Who should be held responsible for last week’s security breach that took out parts of the Internet?

That question is becoming more pressing as regulators and the public begin to grasp the implication of the first major “Internet of things” attack, in which hackers hijacked millions of everyday devices such as security cameras and printers, and cut off access to major websites like Amazon and Twitter for hours at a time.

Increasingly, the security community is focusing on the role of the device makers, whose products contained a major security flaw. Namely, the companies did not require consumers to change a default password, which is what made it so easy for hackers to conscript so many Internet-connected devices into the botnet army that carried out last week’s attack.

Some of the companies, which include little-known Chinese manufacturers but also familiar names like Panasonic and Xerox, have begun a recall of the devices. But for now, many of their products remain out in the wild with their software “unpatched.” That means they remain compromised. Worse, hackers have released the source code to control the botnet army, meaning future attacks using devices of this nature are all but certain.

This raises the question of whether the device makers should be held legally responsible. Even though they had no role in directing last week’s attack on the Internet, such an attack was not hard to foresee—especially since there have been reports of compromised cameras, and other Internet-enabled devices, for years.

According to Michael Zweiback, an attorney with Alston & Bird and a former cyber-crime prosecutor, legal action is most likely to come in the form of lawsuits, and investigations by the Federal Trade Commission and state attorneys general. In a phone interview with Fortune, he said the government agencies are in a position to sue the companies selling these devices for dangerous products and deceptive marketing.

Get Data Sheet, Fortune’s technology newsletter.

A harder question is whether U.S. consumers who purchased the compromised devices, which also include network routers and baby monitors, can bring lawsuits of their own.

While class action lawyers may be watching the situation closely, a legal victory would be no sure thing. Even though the companies appear to have been negligent by failing to introduce tougher password protection, consumers would still have to show they were harmed. And right now the test for showing harm is unclear.

We need to talk about cybersecurity:

According to Zweiback, courts are trying to make sense of a major Supreme Court privacy case last year called Spokeo, which held that consumers must show “concrete” harm to collect damages. In the case of a consumer who bought a security camera susceptible to hacking, it’s unclear if they would be able to collect.

The situation is different for Dyn, the Internet service company that was the direct target of last week’s attack by the millions of compromised devices, since the firm had to directly absorb the cost of the attack. Dyn did not reply to a voice message from Fortune about whether it plans to pursue legal action against the device makers.