FTC Files Complaint Against D-Link Over Router, Camera Security Issues

The U.S. Federal Trade Commission on Thursday filed a complaint alleging that lax security in D-Link's routers and cameras was a risk to consumer privacy.

The FTC on Thursday filed a complaint in the Northern District of California against D-Link, charging that the Taiwan-based company failed to take "reasonable steps to secure its routers and Internet Protocol (IP) cameras," possibly compromising sensitive consumer information "including live video and audio feeds from D-Link IP cameras."

This is not the FTC's first complaint related to the security of connected devices and internet of things (IoT) products. The organization last February settled with Taiwan-based ASUSTeK Computer over security flaws in routers that put hundreds of thousands of consumers at risk. It also settled with TRENDnet over allegations that the Torrance, Calif.-based company's SecurView cameras for home security and baby monitoring had faulty software that left them open to viewing or listening by anyone with the cameras' Internet address.

In both the ASUSTeK and TRENDnet cases, the settlements included agreements to have their products' security subject to independent audits for 20 years.

In the most recent complaint, a redacted copy of which is available online, the FTC accused D-Link of not properly securing its cameras and routers from unauthorized access and control, and of misrepresenting the security of its products in its promotional materials.

The FTC alleged D-Link failed to take steps to address "well-known and easily preventable security flaws," including hard-coding the username "guest" and password "guest" into some products, allowing the "command injection" software flaw that could let unauthorized users take control of routers, making a private key code for the D-Link software openly available on a public website for six months, and leaving users' login credentials for the company's mobile app unsecured.

In a prepared statement, Jessica Rich, director of the FTC’s Bureau of Consumer Protection, said, "Hackers are increasingly targeting consumer routers and IP cameras – and the consequences for consumers can include device compromise and exposure of their sensitive personal information. When manufacturers tell consumers that their equipment is secure, it’s critical that they take the necessary steps to make sure that’s true."

D-Link Systems, the Fountain Valley, Calif.-based U.S. subsidiary of D-Link, in response to a CRN request for more information, emailed the following statement: "D-Link Systems, Inc. is aware of the complaint filed by the FTC. D-Link denies the allegations outlined in the complaint and is taking steps to defend the action. The security of our products and protection of our customers' private data is always our top priority."

The company spokesperson, in the email, said D-Link would provide updates when they become available and plans to publish a "Q&A for consumers" on the company website soon.
