"Seriously, this needs shooting in the head now."
Worth mentioning, if it has a NETWORK STACK, but uses TELNET, someone didn't go far enough with the firmware implementation. If it's got ROOM in the NVRAM for the network stack, it's got room for SSH and/or other reasonable security. And non-guessable user names [unlike 'root' or 'admin']. And force the user to change the user/pass credentials before the device will function. And press a button on the device to reset it if you forget your user/password. And so on.
not rocket science, just LAZINESS and CLUELESSNESS on the part of the IoT developers.
LIABILITY applies, In My Bombastic Opinion.