FTC Sues D-Link over Lack of IoT Security

The Federal Trade Commission regulates unfair and deceptive trade practices, and D-Link Corporation and D-Link Systems ran afoul of both through their routers, IP cameras, baby monitors and other products designed to integrate into consumers’ home networks.

D-Link’s promotional materials assured buyers that their routers “support[] the latest wireless security features to help prevent unauthorized access, be it from a wireless network or from the Internet.” Other ads touted a D-Link product as “not only one of the finest routers available, it’s also one of the safest.” Even the package for D-Link’s Digital Baby Monitor featured a lock icon with the phrase “Secure Connection” next to a picture of an adorable baby. The company repeated many of those security promises in the interactive interfaces consumers used to set up their D-Link products.

In its complaint, the FTC alleges that many of these claims are false or deceptive. Even worse, D-Link also unfairly failed to take reasonable steps to address well-known and easily preventable security flaws. For example:

  • D-Link allegedly hard-coded login credentials into D-Link camera software that could allow unauthorized access to cameras’ live feed.
  • D-Link allegedly left users’ login credentials for its mobile app unsecured in clear, readable text on consumers’ devices.
  • D-Link allegedly mishandled its own private key code used to sign into D-Link software, and as a result it was publicly available online for six months.
  • D-Link allegedly failed to take reasonable steps to prevent command injection, a known vulnerability that lets attackers take control of people’s routers and send them unauthorized commands.

According to the complaint, hackers could exploit these vulnerabilities using any of several simple methods. For example, using a compromised router, an attacker could obtain consumers’ tax returns or other files stored on the router’s attached storage device. They could redirect a consumer to a fraudulent website, or use the router to attack other devices on the local network, such as computers, smartphones, IP cameras, or connected appliances.

The FTC alleges that by using a compromised camera, an attacker could monitor a consumer’s whereabouts in order to target them for theft or other crimes, or watch and record their personal activities and conversations.

While this is not the first data security case the FTC has brought, it is its first major Internet of Things (IoT) enforcement action. The FTC has provided guidance to IoT companies on how to preserve privacy and security in their products while still innovating and growing IoT technology.