FTC Sues D-Link Citing Security Flaws in Routers, Cameras

The FTC filed suit against home networking gear maker D-Link alleging the company’s products are insecure. (Image courtesy of D-Link.)

In-brief: The FTC filed suit against home networking gear maker D-Link alleging the company’s products are insecure and pose a danger to consumers. (Editor’s note: updated to include D-Link’s official statement on the FTC case. – PFR 1/10/2017)

The U.S. Federal Trade Commission (FTC) has filed a complaint against consumer device maker D-Link, charging that broadband routers and Internet connected cameras the company makes put consumers’ privacy at risk.


LEARN TO SECURE THE INDUSTRIAL INTERNET OF THINGS 

Trusted Computing Group has how-to and demos with Microsoft, GE, Infineon, OnBoard Security, Wibu-Systems at IoT Solutions World Congress. Get your free expo pass code 111B9B47 or discount conference pass code 526E24AF


The complaint, filed on Thursday in U.S. District Court for the Northern District of California, alleges that D-Link and its U.S. subsidiary, D-Link Systems, used “inadequate security measures” to protect its products, leaving its wireless routers and Internet cameras “vulnerable to hackers.” That put “U.S. consumers’ privacy at risk,” the complaint says. All the while, the company promoted its products as having “advanced network security” and being “easy to secure,” claims that the FTC says were not supported by the facts.

The security of routers and IP enabled cameras has become a pressing security concern. Malware targeting vulnerable cameras and broadband routers that are exposed to the public Internet is increasingly common. Recently, the Mirai botnet launched crippling distributed denial of service attacks against web sites using a global network of cameras, home routers, digital video recorders and other consumer devices. Vulnerabilities in the software (or “firmware”) running on the devices and the absence of strong passwords was blamed for leaving them open to compromise.

Similar problems were found with D-Link devices and the FTC is alleging that the company failed to take steps to address well-known and easily preventable security flaws. Among the identified flaws were “hard-coded” login credentials integrated into D-Link camera software, such as the username “guest” and the password “guest” that could allow anyone who knew the Internet address of the camera to gain access to its live feed.

Other problems were identified, as well. D-Link cameras contain a software flaw known as “command injection” that could enable remote attackers to take control of consumers’ routers by sending them unauthorized commands over the Internet. A private key used to sign D-Link software updates was left exposed on a public website without any security for six months, allowing anyone to create a malicious software update that would be accepted as legitimate by the company’s products. A D-Link mobile application stored user names and passwords in clear text.

The vulnerabilities could be exploited in a number of ways. Compromised home routers could be modified to direct users to malicious or fraudulent websites, or could be used to attack other computers connected to the same network. Hacked cameras could be used to spy on the movements and actions of the camera’s owners, or could be enlisted in larger, criminal botnets to carry out attacks on web sites and applications.

The FTC alleges that D-Link’s promotional materials misrepresent the security of its products and put U.S. consumers at risk of “substantial injury to consumers in the United States.” The Commission is seeking a permanent injunction to prevent D-Link from further violating the FTC Act.

The announcement comes at an awkward time. The annual Consumer Electronics Show (CES) kicked off on Thursday in Las Vegas. D-Link has a major presence at the show, announcing a range of new wi-fi cameras for indoor and outdoor use. It is unclear whether the company’s latest products are also affected by the security issues named in the complaint. D-Link did not respond to an email request for comment prior to publication of this story.

In a statement, D-Link Systems said it would vigorously defend itself against the FTC’s charges, which the company called “unwarranted and baseless.”

“D-Link Systems rejects the FTC’s allegations and firmly believes that its processes and procedures related to security were more than reasonable. D-Link Systems maintains a robust range of procedures to address potential security issues, which exist in all Internet of Things (IoT) devices,” the company said.