1/ If you care about IoT security, the thing you should be promoting isn't "no default passwords", but "randomized IPv6 addresses". I mention this because this is my current IPv6 configuration at this bar I'm at. One of the addresses is predictable.

2/ Typical IPv6 will give a device three addresses. It grabs the prefix (2603:3001:2d00:da00:: in my case) and creates a "static" address, a "temporary" address, and asks the router for a DHCPv6 assignment.

3/ The "temporary address" is used as the default address for creating outbound connection, and changes every few minutes. Even as I write these tweets, it's changed.

4/ The static "secured" address will accept incoming connections, but chances are you can never guess it. It's a 64-bit random number. The DHCPv6 "dynamic" address, though, can easily be guessed.

5/ That's a problem. You can reasonably scan Comcast's prefix space, and then scan the lower bits of the addresses. It's a lot of guesses, but combined, it's still fewer than the 32-bit address space we regularly scan for with IPv4.

6/ The various RFC recommend that your DHCPv6 servers don't do this, that they choose a random address to assign, but routers aren't following the recommendations. This is going to lead to security problems in the future.

7/ Anyway, since I'm at a bar, and not revealing my real addresses, I thought I'd document it.

Also, that's not my real MAC address, in case you google it and think it's a good reason to arrest me. :-)