FTC Files lawsuit against D-Link for Inadequate Internet of Things Security Practices

Link to story:


Text of Story:

The Federal Trade Commission filed a complaint against Taiwan-based computer networking equipment manufacturer D-Link Corporation and its U.S. subsidiary, alleging that inadequate security measures taken by the company left its wireless routers and Internet cameras vulnerable to hackers and put U.S. consumers’ privacy at risk.

In a complaint filed in the Northern District of California, the FTC charged that D-Link failed to take reasonable steps to secure its routers and Internet Protocol (IP) cameras, potentially compromising sensitive consumer information, including live video and audio feeds from D-Link IP cameras.

The complaint filed today is part of the FTC’s efforts to protect consumers’ privacy and security in the Internet of Things (IoT), which includes cases the agency has brought against ASUS, a computer hardware manufacturer, and TRENDnet, a marketer of video cameras.

“Hackers are increasingly targeting consumer routers and IP cameras -- and the consequences for consumers can include device compromise and exposure of their sensitive personal information,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection. “When manufacturers tell consumers that their equipment is secure, it’s critical that they take the necessary steps to make sure that’s true.”

According to the FTC’s complaint, D-Link promoted the security of its routers on the company’s website, which included materials headlined “EASY TO SECURE” and “ADVANCED NETWORK SECURITY.” But despite the claims made by D-Link, the FTC alleged, the company failed to take steps to address well-known and easily preventable security flaws, such as:
* hard-coded” login credentials integrated into D-Link camera software -- such as the username “guest” and the password “guest” -- that could allow unauthorized access to the cameras’ live feed;
* a software flaw known as “command injection” that could enable remote attackers to take control of consumers’ routers by sending them unauthorized commands over the Internet;
* the mishandling of a private key code used to sign into D-Link software, such that it was openly available on a public website for six months; and
* leaving users’ login credentials for D-Link’s mobile app unsecured in clear, readable text on their mobile devices, even though there is free software available to secure the information.

According to the complaint, hackers could exploit these vulnerabilities using any of several simple methods. For example, using a compromised router, an attacker could obtain consumers’ tax returns or other files stored on the router’s attached storage device. They could redirect a consumer to a fraudulent website, or use the router to attack other devices on the local network, such as computers, smartphones, IP cameras, or connected appliances.

The FTC alleges that by using a compromised camera, an attacker could monitor a consumer’s whereabouts in order to target them for theft or other crimes, or watch and record their personal activities and conversations.

The FTC has provided guidance to IoT companies on how to preserve privacy and security in their products while still innovating and growing IoT technology.

The Commission vote authorizing the staff to file the complaint against D-Link Corporation and California-based D-Link Systems, Inc. was 2-1, with Commissioner Maureen K. Ohlhausen voting no. The complaint was filed in the U.S. District Court for the Northern District of California.

PDF copy of the legal suit:

Why is this lawsuit important: IoT is hot right now in the tech field but the security protocols for IoT devices has been questionable or lacking in some cases.

Whats the likely outcome of this case: D-Link gets fined and has to recall or fix affected products.
How strong is the FTC case: Based on what FTC has presented the FTC has a very strong case against D-Link.

I'll keep an eye on this case and see what happens.

What do you guys think of this story?


My stance is that it hopefully sets a precedent for manufactures of IoT and internet connected devices to take a more in depth approach to security, because right now it is scary for many poorly designed internet devices are on the market that have no regard for security or privacy.

I know in some cases these devices are using embedded Linux with really old kernels which have no update procedure in place to fix security issues, it seems the trend now is to throw the devices on the market and forget about them in a couple of years. You see this with Android phones also, there is a huge quantity of very insecure Android phones on the market that have no upgrade path to fix these issues.


this is a good first step, but d-link alone aren't the only offenders. For now I would guess its going to stay business as usual for the majority of IoT vendors, at least until a harsh ruling has been filed. I would guess that if the companies were going to start supporting devices for their lifetime (however long they decide that will be, and it certainly wont be anything reasonable for an appliance), then they would have to make a pretty big structural changes in their company (a department for maintaining all of their devices basically), or just outsource the software maintenance to another firm. those kind of things are going to be costly, so I doubt that they are going to do one of those things until they are under a lot of pressure to do so.