Opinion: IoT Security Is Security Theatre Until We Make Default Passwords Illegal


Right, I'm done being diplomatic about this. After 40 years of watching the same preventable disasters repeat themselves with different technology, I'm calling it: selling network-connected devices with default administrative credentials should be illegal in the UK.

Not "discouraged." Not "recommended against." Illegal. With criminal penalties for manufacturers and civil liability for distributors.

Pull up a chair. This intervention has been brewing for three decades.

We've Solved This Problem Before

In 1987, seatbelts became mandatory in UK vehicles. Manufacturers screamed about costs, complexity, and consumer choice. They insisted the market would self-regulate, that educated consumers would demand safety features, and that government mandates were unnecessary overreach.

They were wrong. Mandatory seatbelts saved thousands of lives. Nobody today argues we should let manufacturers sell cars without seatbelts because "consumers can install them themselves if they want."

Network security is the same. Default credentials kill businesses. We know this. We've known this for decades. And we keep pretending market forces will magically solve the problem.

They won't. They haven't. They're not going to start now.

The Free Market Has Failed IoT Security

Let's be brutally honest about what the free market has delivered for IoT security:

Printers that ship with admin/admin as default credentials and keep unencrypted copies of every printed document on their internal storage. CCTV systems reachable from the internet with password/1234 protecting your premises surveillance. Smart thermostats with no authentication at all. Door access control systems using password/password to control physical security.

This isn't free market innovation. This is corporate negligence wrapped in consumer choice rhetoric.

HP, Hikvision, Nest, every manufacturer shipping devices with default credentials: you're not providing "flexibility for customer configuration." You're providing attack vectors for criminals.

And you know it. Your own security teams have told you. Your bug bounty researchers have demonstrated it. Your insurance actuaries have priced it.

You ship vulnerable products anyway because there's no consequence for your negligence until someone gets breached, and even then, you hide behind disclaimers and limited liability.

The "It's the User's Responsibility" Lie

Here's the standard manufacturer defence: "We ship devices with default credentials clearly documented in manuals. It's the user's responsibility to change them during installation. We can't be held liable for user negligence."

Bollocks. Complete and utter bollocks.

When you design a product that requires security expertise to use safely, you're not selling a product. You're selling a liability disguised as office equipment.

Would we accept cars sold without brakes where manufacturers say "it's the driver's responsibility to install braking systems before use"? Would we tolerate medications sold with instructions to "add your own safety testing"?

No. We'd correctly identify that as corporate negligence and regulate it accordingly.

But somehow, with network security, we've accepted the absurd premise that business owners need cybersecurity expertise to safely use printers.

The Real Cost of Default Credentials

Let's talk about what default credentials actually cost the UK economy:

MediaForward, the Manchester marketing agency from Friday's case study: £43,000 direct costs, three lost clients, competitive disadvantage from leaked proposals. One printer with default credentials.

Multiply that across the thousands of UK SMBs breached through IoT devices annually. Add ransomware payments. Add regulatory fines. Add lost productivity. Add reputational damage.

We're talking hundreds of millions in annual economic damage from preventable vulnerabilities that manufacturers knowingly ship.

And that's just measurable financial costs. What about:

  • Medical practices breached through networked printers containing patient records

  • Law firms exposing client privilege through unsecured multifunction devices

  • Councils leaking resident data through CCTV systems with default passwords

  • Small businesses destroyed by breaches they had no realistic chance of preventing

Every single one is preventable. All it takes is manufacturers not shipping devices with default administrative credentials.

What Proper Regulation Would Look Like

I'm not talking about complicated EU-style directives requiring 200-page compliance documents. I'm talking about simple, enforceable requirements:

Requirement 1: Unique Default Credentials

Every device must ship with unique administrative credentials specific to that individual device. No more admin/admin. No more password/password. Generate random credentials during manufacturing, print them on the device label, and require a mandatory password change on first access. Random means random: a password derived from the serial number or MAC address is just a default password with extra steps, because the derivation rule leaks and the serial is printed on the same label or broadcast on the network.

