The Federal Trade Commission signaled on Thursday that it takes the security of the so-called internet of things seriously when it leveled a complaint against one of the more popular router manufacturers.
The lawsuit, filed at the U.S. District Court for the Northern District of California, alleges that D-Link neglected to adequately secure its wireless routers and IP cameras, something that may have put its customers’ data at risk of compromise.
Filed by David Shonka, FTC’s Principal Deputy General Counsel, the 31-page complaint (.PDF) said the company failed to reasonably fulfill many of the claims it touted on its website regarding security.
The complaint alleges the company’s cameras suffered from hard-coded login credentials – “username:guest/password:guest” – something that may have allowed access to the cameras’ live feed. It also claims many of the company’s routers were plagued by command injection vulnerabilities that could have let remote attackers take over the routers.
The FTC also alleges that D-Link left a private key code, something that could have been used to sign into the company’s software, on a site, publicly available for six months. The complaint also claims that D-Link failed to properly secure users’ login credentials when they logged in via the company’s mobile app, “even though there is free software available to secure the information.”
“Hackers are increasingly targeting consumer routers and IP cameras – and the consequences for consumers can include device compromise and exposure of their sensitive personal information,” Jessica Rich, director of the FTC’s Bureau of Consumer Protection, said in a press release. “When manufacturers tell consumers that their equipment is secure, it’s critical that they take the necessary steps to make sure that’s true.”
The company put consumers at “significant risk of harm in a variety of ways” according to the complaint. For instance, the FTC warns that an attacker could have compromised an individual’s tax returns if they were stored on the router’s attached storage device or targeted individuals or their children by spying on them through the camera vulnerabilities.
The FTC especially took issue with D-Link’s statements that their routers were “EASY TO SECURE” and offered what it called “ADVANCED NETWORK SECURITY.”
The agency is asking the company to fix their security to “prevent future violations.” It’s also asking D-Link to cover the costs of bringing the action, “as well as such other and additional relief as the Court may determine to be just and proper.”
The hits keep coming for D-Link, which last summer dealt with seemingly endless headlines about vulnerabilities in its products. An unpatched flaw in its Wi-Fi cameras, which eventually extended to 120 products, was found to be remotely exploitable in June. Later that month it was forced to patch weak SSL implementations in its mydlink devices. At the end of summer, in September, a researcher said one of the company’s routers, the DWR-932B, was so broken that consumers who own them should simply throw them away.
When reached for comment Thursday D-Link denied the allegations and said it would be defending the action.
“D-Link Systems, Inc. is aware of the complaint filed by the FTC,” it said. “D-Link denies the allegations outlined in the complaint and is taking steps to defend the action. The security of our products and protection of our customers’ private data is always our top priority.”
In a second statement, forwarded to Threatpost late Thursday, D-Link pointed out that the FTC complaint doesn’t allege a breach of a D-Link device. Furthermore, D-Link says the complaint fails to allege “that actual customers suffered or are likely to suffer actual substantial injuries.”
“The FTC complaint alleges certain security hacking concerns for consumer routers and IP cameras, and we firmly believe that charges alleged in the complaint against D-Link Systems are unwarranted,” William Brown, chief information security officer of D-Link Systems, Inc., said in a statement. “We will vigorously defend the security and integrity of our routers and IP cameras and are fully prepared to contest the complaint. Furthermore, we are continually working to address the overall security features of D-Link Systems’ products for their intended applications and to regularly inform consumers of the appropriate steps to take to secure devices.”
It was almost two years ago that the FTC released a report urging companies to adopt best practices when it comes to manufacturing internet-connected devices. The report encouraged companies to build security into devices “at the outset, rather than an afterthought” and to “consider measures to keep unauthorized users from accessing a consumer’s device, data, or personal information.”
Earlier that month, FTC Chairwoman Edith Ramirez foreshadowed the announcement at the Consumer Electronics Show in Las Vegas, stressing that companies should carry out a privacy and security risk assessment during their design processes.
The complaint, the FTC’s first of 2017, may act as something of a warning shot to other manufacturers of internet-connected devices. It comes a day after the agency announced the kickoff of its IoT Home Inspector Challenge, a competition in which it’s soliciting help to come up with a better way to patch IoT devices.
Last February the FTC settled with another router manufacturer, Asus, over claims that some of its devices allowed hackers to access more than 12,000 users’ connected storage devices. Asus agreed to 20 years of periodic security audits and a $16,000 fine per incident – something that could add up to $206 million in civil penalties.
The FTC most recently settled with operators of the dating site AshleyMadison.com following the 2015 data breach of 36 million of its users. The site agreed to pay a total of $1.6 million to settle charges it not only deceived consumers but failed to protect their information.