FTC Suit Against D-Link Warns All IoT Device Makers To Boost Security

My panel on cyber-security at CES was just starting when I introduced Federal Trade Commission attorney Ben Rossen, who is part of the Division on Privacy and Identity Protection.

Rossen opened his discussion with an announcement that the FTC had just filed a lawsuit in the U.S. Federal Court for the Northern District of California alleging that network equipment maker D-Link had been misleading in describing its advanced security technology and in had endangered the public with lax product security practices.

Rossen said that the complaint was just one of what will be many complaints about poor internet of things device security.

Poor IoT security

D-Link IP cameras were a major contributor to the immense IoT denial of service attacks that occurred last year causing widespread disruption on the internet, including taking down Domain Name System services provider DYN.

Hackers had augmented the volume of their attacks by loading botnet software on vast numbers of IoT devices including security cameras, smart home devices and DVRs.

If nothing else, Rossen made it clear why he was part of my panel on “Regulation and Enforcement in Cybersecurity.” He said that the FTC was taking privacy and security risks affecting Americans very seriously. In this case, D-Link was allegedly engaging in unfair and deceptive practices by claiming to have provided security capabilities that clearly didn’t exist.

A typical example from the FTC complaint was the fact that D-Link had hard-coded “Guest” as the user name and password into its IP cameras. This made it easy for hackers to install botnet software on these devices so that thousands of them could be marshaled as part of a botnet. But the security holes in the D-Link equipment went beyond that.

In the FTC announcement on the enforcement action, the agency noted that a software flaw in D-Link equipment allowed command injection, in which hackers can send remote commands over the internet to the devices without authorization from the owner. In addition, the FTC complaint says that D-Link mishandled its private key code used to sign the company’s software products, by allowing it to be visible on the company’s public website for six months.

Finally, when users could actually create their own logins and passwords, the D-Link software allowed those names and passwords to be stored in the clear on the equipment.

The FTC complaint said that the flaws included insecure routers that could allow access to attached storage devices that could be directed to attack other devices on the network. The insecure routers could also be remotely programmed to direct users to fraudulent websites.

Originally published on eWeek

Read more on page 2…

Page: 1 2

Wayne Rash

Wayne Rash is senior correspondent for eWEEK and a writer with 30 years of experience. His career includes IT work for the US Air Force.

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

3 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

3 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

3 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

4 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

4 days ago