
This constant barrage of FUD from the cybersecurity community is exhausting. The real story here is that a combination of misconfigurations resulted in a system being exposed to remote exploitation. Until we in security move away from producing this noise about the latest clickbaity hack and start professionally addressing underlying hygiene, root causes, and config laziness at scale, we will never drive the conversation forward. But that doesn't get your talk accepted at Black Hat.



The point is not to deliver a measured and realistic view into the specific security threats, for the entertainment of experts. The point is to show the broad public what the logical extremes of vulnerability are, so that the public exerts some market pressure, and seeks out the help of third parties to ensure that things within this realm do not happen in their cars.


We have to acknowledge that the underlying issues here won't ever be understood by the broader public. These kinds of "here's what happens when..." stories are among the most important ways that we can get your message across.


Many hardware manufacturers simply don't understand the danger of using software willy-nilly. You can tell them all day long about using sane defaults, but they won't listen.

Malfunctioning hardware that physically damages their customers' property, on the other hand, is something the significance of which they will understand immediately. A few lawsuits here and there, a few percent off of their stock price -- these are the language they speak, and we must learn to speak it too if we want to encourage them to do something.


Same issues as those faced in the field of scientific research, really. Pressure to put out something flashy coupled with sensational journalism adding even more fantastical hype over the top.

Question is, what did we used to have that drove research efforts in the more beneficial ways we used to see?


> Question is, what did we used to have that drove research efforts in the more beneficial ways we used to see?

I don’t know the answer to your question, but decoupling progress from profits would be a good idea.

An international body dedicated to knowledge and research for their own sake, funded by everyone, maybe?


Xerox PARC and Bell Labs?


Sure but I mean - What was the secret sauce that drove us to have PARC and Bell? What motivations were there then that have gone away now? Can we get them back?


Well, yes. But at the same time what other mechanism would you suggest to educate the large segment of the population that has absolutely no inkling of the mechanics of security? I don't see any and stories like this illustrate in a way that is accessible to all what the consequences of lax security could be. As such I think it serves a valid purpose, even if to those more knowledgeable like you it comes across as FUD.

And even within the security community there is a shift in the last couple of years with sexy names and bespoke websites for specific vulnerabilities. Apparently there is a need to get security out of the technical realm and into the public eye for reasons that transcend FUD.


If there is no scenario the public can understand, the problems will just be waved away using arguments such as 'I don't care, I don't have anything to hide', 'Perfect security is impossible, it's good enough' etc.


This view is increasingly outdated. The public viewed the internet as something harmless, but the moment there are real world consequences they will inform themselves and take things seriously very quickly. Self preservation is universal.


Another reason the IoT is a truly terrible concept. There is no need to have a toothbrush or car wash connected to a global network.


I suspect that many times it is not intentional.

It's just that when you have a computer connected to two networks, it takes very little for it to act as a router.


Even simple things like default passwords being the first few numbers of the product's serial number wouldn't be that bad.


Only if the serial numbers were random and not, well, serial.


Given that the state of the situation now is often "learn one password, pwn the entire class of devices", a default that was vulnerable to literally any other vector of attack seems like a marked improvement. It's easier to protect against a brute force or dictionary attack on any individual device than it is to protect against a single magic default admin credential being discovered - rate limit password submissions, lockouts after subsequent failures, etc.

Sure, if someone can look at the sticker on the bottom of my router and see the serial number and learn the default password that way without having to attack it iteratively, that's still a problem. But a random default password would have to be communicated to the end user somewhere, too... and as with most things, by the time an attacker has physical device access you've already lost.


But serial serial numbers would turn one password into a small handful, not that much better of an improvement.

A lot of routers come with random, long passwords printed on them as the default. No reason this shouldn't be standard.
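The sub-thread above makes two claims: a default derived from the first few characters of a sequential serial collapses a whole product batch into a handful of passwords, whereas a per-device random default leaves only per-device guessing, which rate limiting and lockouts can contain. This added example (not from any commenter) measures the first claim on a constructed batch of sequential serials and sketches the second as a small lockout guard; the serial format and parameters are assumptions.

```python
import hmac
import secrets
import string

# Constructed sample: sequential serials in a hypothetical vendor format,
# a fixed prefix followed by a zero-padded counter.
def sequential_serials(prefix="RT2019", start=100000, count=5000):
    return [f"{prefix}{start + i:06d}" for i in range(count)]

def serial_derived_default(serial, chars=8):
    # "First few characters of the serial" as the factory default.
    return serial[:chars]

def distinct_default_count(serials, chars=8):
    # How many different default passwords a batch actually yields.
    return len({serial_derived_default(s, chars) for s in serials})

def random_default(length=16):
    # A per-device default from a CSPRNG, as printed on a router label.
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

class LoginGuard:
    """Per-device brute-force protection: lockout after repeated failures."""

    def __init__(self, password, max_failures=5, lockout_seconds=300):
        self._password = password
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = 0
        self.lock_until = 0

    def attempt(self, candidate, now):
        # 'now' is a monotonic timestamp in seconds supplied by the caller.
        if now < self.lock_until:
            return "locked"
        if hmac.compare_digest(candidate, self._password):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.failures = 0
            self.lock_until = now + self.lockout_seconds
            return "locked"
        return "fail"

if __name__ == "__main__":
    batch = sequential_serials()
    print("8-char defaults:", distinct_default_count(batch, 8))   # 1
    print("9-char defaults:", distinct_default_count(batch, 9))   # 5
    print("full-serial defaults:", distinct_default_count(batch, 12))  # 5000
```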


While I agree there's a lot of clickbait from cybersecurity that really has to stop, because some of them are really ridiculous and cause the cry wolf syndrome. Like the ones where "Researchers can find out what you are thinking by just listening to scans of your brain from your wifi router!!1". Where they conveniently leave out the detail that they first require physical access to your wifi router to implant a special program, then a training set targeting exactly you built up over 10 years in a perfectly controlled environment, then the attack must be performed in this exact environment, they have just identified one type of thought and they only managed to repeat the attack once, where the result was more likely to be a fluke than deliberate.

But I don't think this looks like one of them; they seem to have a very easy and reproducible attack entry point open for everyone, and the consequences are very tangible.


The rise of "cyber" nonsense and the army of certified cyber-warriors produces intense pressure to get CPEs and to get attention.


CVEs?


Continuing Professional Education

