Completely incorrect claim, the IoT industry doesn't spend a penny on security, and therefore will be vulnerable to these type of attacks.
If anything this is proof that the security industry does work, these attacks are happening on devices where there is no security budget - not on servers with large investments in security.
How many pennies would've been needed to insert a simple page forcing you to change the user/password combo and to choose a reasonably strong password after first boot?
In the case of Mirai it's not even a cost issue, just lacking good practices.
"How many pennies would've been needed to insert a simple page forcing you to change the user/password combo and to choose a reasonably strong password after first boot?"
These are written by outsourced developers who don't know anything about security. They wouldn't even think to develop something as simple as that.
You are obviously unaware of how this works. Companies would have to hire consultants/penetration testers to assess the product first. Then they would spend even more money making the changes suggested by the consultants. So it would cost a lot of pennies, actually.
Ok, I am aware of how it works, but I'm not talking pentests or hardening. I'm talking simple, cheap design choices in this case, that could've eliminated the whole Mirai debauchery.
In your app you already have a setup wizard, right? Add one more page to the end: "Hey, we're almost done! We just need to make sure your device is secure. Please choose a username and (strong) password."
Edit: Because if you have a login, you already have the components in place, you are not developing a new feature.
This one simple design choice would have cost very little, both in terms of development time and increase in support costs, because support is a cost center that scales with your user base and your knowledge base. Obviously not pennies, but still small costs.
There is the classical point of diminishing returns from security investments; the problem is that for most IoT products we are far to the left of it, towards zero investment, and at this point small investments and a few smart design choices would yield significant returns in security.
And with developers that's exactly what I don't get. How has it not become internalized that allowing users to run the default user/pass combo is a very poor idea? I'm not asking for much, I don't expect them to know a lot about security, but not even adhering to some basic good practices of security is killing me.
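The first-boot wizard page described above, as an added example that is not part of this thread or of any vendor's firmware: a gate that serves nothing but the setup page until the factory default has been replaced, rejects the default and other well-known passwords, and then closes the wizard so it cannot be replayed without logging in. The factory-default credentials, the `COMMON_PASSWORDS` sample list and the route names are constructed for illustration.

```python
"""Added example (not from the thread): a first-boot credential gate for a
device's web setup wizard. All names and the factory-default credentials
below are constructed for illustration."""
import hashlib
import hmac
import os

# Constructed factory default; real devices ship with whatever the vendor chose.
DEFAULT_USER = "admin"
DEFAULT_PASSWORD = "admin"
PBKDF2_ROUNDS = 100_000

# Small blocklist of passwords that show up in default-credential lists (constructed sample).
COMMON_PASSWORDS = {"admin", "password", "123456", "12345678", "root", "1234", "default"}


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


class CredentialStore:
    """Holds the single admin account and whether the owner has replaced the factory default."""

    def __init__(self):
        self.username = DEFAULT_USER
        self.salt, self.digest = hash_password(DEFAULT_PASSWORD)
        self.setup_complete = False  # flips to True only after the wizard succeeds

    def verify(self, username, password):
        if username != self.username:
            return False
        _, candidate = hash_password(password, self.salt)
        return hmac.compare_digest(candidate, self.digest)

    def set_credentials(self, username, password):
        self.username = username
        self.salt, self.digest = hash_password(password)


def credential_problems(username, password):
    """Return the reasons a username/password choice is unacceptable (empty list means OK)."""
    problems = []
    if not username:
        problems.append("username must not be empty")
    if len(password) < 12:
        problems.append("must be at least 12 characters")
    if password.lower() in COMMON_PASSWORDS or password == DEFAULT_PASSWORD:
        problems.append("is a well-known default password")
    if username and username.lower() in password.lower():
        problems.append("must not contain the username")
    return problems


def route_request(store, path, session_user):
    """Decide what the device serves. Until setup is complete, every path
    except the wizard itself is redirected to it; afterwards the wizard is
    closed and normal login applies."""
    if not store.setup_complete:
        return "page:/setup" if path == "/setup" else "redirect:/setup"
    if path == "/setup":
        return "redirect:/login"  # wizard cannot be replayed to reset the account unauthenticated
    if session_user is None and path != "/login":
        return "redirect:/login"
    return "page:" + path


def complete_setup(store, username, password):
    """Wizard submit handler: reject weak choices, otherwise replace the default and open the device."""
    problems = credential_problems(username, password)
    if problems:
        return False, problems
    store.set_credentials(username, password)
    store.setup_complete = True
    return True, []


if __name__ == "__main__":
    store = CredentialStore()
    print(route_request(store, "/status", None))                       # redirect:/setup
    print(complete_setup(store, "admin", "admin"))                     # (False, [...])
    print(complete_setup(store, "owner", "correct-horse-battery-9"))   # (True, [])
    print(route_request(store, "/status", None))                       # redirect:/login
```

The point of the gate is the `setup_complete` flag, not the strength check: as long as it is false the device answers every request with a redirect to the wizard, so a unit shipped with a factory default is never reachable with that default from the network, and once the owner has chosen credentials the wizard route stops answering.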
" Ok, I am aware of how it works, but I'm not talking pentests or hardening. I'm talking simple, cheap design choices in this case, that could've eliminated the whole Mirai debauchery."
Then you are not talking about the security industry or its failure to work, are you? It's a failure in the development industry to have basic security awareness.
If you don't engage the security industry for pentests or consulting, you can't go and blame them when you get hacked.
> It's a failure in the development industry to have basic security awareness.
Is that really it? Surely even a high-school level developer will realise that having a device connected to the wild web with a default user:pass will be hacked easily.
I'd have thought the problem is not wanting to support customer calls saying "we changed the password and now can't access our device". So default user:pass and no prompt to change it (and a backdoor just in case) means lower support costs.
Anything that adds any interaction with the user will cost support time, thus dollars. It's easier for these companies to hard code a password in and have it "just work" with their mobile app or web interface than actually do security correctly.
Until there are regulations in place to make them do this, they will not care.
Nope, it's a sign of the strong market for lemons in IT products.
There's no adequate way for consumers to differentiate between well secured products and badly secured products (every company will tell you "security is their top priority" if you ask them).