Over my career and as part of personal projects I have repeatedly scanned nearly all of the Internet's routable IPv4 space and some portion of IPv6 space. In one of those projects we were scanning multiple times a week. If you've never been in this space I can assure you that the amount of unpatched gear and software would surprise you. The amount of gear that is YEARS past EOL is substantial. The amount of services that should never be public-facing is, to be blunt, inexcusable. Even after the publication of the ETERNALBLUE exploits and the WannaCry, NotPetya, and related worms it still took months to see any significant reduction in exposed SMB endpoints. Even then, IIRC, a significant percentage of that reduction was due to ISP action and not system owners clueing up. There are often reports of massive DDoS events sourced from compromised routers, cameras, DVRs, cable modems, etc. The original Mirai botnet is an excellent example of how impactful a worm infecting cameras and routers using nothing but default creds can be.
It is my personal opinion that in every international jurisdiction it should be both legal and protected from civil repercussions to wipe all data and render permanently inoperable(1) any device or service that is directly connected to the Internet and either remotely accessible with a default (out of the box or in documentation) credential or has a publicly disclosed vulnerability more than 2(2) years old that enables the action.
(1) This doesn't include setting the device on fire, creating an explosion, etc. If it merely drops internet or power then I suspect someone's lawyers will have something to say to the party responsible for such a negligent implementation or management.
(2) Arbitrarily selected to allow controlled patch time, detection of oversight, etc. We could even start with something like 4 years and decrease the window over time. We could give folks a 1 year warning to get their house in order.
I believe that the initial result would be chaos but soon after the internet would be a "safer" place. I also think that perhaps there would be more pressure on vendors to improve the security of the device or service as well as to streamline and user-proof the patching and hardening process.
For those who might be concerned that their gear, software, network, or services might be impacted I say:
Quit shitting up the internet for everyone!