FTC Files Complaint Against D-Link Over Router, Camera Security Issues

The U.S. Federal Trade Commission on Thursday filed a complaint alleging that lax security in D-Link's routers and cameras was a risk to consumer privacy.

The FTC Thursday filed a complaint in the Northern District of California against D-Link, charging that the Taiwan-based company failed to take "reasonable steps to secure its routers and Internet Protocol (IP) cameras" and possibly compromising sensitive consumer information "including live video and audio feeds from D-Link IP cameras."

This is not the FTC's first complaint related to connected device security and internet of things (IoT) products. security. The organization last February settled with Taiwan-based ASUSTeK Computer over security flaws in routers that put hundreds of thousands of consumers at risk. It also settled with TRENDnet over allegations that the Torrance, Calif.-based company's SecurView cameras for home security and baby monitoring had faulty software that left them open to viewing or listening by anyone with the cameras' Internet address.

[Related: Distributed Denial of Service Attacks Increased In 2016, Spurred By IoT Vulnerabilities]

In both the ASUSTeK and TRENDnet cases, the settlements included agreements to have their products' security subject to independent audits for 20 years.

In the most recent complaint, a redacted copy of which is available online, the FTC accused D-Link of not properly securing its cameras and routers from unauthorized access and control, and of misrepresenting the security of its products in its promotional materials.

The FTC alleged D-Link failed to take steps to address "well-known and easily preventable security flaws," including hard-coding the username "guest" and password "guest" into some products, allowing the "command injection" software flaw that could let unauthorized users take control of routers, making a private key code for the D-Link software openly available on a public website for six months, and leaving users' login credentials for the company's mobile app unsecured.

In a prepared statement, Jessica Rich, director of the FTC’s Bureau of Consumer Protection, said, "Hackers are increasingly targeting consumer routers and IP cameras – and the consequences for consumers can include device compromise and exposure of their sensitive personal information. When manufacturers tell consumers that their equipment is secure, it’s critical that they take the necessary steps to make sure that’s true."

D-Link Systems, the Fountain Valley, Calif.-based U.S. subsidiary of D-Link, in response to a CRN request for more information, emailed the following statement: "D-Link Systems, Inc. is aware of the complaint filed by the FTC. D-Link denies the allegations outlined in the complaint and is taking steps to defend the action. The security of our products and protection of our customers' private data is always our top priority."

The company spokesperson, in the email, said D-Link would provide updates when they become available and plans to publish a "Q&A for consumers" on the company website soon.

Daniel Duffy, CEO and chief information officer at Valley Network Solutions, a Fresno, Calif.-based solution provider and D-Link partner, told CRN via email that, while continual innovation leads to "awesome new ideas and technology," it also can lead to disruption and new scenarios for security solutions and, often, new legislation.

"I think the actions and settlements are a good thing, generally speaking, because we know from the robber baron days that many capitalist companies left to their own devices won’t do the right thing," Duffy wrote.

However, Duffy wrote, while government helps keep such practices in check, it has yet to prove its ability to police its own security practices.

"I also believe that we’ve gotten to such a point of imbalance in this country, where the government has forgotten who they work for, and where the media that colludes with the government has forgotten that the people who butter their bread can actually think critically, that any new threats of legislation or action from the government have become a joke, because their own house is in such bad order," he wrote.

Duffy cited such issues as the hacking of Democratic Party emails and the decision of Hillary Clinton to use her own private email server as the kind of things that make it "ironic and laughable" for the government to pursue security actions against a commercial business.

"They need to get their priorities straight and start by looking in their collective mirrors, getting their own house in order and remembering that they work for us," he said.