Router and webcam maker D-Link has agreed to implement a new security program to settle charges it failed to safeguard its hardware against well-known and preventable hacks and misrepresented its existing security regimen.
Tuesday’s agreement settles a 2017 complaint by the US Federal Trade Commission that alleged D-Link left thousands of customers open to potentially costly hack attacks. The hardware maker, the FTC said, failed to test its gear against security flaws ranked among the most critical and widespread by the Open Web Application Security Project. The 2017 suit also said that, despite the lack of testing and hardening of its products, D-Link misrepresented its security regimen as reasonable.
Specific shortcomings cited by the FTC included:
- hard-coded login credentials on its D-Link camera software that used easily guessed passwords
- storing mobile app login credentials in human-readable text on a user’s mobile device
- expressly or implicitly describing its hardware as being secure from unauthorized access
- repeatedly failing to take reasonable testing and remediation measures to protect hardware from well-known and easily preventable software security flaws
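The first two shortcomings in that list, hard-coded credentials in device software and credentials stored in clear text on the phone, are the kind of defect a pre-release review can catch mechanically. The script below is an added illustration, not code from the FTC complaint or from D-Link: it scans a tree of firmware and mobile-app files for secret-looking keys assigned a literal value, flags known default values such as `admin` as weak, and treats any credential found under on-device storage paths (`shared_prefs/`, `.plist`, and the like) as stored in the clear. The file contents, paths, key names and weak-value list are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    key: str
    value: str


# Key names that usually hold a secret, in config files, source code and
# mobile preference files (constructed list for this example).
SECRET_KEY = r"(?:pass(?:word|wd)?|pwd|secret|api[_-]?key|token)"

# key = value, key: value, or key == "value" (a literal comparison in source)
ASSIGN_RE = re.compile(
    rf"""(?i)\b(?P<key>{SECRET_KEY})\b\s*(?:==|=|:)\s*["']?(?P<value>[^"'\s;,<=]+)"""
)
# Android-style preference entry: <string name="password">value</string>
XML_RE = re.compile(
    rf"""(?i)<string\s+name="(?P<key>{SECRET_KEY})"\s*>(?P<value>[^<]+)</string>"""
)

# Easily guessed defaults (constructed, deliberately short list).
WEAK_VALUES = {"admin", "password", "123456", "root", "1234", "guest"}

# Path fragments that mark on-device app storage (constructed for this example).
DEVICE_STORE_MARKERS = ("shared_prefs/", "Preferences/", ".plist", "Library/")


def scan_file(path: str, text: str) -> List[Finding]:
    """Return one Finding per line that assigns a literal to a secret-looking key."""
    findings: List[Finding] = []
    on_device_store = any(marker in path for marker in DEVICE_STORE_MARKERS)
    for line_no, line in enumerate(text.splitlines(), start=1):
        for regex in (XML_RE, ASSIGN_RE):
            match = regex.search(line)
            if not match:
                continue
            key, value = match.group("key"), match.group("value")
            if on_device_store:
                # Any credential literal in app-local storage is readable by
                # anyone with the device or a backup of it.
                rule = "plaintext-credential-on-device"
            elif value.lower() in WEAK_VALUES:
                rule = "weak-hardcoded-credential"
            else:
                rule = "hardcoded-credential"
            findings.append(Finding(path, line_no, rule, key, value))
            break  # one finding per line is enough
    return findings


def scan_tree(files: Dict[str, str]) -> List[Finding]:
    """Scan a {path: contents} mapping, e.g. an extracted firmware image."""
    findings: List[Finding] = []
    for path in sorted(files):
        findings.extend(scan_file(path, files[path]))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per rule, for a release gate or report."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample tree: a camera config with a default login, a daemon that
# compares against a literal, a mobile preference file holding the account
# password in clear text, and a benign mobile source file.
SAMPLE_FILES: Dict[str, str] = {
    "camera/etc/webui.conf": "listen=0.0.0.0:80\nuser=admin\npassword=admin\n",
    "camera/src/auth.py": 'def check(password):\n    return password == "admin123"\n',
    "mobile/shared_prefs/account.xml": (
        "<map>\n"
        '<string name="username">alice</string>\n'
        '<string name="password">hunter2</string>\n'
        "</map>\n"
    ),
    "mobile/src/Login.kt": "val creds = AccountManager.get(ctx)\n",
}


if __name__ == "__main__":
    for f in scan_tree(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.rule} ({f.key}={f.value!r})")
    print(summarize(scan_tree(SAMPLE_FILES)))
```

Run against the constructed tree it reports three findings, one per rule, and nothing for the file that reads credentials through a platform API rather than a literal. A real pipeline would feed it the unpacked firmware root filesystem and the mobile build's resource and source directories, and fail the build on any non-empty summary.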
“We sued D-Link over the security of its routers and IP cameras, and these security flaws risked exposing users’ most sensitive personal information to prying eyes,” Andrew Smith, director of the FTC’s Bureau of Consumer Protection, said in a release. “Manufacturers and sellers of connected devices should be aware that the FTC will hold them to account for failures that expose user data to risk of compromise.”
Tuesday’s settlement requires D-Link to implement a security program that better ensures the company’s cameras and routers are secure. The program requires “implementing security planning, threat modeling, testing for vulnerabilities before releasing products, ongoing monitoring to address security flaws, and automatic firmware updates, as well as accepting vulnerability reports from security researchers.”
Over the next decade, D-Link will also be required every two years to obtain independent third-party assessments of its software security program. Documents related to the assessment must be provided to FTC employees upon request. The settlement also requires the assessor to identify specific evidence for its findings rather than solely relying on assertions by D-Link management. The FTC has the authority to approve the third-party assessor chosen by D-Link.
In the 30 months that have passed since the FTC sued D-Link, hackers have continued to capitalize on past missteps the hardware maker has made. In June 2018, malicious hackers behind the Satori Internet-of-things botnet started mass-exploiting a critical code-execution vulnerability in D-Link hardware that was used by subscribers of Verizon and other ISPs. A month later came word criminals had stolen a D-Link code-signing certificate and were using it to pass off malware that steals passwords and backdoors PCs. A month after that, hackers exploited a vulnerability in D-Link routers that sent users to a fake banking website that attempted to steal their login credentials.
Tuesday’s settlement comes a little more than three years after the FTC settled charges with ASUS over the security of its routers.