That's because most have simplistic security, like all being outfitted with the same password when leaving the factory, or having no password at all.
A new California law would make it illegal to manufacture or sell internet-connected devices that aren't equipped with a unique password, or a feature that forces the consumer to set a personal password when the device is first used. It will take effect on Jan. 1, 2020.
The range of devices that the law covers is incredibly broad: It's any device that connects to the internet, directly or indirectly, and has an IP address or Bluetooth address.
The tactic that California is trying to employ could eventually lessen the severity of some of the most destructive cyberattacks. Unsecured routers and IoT devices are routinely accessed and controlled by hackers, who send millions of compromised devices to ping a certain server and overwhelm it. This is called a distributed denial of service, or DDoS attack, and has brought down services like Amazon, Twitter, and Netflix.