FTC goes after D-Link for security problems

FTC turns its eye towards D-Link's security problems

(Updated) The Federal Trade Commission (FTC) filed a complaint on Thursday against Taiwan’s D-Link and its U.S. subsidiary, D-Link Systems, Inc., alleging the company has put consumer privacy at risk with inadequate security measures.

The complaint cites a number of security problems D-Link has faced over the years, including a command injection vulnerability the company patched last summer, which impacted some 400,000 D-Link devices.

The FTC also singles out hardcoded credentials that can be used to view remote camera feeds, and the incident where code-signing keys were exposed to the public for at least six months.

Finally, the complaint references issues with D-Link’s mobile app, where user credentials were stored in clear, readable text “even though there is free software available to secure the information,” the complaint explains.

“When manufacturers tell consumers that their equipment is secure, it’s critical that they take the necessary steps to make sure that’s true,” Jessica Rich, director of the FTC’s Bureau of Consumer Protection, said in a prepared statement.

The FTC has filed similar complaints in the past, including one against ASUSTeK Computer, Inc. for flaws in their router control panels, such as the ones that were used in a 2015 series of attacks that redirected internet traffic for some customers.

Asked for an opinion on the FTC’s actions, Allison Nixon, the Director of Security Research at Flashpoint, said it was a good move by the FTC, adding that the IoT security space needs to shape up quickly.

"Unauthenticated remote takeover is considered a borderline scandalous vulnerability in any other area of application development, but in the IoT world it's routine. Vendors need to be held accountable because if they aren't, the rest of us will pay the price," Nixon said.

In a brief statement, a D-Link spokesperson sent Salted Hash the following:

“D-Link Systems, Inc. is aware of the complaint filed by the FTC. D-Link denies the allegations outlined in the complaint and is taking steps to defend the action. The security of our products and protection of our customer’s private data is always our top priority.”

The company is preparing a public FAQ on the matter that will be published to the D-Link website.

Update:

D-Link issued a response Friday morning, announcing that it will defend itself against the "unwarranted and baseless charges made by the Federal Trade Commission (FTC)."

Noting that the decision by the FTC to file the complaint was contested, D-Link says the charge fails to prove its point:

"The FTC complaint does not allege any breach of a D-Link Systems device. Instead, the FTC speculates that consumers were placed “at risk” to hacking, but fails to allege, as it must, that actual consumers suffered or are likely to suffer actual substantial injuries."

The company has published a support article on the FTC's actions, which is available online.

Copyright © 2017 IDG Communications, Inc.