Unfortunately, there isn't a simple solution to fix this widespread problem, Schloesser said. "The only way to improve the security of the embedded devices is for their manufacturers to take security more seriously and work with the research community to identify and address issues."
There are technical solutions to some of these problems and vendors are already using them, Schloesser said. "One could, for example, have devices pre-configured with random passwords and put appropriate stickers onto the devices. It requires a little investment before shipping them but is well worth it. Also approaches employing QR codes for 'initial setup URLs' could be a possibility. Everything is better than weak vendor-wide default passwords."
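The per-device random password and one-time setup URL that Schloesser describes could be provisioned at the factory along these lines. This is an added sketch, not code from the article or from any vendor; the function names, record layout, sample serial numbers and the `setup.example.invalid` host are all assumptions.

```python
import hashlib, hmac, secrets

# No look-alike characters (0/O, 1/l/I), so a sticker is easy to read and type.
ALPHABET = "abcdefghjkmnpqrstuvwxyzABCDEFGHJKMNPQRSTUVWXYZ23456789"
PBKDF2_ROUNDS = 200_000

def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def provision(serial, pw_len=12):
    """Create unique credentials for one device (hypothetical factory step)."""
    password = "".join(secrets.choice(ALPHABET) for _ in range(pw_len))
    salt = secrets.token_bytes(16)
    token = secrets.token_urlsafe(16)
    return {
        # Flashed to the device: salted hashes only, never the plaintext.
        "firmware": {"serial": serial, "salt": salt.hex(),
                     "pw_hash": _hash_pw(password, salt).hex(),
                     "token_sha256": hashlib.sha256(token.encode()).hexdigest(),
                     "setup_done": False},
        # Printed on the sticker; the URL is what a QR code would encode.
        "label": {"serial": serial, "password": password,
                  "setup_url": f"https://setup.example.invalid/{serial}#{token}"},
    }

def check_password(fw, candidate):
    """Device-side login check against the stored hash (constant-time compare)."""
    got = _hash_pw(candidate, bytes.fromhex(fw["salt"]))
    return hmac.compare_digest(got.hex(), fw["pw_hash"])

def redeem_setup_token(fw, token):
    """The setup URL works exactly once, then the token is dead."""
    if fw["setup_done"]:
        return False
    digest = hashlib.sha256(token.encode()).hexdigest()
    if hmac.compare_digest(digest, fw["token_sha256"]):
        fw["setup_done"] = True
        return True
    return False

if __name__ == "__main__":
    for serial in ("SN-0001", "SN-0002"):  # constructed sample serials
        unit = provision(serial)
        print(unit["label"])
```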
"It is the vendors' responsibility," the anonymous researcher said via email. "They can't expect users to log into telnet and change the password."
Botezatu agreed that vendors favor usability over security by shipping products with default passwords and not forcing users to change them, but said that user education is also needed. It's ultimately the device owner who decides how the device is used, what services to expose to the Internet and what security controls to put in place, he said.
"Users should be instructed about the best practices of deploying Internet-connected devices, because it is their responsibility to secure access to them," he said.
Otherwise, as more and more devices, from cars to refrigerators and coffee makers, are being connected to the Internet, the problem will only get worse.
"These devices are as vulnerable and as exploitable as any computer," Botezatu said.