What bothers me is not this particular instance, but the proof of concept it represents, in a world where everything from refrigerators to night lights phones home. Things present a very diffuse and low-reward attack surface individually, but as reflectors they provide a potential solar-furnace-like effect in the hands of a sophisticated attacker.
"Physical access is game over," so it may turn out that whoever owns the most Things wins after all.
Interesting points. I would take a small amount of exception to the idea that such Things are low-reward, though. I mean, I guess it really depends on what you're looking for. 0wning a fat database server or web head farm is great, except it's really public. People are going to be getting in there, doing upgrades, analyzing performance, and so on. There is always the outstanding chance that you'll get expunged, either because you get found, or because they upgrade hardware and/or software and redeploy their work. Either way, it's just a matter of time before you lose access. On the other hand, getting a set-top box, or some other embedded platform, is a different story. No one is looking at those things. They are more or less completely off the radar. Root one, and you have it until the device goes offline. Set it up to listen on a Tor hidden service on startup, and you'll probably have access even if it hits the used market and switches physical owners. That may change some as IoT gets more attention, but for the near-to-mid future, this problem is only going to get worse.