DVR devices are insane. I do regular surveys of random IP addresses and find these devices everywhere. They're easily identified by the headers that the embedded servers respond with.
Typically they're cheap devices from China using the same tech just with slightly different branding.
They usually have default passwords like admin:admin that users aren't required to change and often have vulnerabilities that grant access to the rest of the network. And people expose the ports for these things to the entire internet. Maybe people just assume nobody will happen upon their IP address?
The irony, of course, is that people install these for security.
Remember when wifi devices rarely had passwords and you could use your neighbor's internet? What caused the change to the modern practice of unique strong passwords by default? Was it consumer driven or were there some other factors? Whatever happened, we need that for IoT devices too.
A big factor might have been ISP-provided routers coming with random passwords printed on the underside of the router instead of uniform defaults. The same tactic would work with many IoT devices but the incentive isn't there.
The pressure was probably from the ISP side. This is easy to make for the ISP, just one extra line in the request for tender.
For IoT devices it is harder to push through; there are no real incentives to spend on security except the potential for bad marketing once systems are compromised. In my company we usually have unique device- and server-generated public/private keys, so compromising one device will not make the whole fleet vulnerable. This is just one of the methods. In most cases security is really hard to sell to the project managers at an early stage of R&D unless they have had a prior unpleasant experience or the market has mandated stringent requirements themselves. After all, making systems more secure is usually going to make projects longer and more costly on paper. "Security is not part of the MVP and we will worry about it later" is way too common a reaction.
I wonder if we'll someday see ISP-issued modems and routers gently probing their customers' local networks, and sending out emails when they identify known vulnerable devices.
Torrenting and child porn, I would guess. I remember the slow transition from people using open networks to securing the shit out of them, and there was this big fear that someone could use your network to download copyright-protected and/or illegal material, and it would be tied to your IP.
Indeed, 10-15 years ago in almost any area with a population you could easily find an open network to get onto the Internet when you wanted to. I could check email and lookup some quick things even while riding public transit, without needing mobile data. There was also a grassroots movement of sorts to "share your WiFi", and even a well-known security professional opened his: https://www.schneier.com/blog/archives/2008/01/my_open_wirel....
Now there's almost none of those left, and what places do advertise "free WiFi" are captive/login portals. It was more free and open back then, I actually quite miss those days...
I suspect it was the ISPs who made the decision, not the manufacturers. Removing the common excuse of "my network is open, who knows who did it!" for torrenting may be the reason. Another could be to make open/easily accessible networks rarer as they started selling Wi-Fi via the provided routers.
Could be ISPs trying to improve user security generally to prevent lots of their customers becoming DDoS zombies, resulting in more contention and customer complaints.
I don't know what happened at scale, but here in Germany what happened is that you are legally responsible for what happens via your router, so better take care you are the only one using it.