FTC Suit Against D-Link Warns All IoT Device Makers To Boost Security
ANALYSIS: Despite its claims of advanced security, the FTC says D-Link hard-coded login credentials into its products and left encryption keys unprotected and publicly exposed
The security flaws in the company’s IP cameras also went beyond allowing hackers to implant botnet software. The FTC complaint notes that the flaws could also let hackers use the cameras to spy on their owners, record their personal activities and conversations, and monitor their whereabouts to target them for theft or other crimes.
The FTC announcement also noted that similar complaints had been filed against ASUS and TRENDnet, and that both of those complaints have been settled.
While D-Link is one of the first companies doing business in the U.S. to become the subject of FTC enforcement action, it’s hardly alone in its practice of selling insecure products to U.S. consumers.
What’s worse is that the complaint doesn’t involve only cheap devices sold by overseas companies. These are mainstream vendors intentionally selling products with inadequate security to customers in the U.S.
Exactly why these companies chose to maintain such weak security practices is unclear. The software needed to fix the problem is freely available, and letting the owner set the credentials is no more complicated than shipping hard-coded ones.
These companies could argue that cutting corners kept prices down for customers, but that’s not a compelling argument: the added cost of securing these products is minimal.
More likely, company leadership simply didn’t care. The cost of the FTC complaint, and of any settlement that follows, will certainly wipe out whatever was saved, and the embarrassment alone of being the target of an FTC complaint will likely make these companies take action.
Unfortunately for the internet at large, there’s nothing the FTC can do about the millions of insecure devices already in use, especially those outside the U.S. But the FTC action might bring about other things, such as prompting manufacturers to distribute software updates to those devices that retire the hard-coded credentials and let each owner set their own.
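The two claims above, that owner-set credentials cost no more to implement than hard-coded ones and that a software update can retire a hard-coded login on devices already in the field, are easier to judge with the two patterns side by side. The following is an added example written for this page; it is not D-Link firmware or any vendor's code, and the usernames, passwords, iteration count and minimum password length are assumed values.

```python
"""Added example: a hard-coded device login beside an owner-settable one.

Constructed illustration, not D-Link firmware or any vendor's code. The
usernames, passwords and parameters below are assumed values for the demo.
"""
import hashlib
import hmac
import os
import secrets

# ---------------------------------------------------------------------------
# Weak pattern (what the FTC complaint describes): one credential compiled
# into every unit. Extract it from one device, or read it in a forum post,
# and every device of that model accepts it. The owner cannot change it.
# ---------------------------------------------------------------------------
HARDCODED_USER = "admin"        # assumed example values
HARDCODED_PASSWORD = "admin"


def weak_login(user: str, password: str) -> bool:
    """Same secret on every device, compared in plain text."""
    return user == HARDCODED_USER and password == HARDCODED_PASSWORD


# ---------------------------------------------------------------------------
# Corrected pattern: per-device credentials that the owner sets, stored only
# as salted PBKDF2 hashes, with a forced change of any factory or legacy
# password on first use.
# ---------------------------------------------------------------------------
PBKDF2_ITERATIONS = 100_000     # assumed cost parameter
MIN_PASSWORD_LEN = 10           # assumed policy


class CredentialStore:
    def __init__(self) -> None:
        # username -> (salt, pbkdf2 digest, must_change flag)
        self._users: dict[str, tuple[bytes, bytes, bool]] = {}

    def _hash(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                   PBKDF2_ITERATIONS)

    def _store(self, user: str, password: str, must_change: bool) -> None:
        salt = os.urandom(16)               # fresh salt for every password
        self._users[user] = (salt, self._hash(password, salt), must_change)

    def provision(self, user: str) -> str:
        """Factory step for a new unit: a random initial password unique to
        this device, flagged so the owner must replace it on first login.
        The value goes on the device label, never into the firmware image."""
        initial = secrets.token_urlsafe(12)
        self._store(user, initial, must_change=True)
        return initial

    def import_legacy(self, user: str, legacy_password: str) -> None:
        """Firmware-update path for units already in the field: the old
        hard-coded password works for one login, which must set a new one.
        No label is needed, so deployed devices can be migrated remotely."""
        self._store(user, legacy_password, must_change=True)

    def set_password(self, user: str, new_password: str) -> None:
        if len(new_password) < MIN_PASSWORD_LEN:
            raise ValueError("password too short")
        if new_password == HARDCODED_PASSWORD:
            raise ValueError("refusing the well-known factory password")
        self._store(user, new_password, must_change=False)

    def login(self, user: str, password: str) -> str:
        """Return 'ok', 'change_required', or 'denied'."""
        record = self._users.get(user)
        if record is None:
            # Do the same amount of work for unknown users so response time
            # does not reveal which usernames exist.
            self._hash(password, b"\x00" * 16)
            return "denied"
        salt, digest, must_change = record
        if not hmac.compare_digest(self._hash(password, salt), digest):
            return "denied"
        return "change_required" if must_change else "ok"


def demo() -> dict[str, object]:
    """Two factory units and one field-upgraded unit beside the hard-coded
    check. Returns the observations so they can be checked by a caller."""
    unit_a, unit_b = CredentialStore(), CredentialStore()
    label_a = unit_a.provision("admin")
    unit_b.provision("admin")               # gets its own, different label

    field_unit = CredentialStore()           # shipped with the hard-coded login
    field_unit.import_legacy("admin", HARDCODED_PASSWORD)
    first = field_unit.login("admin", HARDCODED_PASSWORD)
    field_unit.set_password("admin", "owner-chosen-passphrase")

    return {
        "hardcoded_works_everywhere": weak_login("admin", "admin"),
        "label_a_on_unit_a": unit_a.login("admin", label_a),
        "label_a_on_unit_b": unit_b.login("admin", label_a),
        "field_unit_first_login": first,
        "field_unit_after_change": field_unit.login("admin", "owner-chosen-passphrase"),
        "field_unit_old_password": field_unit.login("admin", HARDCODED_PASSWORD),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the comparison is that the corrected version adds nothing exotic: a salt, a standard password hash from the standard library, a constant-time compare, and a flag that forces the first login to choose a new password. The `import_legacy` path is what a post-complaint firmware update would do for units already installed, since those cannot be relabelled.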
It might also convince these companies to perform recalls of insecure devices, especially if they plan to keep selling their products in the U.S.
If the FTC can continue holding these companies accountable for their poor security practices, it might even be able to give IoT device manufacturers the incentive to design effective security measures into their products from the start.
The fact is that taking appropriate steps during the design and manufacturing process is neither complex nor expensive. What’s required is for these companies to take the responsibility for the security of the products they put their company names on.
The FTC appears to have found a strong way to encourage cooperation. One hopes that the offending companies get the message. In the meantime, D-Link is off my list of acceptable vendors.
Originally published on eWeek