The only thing I've seen that makes sense is a comment on Reddit saying that MITM certs like that are expected in China due to govt monitoring, so they didn't really think anything of it.
That might be the worst thing yet. This reads as "don't trust any products coming from China because they are culturally conditioned to be insecure."
Some of the software on these routers is atrocious. I don't just mean the awful grammar and spelling in the ASUS router I bought, but I wouldn't be surprised at all if password checking was just something like:
    var password = document.getElementById('password').value,
        correctPass = 'foobar';
    if (password == correctPass) window.location.href = "/secure/index.html";
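The snippet in the comment above keeps both the secret and the access decision in the browser, so the check protects nothing that is served from `/secure/`. As an added example (not from the thread; the function names, the sample passphrase and the in-memory session store are assumptions), the same check done server-side in Node.js, with the protected path enforcing it on every request:

```javascript
// Added example, not from the thread. All names and values are hypothetical.
const crypto = require('node:crypto');

// Constructed sample credential record: only a salt and an scrypt hash are
// stored, never the password itself.
function makeRecord(password) {
  const salt = crypto.randomBytes(16);
  return { salt, hash: crypto.scryptSync(password, salt, 32) };
}
const adminRecord = makeRecord('constructed-sample-passphrase');

// Tokens issued after a successful server-side check (in-memory for the example).
const sessions = new Set();

// Server-side login: hash the submitted value with the stored salt and
// compare the two digests in constant time.
function login(submitted) {
  if (typeof submitted !== 'string') return null;
  const candidate = crypto.scryptSync(submitted, adminRecord.salt, 32);
  if (!crypto.timingSafeEqual(candidate, adminRecord.hash)) return null;
  const token = crypto.randomBytes(32).toString('hex');
  sessions.add(token);
  return token;
}

// Every request for a protected path is checked against the session store,
// so knowing the URL alone grants nothing.
function handleRequest(path, token) {
  if (path.startsWith('/secure/') && !sessions.has(token)) {
    return { status: 401, body: 'authentication required' };
  }
  return { status: 200, body: `contents of ${path}` };
}
```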
If everything bad was also illegal, maybe it would be different. But many bad things only get changed through social pressure, since they are legal or legal-ish and benefit someone in a position to enact policy.
It's like the old days of social engineering people to set up a .rhosts file with a wildcard entry so you didn't need a login to get into the machine. You'd think people would learn host-based authentication (especially alone) isn't really good, but of course why would they learn? They never do.
I get super nostalgic about my old blue pancake and brick breaker. Wouldn't take it back full time as my only device if you paid me, but they still occupy a warm fuzzy place in my heart.