D-Link sued by US authorities over "easily preventable" security flaws
Selling internet-connected gear that's easily compromised? The FTC is coming for you (even if UK agencies aren't)
Taiwanese networking equipment maker D-Link is being sued by the US Federal Trade Commission (FTC), which claims that the company made routers and other internet-connected devices with inadequate security - while claiming that the devices were secure.
The FTC charged D-Link with failing to take reasonable steps to secure its routers and Internet Protocol (IP) cameras, potentially compromising sensitive consumer information, including live video and audio feeds from D-Link IP cameras.
The FTC claims that the company "failed to take steps to address well-known and easily preventable security flaws".
These included:
- Hard-coded login credentials integrated into D-Link camera software, including a username and password combination of "guest", that meant that anyone could access internet-connected cameras' live feeds;
- Command-injection flaws that could enable remote attackers to take control of consumers' routers;
- The mishandling of a private-key code used to sign into D-Link software, which was openly available on a public website for six months; and,
- Leaving users' login credentials for D-Link's mobile app unsecured in clear, readable text on their mobile devices.
The FTC claims that hackers could easily exploit these glaring vulnerabilities using any number of "simple methods". The FTC cites the example of an attacker being able to obtain consumers' tax returns or other files stored on a D-Link router's network-attached storage (NAS) device.
"They could [also] redirect a consumer to a fraudulent website, or use the router to attack other devices on the local network, such as computers, smartphones, IP cameras, or connected appliances," claimed the FTC in a statement.
Jessica Rich, director of the FTC's Bureau of Consumer Protection, indicated that the case against D-Link might not be the last the organisation brings against makers of insecure internet-connected devices.
"Hackers are increasingly targeting consumer routers and IP cameras - and the consequences for consumers can include device compromise and exposure of their sensitive personal information. When manufacturers tell consumers that their equipment is secure, it's critical that they take the necessary steps to make sure that's true," said Rich.
The opening of the case against D-Link follows cases the FTC has brought against Asus and Torrance, California-based TRENDnet. It comes after the widespread compromise of internet-connected devices was used in a number of cases in 2016 to conduct distributed denial of service (DDoS) attacks, and even to take down insecure consumer-grade routers.