FTC filed a lawsuit against D-Link over failure to secure its IoT devices

Pierluigi Paganini January 07, 2017

FTC charges the Taiwanese IT giant D-Link putting consumers’ privacy at risk due to the failure of Implementing secure adequate measures for IoT devices.

The U.S. Federal Trade Commission (FTC) has filed a lawsuit against the Taiwanese firm D-Link, over failure to secure its IoT products, including IP cameras and routers.

The company has produced promotional materials ensuring “Advanced Network Security” for its products, but the reality is different because according to the authorities it has failed to fix flaws exposing consumers to risk.
A lawsuit the FTC filed against D-Link, a global manufacturer of computer networking equipment and other connected devices, alleges that the company made deceptive claims about the security of its products and engaged in unfair practices that put consumers’ privacy at risk.” reads the announcement from FTC.
The lawsuit includes examples of the D-Link’ choices that put consumers’ privacy at risk:
  • D-Link allegedly hard-coded login credentials into D-Link camera software that could allow unauthorized access to cameras’ live feed.
  • D-Link allegedly left users’ login credentials for its mobile app unsecured in clear, readable text on consumers’ devices.
  • D-Link allegedly mishandled its own private key code used to sign into D-Link software and as a result, it was publicly available online for six months.
  • D-Link allegedly failed to take reasonable steps to prevent command injection, a known vulnerability that lets attackers take control of people’s routers and send them unauthorized commands.
Usually, hackers that find the flaws report them to the company giving it the necessary time to solve the problems before publicly disclose the vulnerability. Over the past year, some hackers decided to disclose unpatched flaws due to the company’s failure to release necessary security updates that will fix the vulnerabilities.
The Tech giant has been accused of failing to take reasonable steps to secure the software for its IoT devices and for conducting practices that are “likely to cause, substantial injury to consumers in the United States.”
This isn’t the first time that IoT manufacturers tell customers that their products are totally secure while they lack to adopt the necessary security measures.
Earlier 2016, the FTC filed a lawsuit against Asus claiming that the company has put hundreds of thousands of consumers at risk through a series of critical flaws discovered in its products.

“Hackers are increasingly targeting consumer routers and IP cameras — and the consequences for consumers can include device compromise and exposure of their sensitive personal information,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection. “When manufacturers tell consumers that their equipment is secure, it’s critical that they take the necessary steps to make sure that’s true.”

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – D-Link, security)

you might also like

leave a comment