-
I mean a scan from the router to devices on the customer network. If the IoT device accepts a default password, block it.
This is illegal.
You cannot attempt to access a computer you do not have the right to access, and the act of trying a password is to do that.
Either you prevent the spread of malware to avoid becoming part of a botnet (by blocking inbound traffic to certain ports) or you prevent a machine from doing anything to another once part of a botnet (by blocking outbound traffic to anything that isn't configured to be open by an end user).
That's it. No other legal or practical solution exists.
The ISP is the only one who could do either of the above, but unfortunately they have no incentive to do either right now (legal, economic, etc.).
-
Companies do it via vulnerability scans. Doesn't seem to be illegal there?
But that's a business employing people, with the business either owning the assets, or the user agreeing with the scans, not a business-to-consumer relation.
There's a whole discussion on The Reg on improving the devices themselves, but as they're made internationally with varying standards that's probably near impossible.
Well who knows... the EU/USA/UK could pass laws on port blocking.. ;)
Ah yeah I see what you mean... the routers can then be hacked or botnetted and we are no further.
With the password, I mean a scan from the router to devices on the customer network. If the IoT device accepts a default password, block it.
That won't fix the issue that a router can be botnetted, though.
A lot of users are lazy, they won't try to break the router or fiddle with it if it's a big hassle. But yeah port blocking sounds a LOT easier and more secure.
So, eh, why are ISPs not doing it yet...? :)