While this is not exactly an “Internet Of Things” issue, it points out how long it takes to get things fixed and how the tail of a bug can live on forever. In the case of the Internet of things, people rarely patch their refrigerator, so that bug will live on until the refrigerator is in a landfill somewhere.
So here is the deal. Rompager is a piece of software that many device manufacturers use to provide a web interface on some device they sell – in this case an internet router. The bug, which I will describe in a minute, was introduced in 2002 and the developer found it and patched it in 2005. This is 2014 – 12 years after the bug was created and 9 years after the bug was patched and Checkpoint Software, the Israeli security firm, found 12 million vulnerable devices in 189 countries still have this buggy software – and likely this is not a complete list. And they were only looking at routers.
Why is that? Because device manufacturers don’t bother to update their software unless they have to. It seems to be working. People aren’t complaining. If they upgrade it they might break something, so they leave it alone.
Is it reasonable that the bad guys knew about this bug? Sure. They check out patches all the time. And since your internet router is the “responsibility” of your internet provider, unlike your laptop, you don’t worry about patching it. In fact, in many cases, your internet provider won’t let you into your router to see if it needs to be patched.
Is it reasonable that the spy guys knew about it? Sure. See the paragraph above!
The bug. Due to this bug, an attacker can send a cookie to your router and make it think the attacker is an administrator on your router and basically do whatever it wants. The bad news is that even if you turn off web administration from the outside for your router, the router still listens for update requests from your internet provider and this bug will still allow a hacker in.
The only way to stop this is to upgrade the buggy firmware on your router.
For more details and a list of suspected affected routers, see this article from Security Week