The FTC has been keeping a close watch on the Internet of Things since the Internet of Things became a thing to watch. That includes law enforcement actions against companies alleged to have sold vulnerable connected devices that put consumers’ sensitive information at risk. Affected devices could even become – in effect – zombies that do the bidding of malicious botnets that threaten the Internet. The settlement of the FTC’s case against D-Link offers a reminder of both the threats that vulnerable IoT and smart home products pose to consumers and the practices that prudent IoT companies routinely implement.
Connected device seller D-Link promised consumers “advanced network security.” But according to the FTC’s complaint, the company failed Security 101. Vulnerabilities in D-Link routers and Internet-connected cameras left sensitive consumer information, including live video feeds, exposed to third parties and vulnerable to hackers. The complaint alleged that D-Link didn’t adequately test its products for well-known and easy-to-fix security flaws before putting the insecure devices into consumers’ hands and homes. D-Link’s software development shortcomings also failed to identify and eliminate hard-coded login credentials on its camera software that were easy to figure out. (It wouldn’t take a Bletchley Park codebreaker to deduce that it was “guest.”) D-Link also stored login credentials for its app in clear, readable text on users’ mobile devices.
All that will change under the settlement D-Link just signed. The proposed order requires the company to implement a comprehensive software security program, including specific steps to ensure its connected cameras and routers are secure. That means security planning, threat modeling, and testing and remediation before products hit the market. But security for IoT devices is an ongoing process, not a punch list of pre-release tasks. That’s why the proposed order requires D-Link to monitor its products for security flaws, automatically update firmware, and set up a system to accept vulnerability reports from security researchers.
And the FTC will be able to check D-Link’s work. D-Link must get independent, third-party assessments of its software security program every other year for the next decade from an assessor approved by the FTC. What’s more, the settlement requires the assessor to take a deep dive into D-Link’s security practices. He or she can’t just take management’s word for it. The order also spells out procedures to guarantee FTC access to the documents necessary to assess D-Link’s compliance – and to assess the assessor. And similar to other recent settlements, a senior manager must certify every year that the company is in compliance with the order.
In addition, the settlement includes protections for consumers who currently own devices covered by the order. D-Link must automatically push fixes to devices set up to receive them and must provide clear step-by-step instructions to all consumers explaining how to patch their devices themselves.
One notable feature of this order is D-Link’s option to have the assessor certify the company’s compliance with the International Electrotechnical Commission’s standard for the secure product development lifecycle. The order provides that if D-Link gets the necessary IEC compliance certifications, that will meet the requirement of a comprehensive software security program. Of course, that provision is a no-go if D-Link provides misleading information during the audit and assessment process.
What can other Internet of Things companies do to implement safer security practices? For starters, they can consult Start with Security, the FTC’s guide for business, which advises companies to “Apply sound security practices when developing new products.” A few practical pointers:
- Train your engineers in secure coding.
- Verify that privacy and security features work.
- Test for (and remediate) common vulnerabilities.
Other tips to consider: the baker’s dozen basics detailed in the FTC brochure, Careful Connections: Building Security in the Internet of Things.