"Allow 5 tries, then lock everyone out for 10 minutes" is a rate limiter. If you're talking about an arbitrarily complex one: either you're able to be locked out too, or a botnet allows near-arbitrary retries. A botnet of insecure cameras, perhaps.
It's all a tradeoff. But a smart rate limiter is complex, and rarely necessary when you can be expected to have physical access to the device. Plus, these things haven't even managed basic security, why should we expect them to implement a good rate limiter?
It's all a tradeoff. But a smart rate limiter is complex, and rarely necessary when you can be expected to have physical access to the device. Plus, these things haven't even managed basic security, why should we expect them to implement a good rate limiter?