Over the weekend, yet another list of potentially vulnerable IoT devices was made public. It was viewed by over 20,000 people before Pastebin removed it. The list covered devices that responded to Telnet sessions and were either secured with default credentials such as admin/admin or not secured with any authentication at all. Which raises the question: why do some people continually shoot themselves in the foot when it comes to securing these devices?
I get that security can be hard. If it were easy, we wouldn't see the number of successful attacks that are reported each month. But leaving devices open on the Internet smacks of carelessness.
There are two sides to this. Manufacturers should not ship equipment with easily guessed default passwords. The consumer router business has figured this out, with many devices now shipping with unique passwords. The same ought to be true for any device being connected to an enterprise network. And only connection protocols that are essential for initial setup should be enabled. Everything else should be off.
If you're a technology buyer, out-of-the-box security needs to be near the top of your mandatory requirements list. What that means will vary from business to business, but at the very least it should mean that a device can't be accessed by an unauthorised party before you have completed some basic setup and testing.
For those deploying technology: before connecting a device to the network, connect it to a sandboxed environment and verify that all unnecessary protocols and features are disabled and that all default usernames and passwords are changed.
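One way to script the protocol check described above, as an added example that is not part of the original article: it probes a device on an isolated test network for listening TCP management services and reports any that are not needed for setup, always flagging Telnet. The port table, the `required` set and the function names are assumptions for illustration.

```python
import socket
import sys

# Assumed table of common TCP management services; extend for the device class under test.
MGMT_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 80: "http",
              443: "https", 2323: "telnet-alt", 8080: "http-alt"}


def listening_ports(host, ports, timeout=1.0):
    """Return the sorted TCP ports on host that accept a connection."""
    found = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            if sock.connect_ex((host, port)) == 0:  # 0 means the handshake completed
                found.append(port)
    return sorted(found)


def audit(open_ports, required):
    """Return (port, service, finding) for every open port that should be turned off."""
    findings = []
    for port in sorted(open_ports):
        name = MGMT_PORTS.get(port, "unknown")
        if name.startswith("telnet"):
            # Telnet is cleartext, so it is reported even if someone listed it as required.
            findings.append((port, name, "cleartext login service, disable"))
        elif port not in required:
            findings.append((port, name, "not needed for setup, disable"))
    return findings


if __name__ == "__main__":
    required = {22, 443}  # assumption: the only services this deployment needs
    if len(sys.argv) > 1:
        # Address of the device on the isolated test network, given on the command line.
        open_ports = listening_ports(sys.argv[1], MGMT_PORTS)
    else:
        open_ports = [22, 23, 80, 443]  # constructed sample result for a dry run
    for port, name, finding in audit(open_ports, required):
        print(f"{port}/tcp ({name}): {finding}")
```

An empty result from `audit` means every listening service found is on the required list; it says nothing about whether default usernames and passwords have been changed, which still has to be confirmed on the device itself.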