'Over the last few weeks, unknown hackers have launched some of the largest cyberattacks the internet has ever seen. These attacks weren’t notable just by their unprecedented size and power, but also because they were powered by a large zombie army of hacked cameras and other devices that fit into the category of Internet of Things, or IoT.' - Motherboard
What never ceases to amaze me is the list of default passwords that malware is using to get access and take control of IoT devices.
I can't decide which combination I love the most:‘admin, admin’ or ‘admin, password.’
I don't think it really matters if security professionals go to great lengths proposing frameworks or running penetration tests on IoT devices, so long as users and manufacturers keep using such a lame, no-security approach. Probably vendors should just get rid of passwords once and for all. There are so many good authentication products all around, just take this one here https://www.passbyme.com (PassByMe) that uses digitally signed (and legally binding) mobile platform based authentication to leave passwords for good.
Or the other obvious idea would be to use the same two-factor mobile-based authentication system Yahoo, Google, Facebook, Twitter and many others are using.
If you want to stay in the past, dear manufacturers, at least use hardware level "security", a label with randomly generated access and password. We know it's not that hard, just look at the default alphanumerical code for wifi networks.