Shodan has turned up half a million D-Link devices exposed to the internet and open to easy hijacking through zero-day vulnerabilities.
The stack overflow vulnerabilities affect more than 120 D-Link products, from Wi-Fi cameras to routers and modems, and allow remote attackers to take over the devices' administrator account, install backdoors and intercept traffic.
D-Link has been contacted for comment.
It takes only one command to exploit the flaw, according to Senrio researchers who published a proof-of-concept that changed administrator passwords.
"... the Senrio research team discovered and exploited a remote code execution vulnerability in the latest firmware of the D-Link DCS-930L Network Cloud Camera," the researchers say.
"While the thought of strangers watching your sleeping baby is disturbing, the implications for enterprise and infrastructure environments are downright scary."
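The article does not say where in the firmware the overflow sits, so the following is an added, generic illustration rather than D-Link's or Senrio's code: a firmware-style command handler that copies a command argument into a fixed stack buffer without a length check, beside a bounds-checked version that refuses anything that does not fit. The command name ("SETPASS"), the 32-byte buffer and the return codes are hypothetical.

```c
/* Added illustration (not D-Link's or Senrio's code): a firmware-style
 * command handler with a classic stack buffer overflow, beside a
 * bounds-checked version. The "SETPASS <value>" command, the 32-byte
 * buffer and the return codes are hypothetical. */
#include <stdio.h>
#include <string.h>

#define VALUE_MAX 32
#define PREFIX "SETPASS "
#define PREFIX_LEN (sizeof PREFIX - 1)

/* Vulnerable: strcpy() into a fixed stack buffer with no length check.
 * An argument of VALUE_MAX bytes or more overwrites whatever follows the
 * buffer on the stack (saved registers, return address). Never call this
 * with untrusted input; it is here only to show the pattern. */
int handle_cmd_vulnerable(const char *line, char *out, size_t out_len)
{
    char value[VALUE_MAX];
    if (strncmp(line, PREFIX, PREFIX_LEN) != 0)
        return -1;                     /* unknown command */
    strcpy(value, line + PREFIX_LEN);  /* no length check: stack overflow */
    snprintf(out, out_len, "password set to %s", value);
    return 0;
}

/* Hardened: measure the argument first, reject anything that does not fit
 * (or is empty), and copy only what was measured, NUL terminator included. */
int handle_cmd_safe(const char *line, char *out, size_t out_len)
{
    char value[VALUE_MAX];
    size_t n;
    if (strncmp(line, PREFIX, PREFIX_LEN) != 0)
        return -1;                     /* unknown command */
    n = strlen(line + PREFIX_LEN);
    if (n == 0 || n >= sizeof value)
        return -2;                     /* too long or empty: refuse */
    memcpy(value, line + PREFIX_LEN, n + 1);
    snprintf(out, out_len, "password set to %s", value);
    return 0;
}

/* Helper: build "SETPASS " followed by len bytes of 'A' (a constructed
 * overlong argument, capped at 256) and return the safe handler's result. */
int safe_result_for_len(size_t len)
{
    char line[PREFIX_LEN + 256 + 1];
    char out[128];
    if (len > 256)
        len = 256;
    memcpy(line, PREFIX, PREFIX_LEN);
    memset(line + PREFIX_LEN, 'A', len);
    line[PREFIX_LEN + len] = '\0';
    return handle_cmd_safe(line, out, sizeof out);
}

/* Helper: run the safe handler on line and report whether its output
 * equals expected (1) or not (0). */
int safe_output_matches(const char *line, const char *expected)
{
    char out[128];
    if (handle_cmd_safe(line, out, sizeof out) != 0)
        return 0;
    return strcmp(out, expected) == 0;
}

int main(void)
{
    char out[128];
    handle_cmd_safe("SETPASS hunter2", out, sizeof out);
    printf("safe, short argument: %s\n", out);
    printf("safe, 200-byte argument: rc=%d\n", safe_result_for_len(200));
    /* handle_cmd_vulnerable() on the same 200-byte argument would smash
     * the stack, which is exactly the class of bug described above. */
    return 0;
}
```

The point of the hardened version is that the length decision is made before any byte is copied and that rejection is an explicit return code the caller can act on; truncating silently with strncpy() would avoid the overflow but could still let a shortened, attacker-chosen value be accepted.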
Almost 140,000 of the devices are located in the US, with 23,442 in Canada, and 20,982 in Sweden.
Senrio founder Stephen Ridley told Security Week that attacking the 120-odd affected D-Link models requires tweaking the exploit to suit each firmware version.
"An attacker would practically account for this difference in versions [and] devices by fingerprinting a device, and then changing the exploit payload based on the target," Ridley says.
The biggest risk is that someone writes a worm for the devices. Ridley told Vulture South the exploits are "almost certainly" wormable, an attack that could compromise many thousands of devices.
@darrenpauli almost certainly. — Stephen A. Ridley (@s7ephen), July 8, 2016
Shodan reports some 2,500 D-Link webcams are exposed over the internet without any authentication.
Senrio researchers warn of what they describe as the "laughable state" of embedded device security, pointing to a knowledge gap in software and hardware skills.
D-Link will begin stripping the trigger commands from its devices, starting with its much-exposed DCS cameras. ®