Thanks to the Internet of Things, consumers can easily share a photo with family or watch from the office what’s going on at home. But share a tax return with a hacker, have some creep silently gaze at the live feed from your family room, or have your personal conversations remotely recorded? (Shudder.) A lawsuit the FTC filed against D-Link, a global manufacturer of computer networking equipment and other connected devices, alleges that the company made deceptive claims about the security of its products and engaged in unfair practices that put consumers’ privacy at risk.
D-Link Corporation and D-Link Systems, Inc., develop and sell routers, IP cameras, baby monitors and other products designed to integrate consumers’ home networks. If the company’s ads are any indication, D-Link was well aware of consumers’ concern about keeping those networks secure. Promising “Advanced Network Security,” D-Link’s promotional materials assured buyers that their routers “support the latest wireless security features to help prevent unauthorized access, be it from a wireless network or from the Internet.” Other ads touted a D-Link product as “not only one of the finest routers available, it’s also one of the safest.” Even the package for D-Link’s Digital Baby Monitor featured a lock icon with the phrase “Secure Connection” next to a picture of an adorable baby. The company repeated many of those security promises in the interactive interfaces consumers used to set up their D-Link products.
D-Link further touted its practices in a Security Event Response Policy, posted after some highly publicized security flaws were found to affect the company’s products. According to the company:
D-Link prohibits at all times, including during product development by D-Link or its affiliates, any intentional product features or behaviors which allow unauthorized access to the device or network, including but not limited to undocumented account credentials, covert communication channels, “backdoors” or undocumented traffic diversion. All such features and behaviors are considered serious and will be given the highest priority.
The complaint alleges that many of D-Link’s claims in its Security Event Response Policy and in promotional materials and interfaces for its routers and cameras were false or deceptive. But that’s not all.
According to the FTC, D-Link also failed to take reasonable steps to address well-known and easily preventable security flaws. You’ll want to read the complaint for the specifics, but here are a few examples of the choices D-Link made that the FTC says unfairly put consumers’ privacy at risk:
- D-Link allegedly hard-coded login credentials into D-Link camera software that could allow unauthorized access to cameras’ live feed.
- D-Link allegedly left users’ login credentials for its mobile app unsecured in clear, readable text on consumers’ devices.
- D-Link allegedly mishandled its own private key used to sign D-Link software, and as a result, that key was publicly available online for six months.
- D-Link allegedly failed to take reasonable steps to prevent command injection, a known vulnerability that lets attackers take control of people’s routers and send them unauthorized commands.
The FTC filed suit in federal court in California. The case comes on the heels of several recent incidents involving the Internet of Things, including numerous distributed denial-of-service (DDoS) attacks and privacy issues raised by connected toys. Even at this early stage, companies involved in the Internet of Things will want to follow what’s happening. (One suggestion: Read Careful Connections: Building Security in the Internet of Things.)