Cost to manufacturers: Negligible. Random password generation during manufacturing costs effectively nothing. Label printing already happens.

Requirement 2: Mandatory Password Change on First Use

Devices must require an administrative password change before allowing normal operation. No "skip this step" option. No "remind me later" deferrals. Configure the device properly, or it doesn't work.

Cost to manufacturers: Trivial firmware change. Every consumer electronics device already does this for initial setup wizards.

Requirement 3: No Default Network Exposure

Administrative interfaces must not be accessible from the network until explicitly enabled by an authenticated administrator. The device's actual service (printing, video streaming, temperature control) can still work over the network; it is the management interface that stays local-only. Lock down remote administration by default, and require a conscious decision to enable it.

Cost to manufacturers: Minimal configuration change in default firmware.

Requirement 4: Automatic Security Updates

Devices must support automatic firmware updates for a minimum of five years from the date of manufacture. Security patches must be deployed automatically unless an administrator has explicitly disabled them.

Cost to manufacturers: Investment in update distribution infrastructure. Ongoing support costs. Actually taking security seriously.

Requirement 5: Criminal Penalties for Non-Compliance

Manufacturers shipping non-compliant devices in the UK market face criminal penalties. Directors are personally liable for knowing violations. No hiding behind corporate structures or offshore registration.

Civil Liability for Breaches:

Manufacturers are liable for breach costs when a default-credential vulnerability contributed to the incident. You can't disclaim liability for your own negligence.

"But This Will Increase Costs!"

Yes. Slightly. Marginally. Trivially compared to breach costs.

If your business model requires shipping insecure products to remain profitable, you don't have a viable business. You have corporate negligence subsidised by victim breach costs.

Car manufacturers didn't collapse when seatbelts became mandatory. They adapted. Prices increased marginally. Lives were saved.

Network device manufacturers won't collapse from mandatory security. They'll adapt. Prices might increase £10-20 per device. Businesses will be protected.

"But This Stifles Innovation!"

Does it bollocks. This is the same argument used against every safety regulation ever proposed.

Seatbelts don't stifle automotive innovation. Building codes don't prevent architectural creativity. Food safety standards don't destroy culinary arts.

Requiring basic security doesn't stifle innovation. It sets a floor: a baseline of quality below which you're not allowed to sell at all.

If your "innovation" depends on shipping vulnerable devices and hoping customers don't get breached, it's not innovation. It's negligence with marketing.

The NCSC Already Recommends This

Here's the kicker: the National Cyber Security Centre already publishes guidance telling manufacturers to eliminate default passwords. The UK government's 2018 Code of Practice for Consumer IoT Security makes "no default passwords" its very first principle: devices should not ship with universal default credentials.

Those were recommendations. Not requirements. Not regulations. Not legally enforceable mandates. It took until the Product Security and Telecommunications Infrastructure regime, in force from 29 April 2024, for the no-universal-default-passwords rule to become law, and even then only for consumer connectable products, with fines of up to £10 million or 4% of global turnover. Kit sold solely to businesses sits outside it, there is no forced password change on first use, no minimum support period (only an obligation to state one), and no personal liability for directors.

Outside that narrow scope, manufacturers can ignore the guidance without consequence. And they do. Because recommendations without enforcement are worthless.

We Know What Works

Look at the EU Cyber Resilience Act: mandatory security requirements for products with digital elements, manufacturer obligations to handle and report vulnerabilities, and market surveillance to ensure compliance.

Look at California SB-327: from 1 January 2020, every connected device sold in California must ship with either a unique preprogrammed password or a forced change of credentials before first access. Manufacturers adapted. The industry didn't collapse. Products became slightly more secure.

We have working examples of effective IoT security regulation. We're choosing not to implement them because we've accepted corporate negligence as normal.

Personal Accountability for Directors

Here's my most controversial position: company directors should face personal criminal liability when their organisations sell network-connected devices with default credentials that contribute to breaches.

