D-Link agrees to overhaul security in FTC settlement

News by Robert Abel

D-Link settled a lawsuit based on a 2017 complaint that its routers and IoT cameras exposed sensitive consumer information to third parties while the company claimed they were secure

D-Link agreed to make several security enhancements that overhaul the firm’s security platform to settle a US Federal Trade Commission (FTC) litigation case concerning allegations that the company misrepresented the security of its products. 

The case stems from a 2017 complaint against D-Link for the company’s routers and IoT cameras leaving sensitive consumer information, including live video and audio feeds, exposed to third parties despite D-Link claiming they were secure, according to a press release on 2 July. 

The FTC complaint also said the company failed to perform basic secure software development, including testing and remediation to address well-known and preventable security flaws while claiming it offered "advanced network security". 

Some of these flaws included the use of hard-coded login credentials with the easily guessed username and password, "guest", and the storing mobile app login credentials in clear, readable text on a user’s mobile device.

"We sued D-Link over the security of its routers and IP cameras, and these security flaws risked exposing users’ most sensitive personal information to prying eyes," Andrew Smith, director of the FTC’s Bureau of Consumer Protection said in the release. "Manufacturers and sellers of connected devices should be aware that the FTC will hold them to account for failures that expose user data to risk of compromise."

D-Link agreed to implement a comprehensive software security program, including specific steps to ensure that its devices are secure as well as undergo independent third-party assessments for a predetermined amount of time.  

D-Link products have been called out for a host of other vulnerabilities, including man-in-the-middle vulnerabilities in D-Link cameras, D-Link router vulnerability detailed, and several campaigns that exploited these and other flaws.

This is not the first time D-Link has been in hot water with the FTC although the company fared better last time when A district court judge in a California District Court dismissed three FTC complaints against D-Link.

Comment from Bob Noel, vice president of strategic partnerships for Plixer said there also needs to be an accompanying set of security standards defined so that companies have a benchmark to know what is considered good enough.

"This is going to set the stage for IoT manufacturers to prioritise efforts for embedding security into the product development process – especially for the consumer market," Noel said. "Since there has been a lack of self-regulation by the industry, it is not surprising that the FTC has stepped in to establish a precedent in the area of securing consumers’ privacy."

This competition is now open and will close at midday BST on 12 August 2019.

This article was originally published on SC Media US.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews