Re: 3 Letters
Having been in this industry, time-to-market pressures and lack of experienced developers on what sounds like an embedded Linux device makes it likely this was a simple mistake. Cisco probably acquired the system or implemented it from scratch without adequate resourcing and review/oversight...it's common for developers to set a trivial root password to simplifiy development and testing. It's very easy to imagine that being overlooked when it came to release time.
Not that this is any excuse for operating in that way. But Cisco is so oversized at present that the left hand certainly don't know what the right hand is doing. I doubt they have any rigorourous and effective dedicated IoT security function that applies consistently and effectively aross their diverse product lines, some developed originally in-house and some acquired.
Believe me, this happens every day, not out of malice (though I don't rule that out) but simply because of organizational inertia.
Biting the hand that feeds IT
