FTC Sues D-Link For Allegedly Failing To Adequately Secure Wireless Routers And Webcams

The Federal Trade Commission (FTC) has filed a lawsuit against D-Link alleging that the company's failure to properly secure its line of wireless routers and webcams left thousands of customers "vulnerable to a range" of cyber attacks, including those that turned customers' PCs into major parts of numerous botnets. It is a similar suit to the one that ASUS settled with the FTC nearly a year ago.

"Defendants have failed to take reasonable steps to protect their routers and IP cameras from widely known and reasonably foreseeable risks of unauthorized access, including by failing to protect against flaws which the Open Web Application Security Project has ranked among the most critical and widespread web application vulnerabilities since at least 2007," the lawsuit states.

The FTC goes on to allege that D-Link repeatedly failed to adequately test its software to ensure that its routers and webcams were protected from "well-known and easily preventable security flaws," including hard-coded user credentials and other backdoors.

"The risk that attackers would exploit these vulnerabilities to harm consumers was significant. In many instances, remote attackers could take simple steps, using widely available tools, to locate and exploit Defendants’ devices, which were widely known to be vulnerable," the FTC stated in the lawsuit. "For example, remote attackers could search for vulnerable devices over the Internet and obtain their IP addresses using readily available tools, such as a popular search engine that can locate devices running particular software versions or operating in particular locations."

Today's botnets are bigger and more capable than ever, in large part because of a growing number of Internet of Things (IoT) devices and the poor security accompanying them. A lot of them contain login credentials that are not all that difficult to guess. For example, some of D-Link's camera software used the word "guest" for both the username and password.

Update

D-Link reached out to HotHardware with a statement calling phooey on the FTC's claims.

"D-Link denies the allegations outlined in the complaint and is taking steps to defend the action. Please note, the FTC complaint does not allege any breach of any product sold by D-Link Systems in the U.S.," D-Link said in its statement.

The company also issued a press release that goes into more detail about its stance on the situation.

"The FTC complaint alleges certain security hacking concerns for consumer routers and IP cameras, and we firmly believe that charges alleged in the complaint against D-Link Systems are unwarranted," said William Brown, chief information security officer, D-Link Systems, Inc. "We will vigorously defend the security and integrity of our routers and IP cameras and are fully prepared to contest the complaint. Furthermore, we are continually working to address the overall security features of D-Link Systems' products for their intended applications and to regularly inform consumers of the appropriate steps to take to secure devices."

D-Link also pointed out that the FTC complaint does not make the claim that any of its products were actually breached, only that there was a risk of being hacked. Accordingly, D-Link says its customers did not suffer (nor are likely to suffer) "actual substantial injuries."

An accompanying FAQ can be found here.