The Federal Trade Commission yesterday (Jan. 5) sued D-Link, alleging that the Taiwanese company and its U.S. subsidiary allowed serious security flaws to exist in its home Wi-Fi routers and internet-connected security cameras, then misled consumers about the safety of the company's products.
The FTC lawsuit says D-Link put a hidden password in some of its cameras, granting remote access to anyone with the password; failed to protect the secret encryption key for software updates, with the result that the key was posted online; failed to protect routers against easily preventable attacks; and left user passwords in its MyDLink mobile app open to theft.
Many of those flaws were publicly documented by researchers and reported on in the technical press, but the FTC alleges that D-Link and its U.S. subsidiary falsely continued to tout their products' security.
In a statement emailed to Tom's Guide, D-Link's U.S. subsidiary said it would "vigorously defend itself against the unwarranted and baseless charges made by the Federal Trade Commission," adding that the subsidiary "firmly believes that its processes and procedures related to security were more than reasonable." The company further said that the FTC had not proven that any customers had actually been harmed.
Two months ago, the Department of Homeland Security warned against using eight models of D-Link Wi-Fi routers due to unfixed security flaws. Tom's Guide has recommended D-Link security cameras in the past, but may take these allegations into consideration for the future. It must be noted that most of the flaws cited in the lawsuit can be fixed if the user installs software updates available on the D-Link website.
"When manufacturers tell consumers that their equipment is secure, it's critical that they take the necessary steps to make sure that's true," said Jessica Rich, head of the FTC Bureau of Consumer Protection, in a statement. "Hackers are increasingly targeting consumer routers and IP cameras — and the consequences for consumers can include device compromise and exposure of their sensitive personal information."
The lawsuit, filed in the U.S. District Court for the Northern District of California, cites several recent flaws in D-Link products revealed by security researchers. One let attackers gain password-less access to about 120 different D-Link cameras, routers and other devices by flooding the software with too much data. A similar flaw was behind the DHS warning about the eight D-Link routers in November.
A third flaw was that some models of D-Link security cameras had hard-coded default credentials — username "guest" and password "guest" — that could let anyone tap into a camera's video feed. The leaked update-encryption key, which could let hackers create malicious software updates, affected a single model of camera, but the flaw in the myDLink mobile app, used to control dozens of different devices, left user passwords unprotected despite the existence of free encryption methods.
"By creating these vulnerabilities, [D-Link] put consumers at significant risk of harm in a variety of ways," the lawsuit states. "An attacker could compromise a consumer's router, thereby obtaining unauthorized access to consumers' sensitive personal information. ... [A]n attacker could compromise a consumer's IP camera, thereby monitoring consumers' whereabouts to target them for theft or other criminal activity or to observe and record over the internet their personal activities and conversations or those of their young children."
Parts of the lawsuit were blacked in out the publicly available version, apparently due to a motion by one of the parties to have those passages sealed by the court.
To D-Link's credit, fixes for almost all the flaws documented in the FTC lawsuit were made available on the D-Link website shortly after public disclosure. That's a better response than many makers of "Internet of Things" devices will provide.
But to install the fixes, users must often find their device's model number (which is often different from the name spelled out in boldface on the box), search for the appropriate support page, download an update package to a PC or Mac, then log into their device's administration interface from the same PC or Mac to upload the package to the device. (Some newer routers and security cameras from various brands will update themselves automatically.)
The FTC has taken similar action against other networking-gear makers in the past, suing TRENDNet in 2013 and ASUS in 2015. Both cases were settled out of court.