Not corporate fines; the company pays those. I'm talking about personal liability. Criminal records. Potential imprisonment for knowing violations.

This is how we handle other forms of corporate negligence causing harm. Health and safety violations. Environmental damage. Financial fraud.

Why are network security failures different? Why do we accept that directors can knowingly ship vulnerable products, profit from the sales, and face zero personal consequences when breaches happen?

If you're making money selling insecure devices, you should face consequences when those devices enable breaches.

The Objections I Already Anticipate

"This is regulatory overreach limiting free markets!"
No, this is preventing harm through minimum safety standards. Like every other product safety regulation.

"Small manufacturers can't afford compliance!"
If you can't afford to ship secure products, you can't afford to be in business. Your low prices are subsidised by victim breach costs.

"This will slow product development!"
Good. If your product development cycle can't accommodate basic security, slow down until it can.

"Users want flexibility and choice!"
Users want devices that work. They don't want to become cybersecurity experts to safely use printers. This isn't removing choice, it's removing dangerous options.

"International manufacturers won't comply!"
Then they don't sell in the UK market. Same as every other product safety standard. Comply or get out.

Where Do We Go From Here?

We can continue accepting preventable breaches as an inevitable cost of doing business whilst manufacturers ship vulnerable products and hide behind disclaimer clauses.

Or we can demand proper regulation with teeth: mandatory security requirements, automatic updates, criminal penalties for violations, civil liability for negligence.

The technology to solve this exists. The economic incentive doesn't. Regulation creates the incentive.

I've spent 40 years watching the same patterns repeat: manufacturers ship insecure products, businesses get breached, everyone shakes their heads about how terrible it is, nothing changes, the cycle repeats.

I'm done pretending market forces will magically fix this. They won't. They haven't. They're designed not to.

Default credentials should be illegal. Manufacturers should face consequences. Directors should have personal liability.

Until that happens, IoT security is security theatre. We're performing protection whilst shipping vulnerability as standard equipment.

The Manchester marketing agency that lost £43,000 through a printer with default credentials? That's not their failure. That's our collective failure to regulate known dangers out of the market.

How many more “MediaForwards” do we need before we actually do something about it?

Reader Responses

Know someone who manufactures or distributes network-connected devices? Forward this to them. Let's have the uncomfortable conversation about liability and regulation.

Disagree with mandatory security requirements? Tell me why in the comments. Explain why shipping devices with default credentials is acceptable business practice.

Or better yet: tell me why I'm wrong that manufacturers should face liability when their negligent products enable breaches.

I'm genuinely interested in counterarguments that aren't corporate liability avoidance disguised as free market principles.

Noel Bradford

Noel Bradford – Head of Technology at Equate Group, Professional Bullshit Detector, and Full-Time IT Cynic

As Head of Technology at Equate Group, my job description is technically “keeping the lights on,” but in reality, it’s more like “stopping people from setting their own house on fire.” With over 40 years in tech, I’ve seen every IT horror story imaginable—most of them self-inflicted by people who think cybersecurity is just installing antivirus and praying to Saint Norton.

I specialise in cybersecurity for UK businesses, which usually means explaining the difference between ‘MFA’ and ‘WTF’ to directors who still write their passwords on Post-it notes. On Tuesdays, I also help further education colleges navigate Cyber Essentials certification, a process so unnecessarily painful it makes root canal surgery look fun.

My natural habitat? Server rooms held together with zip ties and misplaced optimism, where every cable run is a “temporary fix” from 2012. My mortal enemies? Unmanaged switches, backups that only exist in someone’s imagination, and users who think clicking “Enable Macros” is just fine because it makes the spreadsheet work.

I’m blunt, sarcastic, and genuinely allergic to bullshit. If you want gentle hand-holding and reassuring corporate waffle, you’re in the wrong place. If you want someone who’ll fix your IT, tell you exactly why it broke, and throw in some unsolicited life advice, I’m your man.

Technology isn’t hard. People make it hard. And they make me drink.

https://noelbradford.com