoT devices from each other on the home network, routers that are able to limit their Internet access to a curated list of sites and not exposing login/admin pages from untrusted networks. At work, we have technologies capable of doing this, but commoditization, simplification and automation are needed to make these capabilities accessible on $100 home routers.
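One way the router side of that could look, as an added example that is not part of the thread: an nftables ruleset that puts IoT devices on their own segment, allows them Internet access only to a curated allow-list, keeps them off the trusted LAN, and exposes the router's admin page only to the trusted LAN. Interface names, subnets and the allow-list addresses are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread). Assumed layout:
#   eth0   = WAN
#   br-lan = trusted LAN (192.168.1.0/24)
#   br-iot = IoT segment (192.168.2.0/24)
# Allow-list addresses below are placeholders, not real vendor endpoints.

flush ruleset

table inet iot_guard {
    # Curated destinations the IoT segment may reach (placeholders; in practice
    # the vendor's update/cloud endpoints, kept small and reviewed).
    set iot_allowed_dst {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.0/24, 198.51.100.10 }
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        # Router admin page (80/443) and SSH: trusted LAN only.
        iifname "br-lan" tcp dport { 22, 80, 443 } accept
        # IoT devices may use the router only for DHCP and DNS.
        iifname "br-iot" udp dport { 53, 67 } accept
        iifname "br-iot" tcp dport 53 accept
        # Admin-page probes from the WAN or the IoT segment: log, then drop.
        iifname { "eth0", "br-iot" } tcp dport { 22, 80, 443 } log prefix "admin-probe: " drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Trusted LAN may reach the Internet and may manage IoT devices.
        iifname "br-lan" oifname { "eth0", "br-iot" } accept
        # IoT segment: no lateral access to the LAN, Internet only via the allow-list.
        iifname "br-iot" oifname "br-lan" log prefix "iot-lateral: " drop
        iifname "br-iot" oifname "eth0" ip daddr @iot_allowed_dst accept
        iifname "br-iot" oifname "eth0" log prefix "iot-egress-denied: " drop
    }
}
```

Device-to-device isolation within the IoT segment itself is a switch or access-point function (port or client isolation) that a router ruleset cannot provide; the logged "iot-egress-denied" and "admin-probe" lines are what to watch for a device that starts misbehaving.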
@denbesten I think they were concentrating on the fact the manufacturer was leaving default passwords, which could be looked up angle. I think they were relating this to the next direction of Ransomware, by exploit because we simply made it too easy for the other party to access the organisation's systems.
I think some of this points back to security awareness of the public, and probably in terms of them asking the right questions - whether or not the sales person actually knows, but they should do. Or perhaps the local consumer legislation would come into play in terms of not fit for purpose or hidden feature sets.
Unfortunately, the USA or some states may be thinking about this, and acting upon it, but other nationalities are very slow on the pick-up and even slower in terms of getting the respective law machines actually churning to good effect. Even slower are politicians who should be debating these issues up front, but who looks at implications these days?
CyberHub published this not long ago. The table was based on brute force only.
I think I might disagree with some of their time frames (I believe some are too long, i.e. 46 days to crack a 15-character password; I think it would be much faster).