It has been revealed that a previously disclosed serious vulnerability in D-Link IoT devices including baby monitors could affect more than 120 products around the world.
The stack overflow bug can be exploited “with a single command which contains custom assembly code and a string crafted to exercise the overflow,” security firm Senrio claimed last month.
It allows an attacker to set their own password for an affected device, effectively giving them remote access.
“Instead of setting a new password as the exploit, an attacker could just as easily add a new user with administrator access, download firmware or otherwise re-configure this device,” Senrio added.
This would give a hacker virtual carte blanche to spy on internet traffic, install backdoors and more.
According to Security Week, D-Link is still working on a fix for the bug, having determined it affects over 120 of its products, including routers, cameras, modems and more.
That equates to a massive 414,949 devices worldwide potentially at risk – with most of them in the United States.
With a bug potentially affecting this many devices there are concerns that black hats could look to mass infections in order to coral them into a botnet capable of launching DDoS attacks.
Last month, security firm Sucuri claimed that it had discovered a DDoS attack against a small business launched from over 25,000 internet-connected CCTV cameras.
Network infrastructure firm Nominum warned as far back as February 2015 that DNS-based DDoS attacks are likely to rise as a result of home routers and IoT devices being compromised.
It claimed there was a 100-fold rise in such attacks during 2014, adding that just 100 compromised devices took down one million subscriber networks that year.
IoT devices are perfect for cyber-criminals as they’re always switched on, are connected to the mains so won’t run out of battery, and are connected to the internet.