The lawsuit was originally filed in 2017, but D-Link and the FTC agreed to a settlement this week. “We sued D-Link over the security of its routers and IP cameras, and these security flaws risked exposing users’ most sensitive personal information to prying eyes,” said Andrew Smith, who serves as the Director of the FTC’s Bureau of Consumer Protection. “Manufacturers and sellers of connected devices should be aware that the FTC will hold them to account for failures that expose user data to risk of compromise.”
One of the most egregious cases of D-Link security lapses alleged by the FTC -- which were attributed to both its routers and security cameras -- included easily guessable login credentials that were hard-coded into the device, making it easier for hackers to ensnare these devices into massive botnets. D-Link then had the audacity to advertise that its products were hardened against unauthorized access.
As part of the settlement, D-Link has agreed to 10 years of oversight, including "biennial, independent, third-party assessments" of its security software. The third-party chosen to monitor D-Link must first be approved by the FTC. The company is also being forced to implement a new security program that includes threat modeling, more rigorous testing for vulnerabilities and automatic firmware updates (among other mitigation solutions).
For its part, D-Link alleges that there was "no finding of liability" for the alleged violations cited by the FTC, and that the company will not need to submit to a financial penalty for its actions. "This settlement allows D-Link Systems to vigorously continue with its current comprehensive software security program and sets a new standard for secure software development practices for IoT devices," the company asserted in a statement issued on Tuesday. "Today's announcement further formalizes D-Link Systems' commitment to product quality, which remains a top priority."
Back in 2016, ASUS settled a similar lawsuit with the FTC over its past security transgressions.