Anytime you buy a router or another internet-connected device (which will only become more common over the next several years), you expect it to meet a certain standard for security. This would be particularly true, you might assume, of a well-known company like D-Link. As a matter of fact, D-Link advertises many of its products as offering the highest level of security.
Unfortunately for D-Link, though, the US Federal Trade Commission is suing the company over these claims, alleging that they are not true. The FTC launched legal action yesterday in a California court, accusing D-Link of putting consumers at risk because of its lax approach to hardware security.
The official complaint states: “Defendants have failed to take reasonable steps to protect their routers and IP cameras from widely known and reasonably foreseeable risks of unauthorized access, including by failing to protect against flaws which the Open Web Application Security Project has ranked among the most critical and widespread web application vulnerabilities since at least 2007.”
More specifically, the complaint alleges that D-Link leaked its own private code-signing key back in 2015. In fact, the key was supposedly plainly visible in D-Link’s open-source firmware for several months. This, the FTC says, could have been capitalized on by less-than-honorable firms to make malware that would appear just like officially licensed D-Link software. The report also states that D-Link exposed hard-coded login credentials for D-Link cameras, which could allow anyone to get access to their feeds. There is also mention of the company failing to use readily available tools that would have protected sign-in credentials in its mobile apps, opting instead to store this data in plain text on users’ smartphones. Finally, the FTC believes that the pitches D-Link makes regarding its device security are clearly not representative of the company’s actual behavior.
Now, while this legal action seems to have come out of nowhere, it is not really all that surprising. The FTC has long warned the makers of various internet-connected devices about the utmost importance of even the most basic security.
D-Link has, of course, called the FTC complaint “unwarranted and baseless,” in a recent press release. D-Link Systems chief information security officer William Brown notes, “The FTC complaint alleges certain security hacking concerns for consumer routers and IP cameras, and we firmly believe that charges alleged in the complaint against D-Link Systems are unwarranted. We will vigorously defend the security and integrity of our routers and IP cameras and are fully prepared to contest the complaint. Furthermore, we are continually working to address the overall security features of D-Link Systems’ products for their intended applications and to regularly inform consumers of the appropriate steps to take to secure devices.”