The Federal Trade Commission acknowledged on Thursday that it takes the security of the so-called internet of things seriously when it leveled a complaint against one of the more popular router manufacturers.

The lawsuit, filed at the U.S. District Court for the Northern District of California, alleges that D-Link neglected to adequately secure its wireless routers and IP cameras, something that may have potentially put its customers’ data at risk of compromise.

Filed by David Shonka, FTC’s Principal Deputy General Counsel, the 31-page complaint (.PDF) said the company failed to reasonably fulfill many of the claims it touted on its website regarding security.

The complaint alleges the company’s cameras suffered from hard-coded login credentials – “username:guest/password:guest” – something that may have allowed access to the cameras’ live feed. It also claims many of the company’s routers were plagued by command injection vulnerabilities that could have let remote attackers take over routers.

The FTC also alleges that D-Link left a private key code, something that could have been used to sign into the company’s software, on a site, publicly available for six months. The complaint also claims that D-Link failed to properly secure users’ login credentials when they logged in via the company’s mobile app, “even though there is free software available to secure the information.”

“Hackers are increasingly targeting consumer routers and IP cameras – and the consequences for consumers can include device compromise and exposure of their sensitive personal information,” Jessica Rich, director of the FTC’s Bureau of Consumer Protection, said in a press release. “When manufacturers tell consumers that their equipment is secure, it’s critical that they take the necessary steps to make sure that’s true.”

The company put consumers at “significant risk of harm in a variety of ways” according to the complaint. For instance, the FTC warns that an attacker could have compromised an individual’s tax returns if they were stored on the router’s attached storage device or targeted individuals or their children by spying on them through the camera vulnerabilities.

The FTC especially took issue with D-Link’s statements that their routers were “EASY TO SECURE” and offered what it called “ADVANCED NETWORK SECURITY.”

The agency is asking the company to fix their security to “prevent future violations.” It’s also asking D-Link to cover the costs of bringing the action, “as well as such other and additional relief as the Court may determine to be just and proper.”

The hits keep coming for D-Link, which last summer dealt with seemingly endless headlines about vulnerabilities in its products. An unpatched flaw in its Wi-Fi cameras, which eventually extended to 120 products, was found to be remotely exploitable in June. Later that month it was forced to patch weak SSL implementations in its mydlink devices. At the end of summer, in September, a researcher said one of the company’s routers, the DWE-932B, was so broken that consumers who own them should simply throw them away.

When reached for comment Thursday D-Link denied the allegations and said it would be defending the action.

“D-Link Systems, Inc. is aware of the complaint filed by the FTC,” it said. “D-Link denies the allegations outlined in the complaint and is taking steps to defend the action. The security of our products and protection of our customers’ private data is always our top priority.”

In a second statement, forwarded to Threatpost late Thursday, D-Link pointed out that the FTC complaint doesn’t allege a breach of a D-Link device. Furthermore, D-Link says the complaint fails to allege “that actual customers suffered or are likely to suffer actual substantial injuries.”

“The FTC complaint alleges certain security hacking concerns for consumer routers and IP cameras, and we firmly believe that charges alleged in the complaint against D-Link Systems are unwarranted,” William Brown, chief information security officer, D-Link Systems, Inc. said in a statement. “We will vigorously defend the security and integrity of our routers and IP cameras and are fully prepared to contest the complaint. Furthermore, we are continually working to address the overall security features of D-Link Systems’ products for their intended applications and to regularly inform consumers of the appropriate steps to take to secure devices.”

It was almost two years ago that the FTC released a report urging companies to adopt best practices when it comes to manufacturing internet-connected devices. The report encouraged companies to build security into devices “at the outset, rather than an afterthought” and to “consider measures to keep unauthorized users from accessing a consumer’s device, data, or personal information.”

Earlier that month, FTC Chairwoman Edith Ramirez foreshadowed the announcement at the Consumer Electronics Show in Las Vegas, stressing that companies should carry out a privacy and security risk assessment during their design processes.

The complaint, the FTC’s first of 2017, may act as something of a warning shot to other manufacturers of internet-connected devices. It comes a day after the agency announced the kickoff of its IoT Home Inspector Challenge, a competition in which it’s soliciting help to come up with a better way to patch IoT devices.

Last February the FTC settled with another router manufacturer, Asus, over claims that some of its devices allowed hackers to access more than 12,000 users’ connected storage devices. Asus agreed to 20 years of periodic security audits and a $16,000 fine per incident – something that could add up to $206 million in civil penalties.

The FTC most recently settled with operators of the dating site AshleyMadison.com following the 2015 data breach of 36 million of its users. The site agreed to pay a total of $1.6 million to settle charges it not only deceived consumers but failed to protect their information.

Categories: Government, IoT, Vulnerabilities

Comments (3)

  1. Michael Howard, HP's Chief Security Advisor

    I am not sure this lawsuit will do very much, especially since — in the end — it was user inexperience and negligence that caused many of the breaches and, in the end, the Dyn DDoS attack. When you’ve got people who install devices and don’t reset (or even require) passwords and leave ports open, you’re going to end up with a problem. You’ve also got people out there — IT included — that allow automatic assigning of IP addresses, which makes it easy for anyone to take over a device.

    We’ve been advocating for our users to set strong passwords on all devices including and especially printers and turn off unused ports and protocols. We also remind our customers to update firmware consistently and implement processes and documentation to keep security consistent and measurable.

    • Casey Rauth

      I have a difficult time believing that anyone with experience in IT Security would ultimately blame the end-users for something as massive as Mirai. “In the end,” it was the business-as-usual reactive security mindset, from both sides, that caused the breaches and numerous record-setting DDoS attacks. Downplaying the manufacturers’ role in this is a poor stance to take.

      Manufacturers are concerned with profits and customers are concerned with usability. This isn’t a vitriolic diatribe; it is an immutable truth (thanks, Brian) of the world we operate in and have to work around. While end-user awareness is a necessity, it is useless when the manufacturer does not build a secure product to begin with. We, the security industry and the manufacturers, cannot expect end-users to uniformly understand and manage the requirements to obtain a secure environment, either. It is up to us to build a more secure infrastructure and product for them to use, with confidence that the security awareness given to them is meaningful.

  2. msb

    This is about more than just ignorant users. One of the key points in this argument is that DLink misrepresented the ease and quality of the security of their products. I hope this charge is successful and causes other manufacturers to start taking security seriously on their products. Hopefully this will also lead to a class action lawsuit that can see some of these poor people compensated for hours of frustration, cost of replacements, and the very real costs of excess usage due to router exploits, and tech support costs to diagnose and resolve these problems.

