There may be far-reaching, long-term implications of the Shellshock Bash Bug for IoT. With so many IoT devices running a Linux-based kernel and exposing simple web services, it's possible there are already millions of devices out there that need patching in some way - think every Raspberry Pi, every Intel Beagle/Edison board, every Arduino Yun, and many more. It's the "O" part of GPIO that scares me the most. It may be possible to exploit the bug to influence the physical world all too easily (change the traffic lights, open a flood gate, etc.).
This is a great example of why security on IoT does matter, and why these devices cannot simply be "set and forget".
Are our “things” affected? This is where it gets interesting – we have a lot of “things” potentially running Bash. Of course when I use this term I’m referring to the “Internet of Things” (IoT) which is the increasing prevalence of whacking an IP address and a wireless adaptor into everything from our cutlery to our door locks to our light globes. Many IoT devices run embedded Linux distributions with Bash. These very same devices have already been shown to demonstrate serious security vulnerabilities in other areas, for example LIFX light globes just a couple of months ago were found to be leaking wifi credentials. Whilst not a Bash vulnerability like Shellshock, it shows us that by connecting our things we’re entering a whole new world of vulnerabilities in places that were never at risk before.