Ok, I am aware of how it works, but I'm not talking pentests or hardening. I'm talking simple, cheap design choices in this case, that could've eliminated the whole Mirai debauchery. In your app you already have a setup wizard, right? Add one more page to the end: "Hey, we're almost done! We just need to make sure your device is secure. Please choose a username and (strong) password."
Edit: Because if you have a login, you already have the components in place; you are not developing a new feature. This one simple design choice would have cost very little, both in terms of development time and increase in support costs, because Support is a cost center that scales with your user base and your knowledge base. Obviously not pennies, but still small costs. There is the classical point of diminishing returns from security investments; problem is, for most IoT products we are significantly left, towards zero investments, and at this point small investments and a few smart design choices would yield significant returns in security. And with developers that's exactly what I don't get. How has it not become internalized that allowing users to run the default user/pass combo is a very poor idea? I'm not asking for much, I don't expect them to know a lot about security, but not even adhering to some basic good practices of security is killing me.
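The "one more wizard page" design the comment above describes, as an added example that is not part of the thread or of any real product's firmware: the device's finishing step refuses to complete until the owner has replaced the factory credentials, and no login is accepted at all until setup is complete. The factory pair "admin"/"admin", the small default and common-password lists, and the PBKDF2 parameters are all constructed assumptions for illustration.

```python
"""Added example: a setup-wizard finishing step that enforces non-default credentials.

Assumptions (not from the thread): the device ships with a factory account
("admin"/"admin", a constructed placeholder), exposes no login until
`setup_complete` is True, and stores passwords as salted PBKDF2-HMAC-SHA256 hashes.
The wizard itself is assumed to be reachable only over the first-boot local path,
not the network service that `login()` guards.
"""
import hashlib
import hmac
import os

# Constructed sample of factory/default pairs the wizard must reject.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("root", "root"), ("admin", "password"),
    ("user", "user"), ("admin", "1234"), ("root", "12345"),
}
# Constructed sample of widely reused passwords; a real build would ship a larger list.
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "letmein"}
MIN_PASSWORD_LENGTH = 12
PBKDF2_ITERATIONS = 200_000


def check_credentials(username, password):
    """Return the list of reasons the chosen credentials are unacceptable.

    An empty list means the pair is accepted. Every check is reported so the
    wizard page can show the user everything that needs fixing at once.
    """
    problems = []
    default_passwords = {p for _, p in DEFAULT_CREDENTIALS}
    if not username or len(username) < 3:
        problems.append("username must be at least 3 characters")
    if (username, password) in DEFAULT_CREDENTIALS:
        problems.append("factory default credentials are not allowed")
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"password must be at least {MIN_PASSWORD_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS or password.lower() in default_passwords:
        problems.append("password is a well-known default or common password")
    if username and username.lower() in password.lower():
        problems.append("password must not contain the username")
    classes = sum((
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ))
    if classes < 3:
        problems.append("password must use at least three of: lower, upper, digit, symbol")
    return problems


class Device:
    """Minimal model of the device's credential state across first-boot setup."""

    def __init__(self):
        self.setup_complete = False
        self._username = None
        self._salt = None
        self._hash = None

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

    def finish_setup(self, username, password):
        """Final wizard page: returns [] and unlocks the device on success,
        otherwise returns the list of problems and leaves the device locked."""
        problems = check_credentials(username, password)
        if problems:
            return problems
        self._salt = os.urandom(16)
        self._hash = self._derive(password, self._salt)
        self._username = username
        self.setup_complete = True
        return []

    def login(self, username, password):
        """Network login: always refused until the owner has completed setup,
        so the factory pair never works remotely, not even on first boot."""
        if not self.setup_complete:
            return False
        if username != self._username:
            return False
        return hmac.compare_digest(self._derive(password, self._salt), self._hash)


if __name__ == "__main__":
    dev = Device()
    print("login with factory creds before setup:", dev.login("admin", "admin"))
    print("keeping factory creds:", dev.finish_setup("admin", "admin"))
    print("choosing real creds:", dev.finish_setup("camera-owner", "Tr0ub4dor&3-garden"))
    print("login after setup:", dev.login("camera-owner", "Tr0ub4dor&3-garden"))
```

The design choice worth noting is the ordering: `login()` checks `setup_complete` before anything else, so a device that has been powered on but never configured presents no usable account rather than the factory one.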
Then you are not talking about the security industry or its failure to work, are you? It's a failure in the development industry to have basic security awareness.
If you don't engage the security industry for pentests or consulting, you can't go and blame them when you get hacked.