D-Link case alleges inadequate Internet of Things security practices

Thanks to the Internet of Things, consumers can easily share a photo with family or watch from the office what’s going on at home. But share a tax return with a hacker, have some creep silently gaze at the live feed from your family room, or have your personal conversations remotely recorded? (Shudder.) A lawsuit the FTC filed against D-Link, a global manufacturer of computer networking equipment and other connected devices, alleges that the company made deceptive claims about the security of its products and engaged in unfair practices that put consumers’ privacy at risk.

D-Link Corporation and D-Link Systems, Inc., develop and sell routers, IP cameras, baby monitors and other products designed to integrate consumers’ home networks. If the company’s ads are any indication, D-Link was well aware of consumers’ concern about keeping those networks secure. Promising “Advanced Network Security,” D-Link’s promotional materials assured buyers that their routers “support[] the latest wireless security features to help prevent unauthorized access, be it from a wireless network or from the Internet.” Other ads touted a D-Link product as “not only one of the finest routers available, it’s also one of the safest.” Even the package for D-Link’s Digital Baby Monitor featured a lock icon with the phrase “Secure Connection” next to a picture of an adorable baby. The company repeated many of those security promises in the interactive interfaces consumers used to set up their D-Link products.

D-Link further touted its practices in a Security Event Response Policy, posted after some highly publicized security flaws were found to affect the company’s products. According to the company:

D-Link prohibits at all times, including during product development by D-Link or its affiliates, any intentional product features or behaviors which allow unauthorized access to the device or network, including but not limited to undocumented account credentials, covert communication channels, “backdoors” or undocumented traffic diversion. All such features and behaviors are considered serious and will be given the highest priority.

The complaint alleges that many of D-Link’s claims in its Security Event Response Policy and in promotional materials and interfaces for its routers and cameras were false or deceptive. But that’s not all.

According to the FTC, D-Link also failed to take reasonable steps to address well-known and easily preventable security flaws. You’ll want to read the complaint for the specifics, but here are a few examples of the choices D-Link made that the FTC says unfairly put consumers’ privacy at risk:

  • D-Link allegedly hard-coded login credentials into D-Link camera software that could allow unauthorized access to cameras’ live feed.
  • D-Link allegedly left users’ login credentials for its mobile app unsecured in clear, readable text on consumers’ devices.
  • D-Link allegedly mishandled its own private key code used to sign into D-Link software and as a result, it was publicly available online for six months.
  • D-Link allegedly failed to take reasonable steps to prevent command injection, a known vulnerability that lets attackers take control of people’s routers and send them unauthorized commands.

The FTC filed suit in federal court in California. The case comes on the heels of several recent incidents involving the Internet of Things, including numerous distributed denial-of-service (DDoS) attacks and privacy issues raised by connected toys. Even at this early stage, companies involved in the Internet of Things will want to follow what’s happening. (One suggestion: Read Careful Connections: Building Security in the Internet of Things.)


Comments

I had been hacked while using a D-Link plug-in internet connection prior to having them built in. They hacked my MSN account and told people I was stuck in Europe with a stolen passport and nothing but the clothes on my back. They then went on to change my return address and I could not let people know this was a fake. I dropped my MSN account and changed it to a completely different server. I don't know how to be a part of this claim, but I had to really fix a huge mess because of them. I do not trust D-Link and refuse to use any of their products ever again.

Better to upgrade your security codes and software so the information is hard to hack, and so on. Try old English letters or Latin words for the software.

What shall we do now with our D-Link routers?
Shall we throw them out and buy a new secure one?
Please, advise.

Buy a router that runs open firmware. DD-WRT is probably the largest and most active project, and it runs on a very wide variety of off-the-shelf routers, particularly those from ASUS and Buffalo, as well as quite a few from D-Link. The problem isn't the router, per se, but rather the firmware running on it. Change the firmware and you can eliminate the cause for concern. I've been using routers with after-market firmware for over a decade, and I used an old 486 running Linux prior to that.
