Found this in my research today: https://techcrunch.com/2018/10/05/california-passes-law-that-bans-default-passwords-in-connected-devices/
It's a start; I like how it requires a unique password for each device and a password change after first logon.
So that law was passed in 2018 and was supposed to be enforced starting in 2020. Wonder how enforcement is going. I am pretty sure some of the gear I work with has default passwords and doesn't force changes. Maybe they don't sell those in California.
-Otanx
Could be. I read more on it and both the USA and EU have guidelines that stop short of assessing fines. The UK, however, just passed a law that assesses fines for vendors that make gear with default passwords.
I hope that the legislation also extends to hard-coded root accounts.
Network engineer whose gear was pwned because an attacker used a default root account:
:facepalm1: