Every device and software ships with a default configuration optimised for ease of setup — not security. Default configurations typically include: default admin credentials (admin/admin, admin/password), unnecessary services enabled (Telnet, FTP, SNMP v1/v2), permissive access controls, detailed error messages that reveal system information, and debug modes left on. Attackers actively scan the internet for default configurations. The Mirai botnet in 2016 compromised over 600,000 IoT devices using only default credentials — without any sophisticated exploit.