When you buy a router or other internet-connected device from a company as well known as D-Link, you expect a high standard of security. Many of D-Link’s products are advertised with these kinds of claims, which is part of the reason the US Federal Trade Commission is suing the company in a California court. In legal action launched yesterday, the FTC has accused D-Link of putting consumers at risk with its lax approach to hardware security.
“Defendants have failed to take reasonable steps to protect their routers and IP cameras from widely known and reasonably foreseeable risks of unauthorized access, including by failing to protect against flaws which the Open Web Application Security Project has ranked among the most critical and widespread web application vulnerabilities since at least 2007,” the official complaint reads.
Getting into specifics, the FTC notes D-Link leaking its own private code-signing key in 2015. This was plainly visible in the company’s open-source firmware for months, and could’ve been used by baddies to make malware appear like official software issued by D-Link. Then there are the hard-coded login credentials for D-Link cameras that could allow anyone to view the feed. Also mentioned is the company failing to use readily available tools to protect sign-in credentials on its mobile apps, instead storing these in plain text on users’ smartphones. To add insult to injury, D-Link often makes device security a part of its product pitches, which the FTC believes is clear misrepresentation.
Though this legal action has come more or less out of the blue, it’s not in the least surprising. The FTC has warned the makers of internet-connected devices — and what isn’t internet-connected these days? — that security is of primary importance. And last year ASUS submitted to regular audits to settle a similar case, after the FTC took issue with the security (or lack thereof) of its routers.
These days, you can barely see out a month before a new report from security researchers focuses on or at least features D-Link and vulnerabilities in its hardware. Recently, D-Link routers were identified as some of the many agents used in the mammoth Mirai botnet attacks that plagued the internet late last year and highlighted the power that countless compromised internet of things devices can have when working together.
In a press release regarding the FTC complaint, D-Link calls the charges “unwarranted and baseless,” with the company’s chief information security officer William Brown adding: “We will vigorously defend the security and integrity of our routers and IP cameras and are fully prepared to contest the complaint.”
Update: D-Link has issued the following statement to Engadget regarding the FTC’s legal action against it. “D-Link denies the allegations outlined in the complaint and is taking steps to defend the action. Please note, the FTC complaint does not allege any breach of any product sold by D-Link Systems in the US,” per William Brown, D-Link’s chief information security officer.