Which of the following is the MOST common vulnerability associated with IoT devices that are directly connected to the Internet?
The most common vulnerability associated with IoT devices that are directly connected to the Internet is the existence of default passwords. Many IoT devices are shipped with default usernames and passwords that are often not changed by users, making them easily accessible to attackers who can find these default credentials online.
The IoT provides a unique opportunity for manufacturers to build devices with the ability to communicate and perform specialized functions. However, because of the lack of rigorous testing, many devices have several insecure defaults that come preconfigured, such as the username and password. In many cases, the manufacturer has hard-coded these credentials and made them very difficult or impossible to remove. This can be dangerous, as once a malicious actor knows the type of device that is in use, they can then research the default username and password online. As a result, the team should research the default credentials for each IoT product you target during the PenTest. Section 12
Many IoT device manufacturers fail to change the default passwords, which makes them vulnerable to attack by malicious actors as they can easily gain access using the default password.
D is the correct answer
I think it's D based on this... https://www.networkworld.com/article/3332032/top-10-iot-vulnerabilities.html
The MOST common vulnerability associated with IoT devices that are directly connected to the Internet is option D: The existence of default passwords. Explanation: IoT devices that are directly connected to the Internet are often shipped with default passwords that are commonly known and easily guessable. Many users do not change these default passwords, leaving the devices vulnerable to unauthorized access by attackers. Option A, unsupported operating systems, is a vulnerability that can exist on some IoT devices, but it is not as common as default passwords. Option B, susceptibility to DDoS attacks, is a vulnerability that can affect IoT devices that are connected to the Internet, but it is not the most common vulnerability. Option C, inability to network, is not a common vulnerability for IoT devices that are designed to be connected to the Internet. Therefore, the most common vulnerability associated with IoT devices that are directly connected to the Internet is option D, the existence of default passwords.
D, all day long
How is an unsupported OS related to a vulnerability? I go for D.
D for sure. Great article @mattmetallica
Internet of Things (IoT) devices often come with various security challenges, and among the listed options, the most common vulnerability is typically the existence of default passwords. Many manufacturers ship IoT devices with easily guessable default usernames and passwords, and if these credentials are not changed, attackers can easily gain unauthorized access to these devices. So the correct answer to this question would be: D. The existence of default passwords.
D is correct
According to CompTIA materials, the answer is A.
The MOST common vulnerability associated with IoT devices that are directly connected to the Internet is: D. The existence of default passwords. Many IoT devices come with default usernames and passwords that are often not changed by the users, making these devices easy targets for attackers.
Via Fortinet: Top IoT vulnerabilities include: 1. Weak/Hardcoded Passwords. ... 2. Insecure Networks. ... 3. Insecure Ecosystem Interfaces. ... 4. Insecure Update Mechanisms. ... 5. Insecure or Outdated Components. ... 6. Lack of Proper Privacy Protection. ... 7. Insecure Data Transfer and Storage. ... 8. Improper Device Management.
vote for D
On October 21, 2016, a widespread distributed denial of service (DDoS) attack shut down large portions of the Internet, affecting services run by Amazon, The New York Times, Twitter, Box, and other providers. The attack came in waves over the course of the day and initially mystified technologists seeking to bring systems back online. Investigation later revealed that the outages occurred when Dyn, a global provider of DNS services, suffered a debilitating attack that prevented it from answering DNS queries. Dyn received massive amounts of traffic that overwhelmed its servers. The source of all of that traffic? Attackers used an IoT botnet named Mirai to leverage the bandwidth available to baby monitors, DVRs, security cameras, and other IoT devices in the homes of normal people. Those botnetted devices received instructions from a yet-unknown attacker to simultaneously bombard Dyn with requests, knocking it (and a good part of the Internet!) offline.