Networking vendor D-Link, which this week was sued by the U.S. Federal Trade Commission (FTC) over alleged security issues in its routers and IP cameras, blasted the FTC for insinuating potential security issues rather than pointing out specific instances where customer privacy was breached.
The FTC filed a complaint in the Northern District of California on Thursday which charged Taiwan-based D-Link and D-Link Systems, its Fountain Valley, Calif.-based U.S. subsidiary, with failing to take "reasonable steps to secure its routers and Internet Protocol (IP) cameras" and possibly compromising sensitive consumer information "including live video and audio feeds from D-Link IP cameras."
According to the FTC, D-Link failed to take steps to address "well-known and easily preventable security flaws." Among the alleged missteps were hard-coding the username "guest" and password "guest" into some products, allowing a software flaw that could let unauthorized users take control of routers, making a private key code for the D-Link software openly available on a public website for six months, and leaving users' login credentials for the company's mobile app unsecured.
D-Link was unable to provide a company executive to discuss the FTC action, citing executive travel schedules related to CES 2017.
In a prepared statement, D-Link Systems said it rejects the FTC’s allegations and firmly believes it has "more than reasonable" security processes and procedures including procedures to address potential security issues, which the company said exist in all of its internet of things (IoT) devices.
The company also said the FTC did not allege any breach of a D-Link Systems device or actual instances of consumers suffering, but instead focused on the potential of being hacked.
The FTC charges against D-Link Systems are unwarranted, said William Brown, chief information security officer at D-Link Systems, in the statement.
"We will vigorously defend the security and integrity of our routers and IP cameras and are fully prepared to contest the complaint. Furthermore, we are continually working to address the overall security features of D-Link Systems' products for their intended applications and to regularly inform consumers of the appropriate steps to take to secure devices," Brown said.
D-Link late Thursday posted an online FAQ to address specific allegations in the FTC complaint.
In the FAQ, the company said it maintains procedures to address the kind of potential security issues that exist in all IoT devices and said the FTC must allege that actual consumers were harmed or could suffer actual injuries.
D-Link's response was what would be expected of a company facing allegations of delivering solutions which could impact the privacy of its customers, said Andrew Calore, vice president of BCI Computers, a West Warwick, R.I.-based solution provider who partners with D-Link to a limited extent.
With the average household having 14 connected devices and the increasing reliance on IoT, security flaws are to be expected, Calore told CRN.
"Nothing is perfect," he said. "For a company like D-Link, it sounds like they made a reasonable response to the FTC action."
However, Calore praised the FTC for raising the issue. Vendors, in general, are quick to promise certain features and capabilities but often slower to deliver them, he said.
"I agree the FTC should be involved," he said. "Routers and cameras get put in your home, your private area. They should be safe. Otherwise, someone could do something like use your camera to see if you're at home and then rob you."
When talking with the IT director at a business customer, it is easy to talk about VPNs and firewalls to protect the business, Calore said. "But at home, users rely on their ISPs or on store-bought routers for security," he said. "You can't load antivirus on your baby monitors and cameras."