If they are connected to the internet, why not push out an update to fix the default password issue?
A hardware recall seems silly when it's clearly a software issue. Unless they didn't include any firmware updating system... which is likely the elephant in the room not being addressed with most insecure IoT devices. Android faced this problem as well and has recently made progress addressing it. Although a lot of phone companies get in the way and manufacturers have very short support lifespans.
This. We build IoT devices and frankly, we are late shipping while we are doing heavy duty testing on FOTA. Happy to ship late to avoid being part of a botnet and to make sure we can improve our products over time. Depending on the complexity of the product, FOTA can be rather complex and I don't expect budget device makers that aren't particularly branded to bother.
A hardware recall seems silly when it's clearly a software issue. Unless they didn't include any firmware updating system... which is likely the elephant in the room not being addressed with most insecure IoT devices. Android faced this problem as well and has recently made progress addressing it. Although a lot of phone companies get in the way and manufacturers have very short support lifespans.