I'm not too sure. I have heard that the attack also fixed the security vulnerability (changing the default root password) after installing the back door so other people cannot use it.
Although the source code is out there, those will not be able to control all those devices.
I'm not sure. Maybe that's the case for the passwords which can be changed via the administrative app, but I read many of these are in firmware and not able to be disabled or changed:
“The issue with these particular devices is that a user cannot feasibly change this password,” Flashpoint’s Zach Wikholm told KrebsOnSecurity. “The password is hardcoded into the firmware, and the tools necessary to disable it are not present.”