D-Link Agrees To 10 Years Of Security Oversight Via FTC Settlement

D-Link is finally coming to terms with a Federal Trade Commission (FTC) lawsuit that was brought against it for serious lapses in security in its networking products. The FTC alleged in its lawsuit that D-Link had left its customers vulnerable to hacks by improperly securing its hardware, not following best practices with regard to login security, and committing the rather unforgivable sin of storing passwords in plaintext.

The lawsuit was originally filed in 2017, but D-Link and the FTC agreed to a settlement this week. “We sued D-Link over the security of its routers and IP cameras, and these security flaws risked exposing users’ most sensitive personal information to prying eyes,” said Andrew Smith, who serves as the Director of the FTC’s Bureau of Consumer Protection. “Manufacturers and sellers of connected devices should be aware that the FTC will hold them to account for failures that expose user data to risk of compromise.”

One of the most egregious D-Link security lapses alleged by the FTC -- lapses that were attributed to both its routers and security cameras -- was the use of easily guessable login credentials that were hard-coded into the devices, making it easier for hackers to ensnare these devices into massive botnets. D-Link then had the audacity to advertise that its products were hardened against unauthorized access.

As part of the settlement, D-Link has agreed to 10 years of oversight, including "biennial, independent, third-party assessments" of its security software. The third party chosen to monitor D-Link must first be approved by the FTC. The company is also being forced to implement a new security program that includes threat modeling, more rigorous testing for vulnerabilities and automatic firmware updates (among other mitigation solutions).

For its part, D-Link alleges that there was "no finding of liability" for the alleged violations cited by the FTC, and that the company will not need to submit to a financial penalty for its actions. "This settlement allows D-Link Systems to vigorously continue with its current comprehensive software security program and sets a new standard for secure software development practices for IoT devices," the company asserted in a statement issued on Tuesday. "Today's announcement further formalizes D-Link Systems' commitment to product quality, which remains a top priority."

Back in 2016, ASUS settled a similar lawsuit with the FTC over its past security transgressions.

Tags:  security, FTC, botnet, d-link
Brandon Hill

Brandon received his first PC, an IBM Aptiva 310, in 1994 and hasn’t looked back since. He cut his teeth on computer building/repair working at a mom and pop computer shop as a plucky teen in the mid 90s and went on to join AnandTech as the Senior News Editor in 1999. Brandon would later help to form DailyTech where he served as Editor-in-Chief from 2008 until 2014. Brandon is a tech geek at heart, and family members always know where to turn when they need free tech support. When he isn’t writing about the tech hardware or studying up on the latest in mobile gadgets, you’ll find him browsing forums that cater to his long-running passion: automobiles.
