The Federal Trade Commission has filed a complaint against network equipment vendor D-Link, saying inadequate security in the company’s wireless routers and Internet cameras left consumers open to hackers and privacy violations.
The FTC, in a complaint filed in the Northern District of California charged that “D-Link failed to take reasonable steps to secure its routers and Internet Protocol (IP) cameras, potentially compromising sensitive consumer information, including live video and audio feeds from D-Link IP cameras.”
For its part, D-Link Systems said it "is aware of the complaint filed by the FTC. D-Link denies the allegations outlined in the complaint and is taking steps to defend the action. The security of our products and protection of our customers' private data is always our top priority." [Update: A full response from D-Link can be found here]
According to the FTC’s complaint, D-Link promoted the security of its routers on the company’s website, which included materials headlined “Easy to secure” and “Advance network security.” But despite the claims made by D-Link, the FTC alleged, the company failed to take steps to address well-known and easily preventable security flaws, such as:
- “Hard-coded” login credentials integrated into D-Link camera software -- such as the username “guest” and the password “guest” -- that could allow unauthorized access to the cameras’ live feed;
- A software flaw known as “command injection” that could enable remote attackers to take control of consumers’ routers by sending them unauthorized commands over the Internet;
- The mishandling of the private key D-Link used to sign its software, such that it was openly available on a public website for six months; and
- Leaving users’ login credentials for D-Link’s mobile app unsecured in clear, readable text on their mobile devices, even though there is free software available to secure the information.
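The "command injection" item above is the classic router bug: a diagnostic page (ping, traceroute, DNS lookup) takes a hostname from the request and pastes it into a shell command line, so a `;` or `$(...)` in the parameter runs whatever the attacker chooses as the router's web server user. The following is an added illustration, not D-Link's code or anything quoted from the complaint: a hypothetical "ping diagnostic" handler in its vulnerable form beside a hardened one that allow-lists the parameter and executes the program with an argument vector instead of a shell string. The sample request values are constructed for the demo.

```python
"""
Command-injection demo for a router-style "ping diagnostic" endpoint.
Added illustration (hypothetical handler, not D-Link code): the vulnerable
version builds a shell string from an untrusted request parameter; the
hardened version validates the value and invokes the program with an
argument list, so no shell ever parses attacker-controlled text.
"""
import re
import subprocess

# Constructed sample request parameters, as a router web UI might receive them.
BENIGN_HOST = "192.168.0.1"
MALICIOUS_HOST = "127.0.0.1; echo INJECTED"


def vulnerable_ping(host: str) -> str:
    """Vulnerable: the request value is concatenated into a shell command.
    A ';', '|', '`' or '$(...)' inside `host` becomes a second command that
    runs with the privileges of the web server (often root on a router)."""
    cmd = "ping -c 1 -W 1 " + host
    proc = subprocess.run(cmd, shell=True, capture_output=True,
                          text=True, timeout=30)
    return proc.stdout


# Allow-list: a dotted IPv4 literal or a DNS hostname, nothing else.
_HOST_RE = re.compile(
    r"(?:\d{1,3}(?:\.\d{1,3}){3}"                          # dotted IPv4
    r"|[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"       # first label
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*)"  # more labels
)


def is_valid_host(host: str) -> bool:
    """Allow-list check. Shell metacharacters, whitespace, newlines and a
    leading '-' (which ping would read as an option) are all rejected
    because they cannot appear in an IPv4 literal or a hostname label."""
    return len(host) <= 253 and _HOST_RE.fullmatch(host) is not None


def safe_ping_argv(host: str) -> list:
    """Hardened: validate first, then build an argv list. Each element is
    passed to the program as one argument; no shell is involved."""
    if not is_valid_host(host):
        raise ValueError("invalid host parameter")
    return ["ping", "-c", "1", "-W", "1", host]


def handle_ping_request(host: str) -> tuple:
    """What a hardened request handler returns: (HTTP status, body)."""
    try:
        argv = safe_ping_argv(host)
    except ValueError as exc:
        return (400, str(exc))
    proc = subprocess.run(argv, shell=False, capture_output=True,
                          text=True, timeout=30)
    return (200, proc.stdout)


if __name__ == "__main__":
    # The vulnerable handler runs the injected 'echo' even if ping fails.
    print("vulnerable output:", vulnerable_ping(MALICIOUS_HOST))
    # The hardened handler never reaches subprocess for the malicious input.
    print("hardened handler:", handle_ping_request(MALICIOUS_HOST))
```

The hardened version works because the validator is an allow-list rather than a blocklist of metacharacters, and because `subprocess.run` with a list and `shell=False` hands the arguments straight to the program via execve; the same principle applies to the C `system()` call that embedded web servers typically use, where the fix is `execve`/`posix_spawn` with an argument array.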
The FTC said that hackers could exploit these vulnerabilities using any of several simple methods.
“For example, using a compromised router, an attacker could obtain consumers’ tax returns or other files stored on the router’s attached storage device. They could redirect a consumer to a fraudulent website, or use the router to attack other devices on the local network, such as computers, smartphones, IP cameras, or connected appliances,” the FTC stated.
The FTC alleges that by using a compromised camera, an attacker could monitor a consumer’s whereabouts to target them for theft or other crimes, or watch and record their personal activities and conversations.
According to an FTC blog post, D-Link also failed to take reasonable steps to address well-known and easily preventable security flaws. You’ll want to read the complaint for the specifics, but here are a few examples of the choices D-Link made that the FTC says unfairly put consumers’ privacy at risk:
- D-Link allegedly hard-coded login credentials into D-Link camera software that could allow unauthorized access to cameras’ live feed.
- D-Link allegedly left users’ login credentials for its mobile app unsecured in clear, readable text on consumers’ devices.
- D-Link allegedly mishandled the private key it used to sign its own software, so that the key was publicly available online for six months.
- D-Link allegedly failed to take reasonable steps to prevent command injection, a known vulnerability that lets attackers take control of people’s routers and send them unauthorized commands.
“Hackers are increasingly targeting consumer routers and IP cameras -- and the consequences for consumers can include device compromise and exposure of their sensitive personal information,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection in a statement. “When manufacturers tell consumers that their equipment is secure, it’s critical that they take the necessary steps to make sure that’s true.”
The FTC recently outlined several security steps IoT vendors should be taking. Its report notes that the sheer volume of data even a small number of devices can generate is stunning: one workshop participant indicated that fewer than 10,000 households using the company’s IoT home-automation product can “generate 150 million discrete data points a day,” or approximately one data point every six seconds for each household.
The FTC includes the following recommendations for companies developing Internet of Things devices:
- Build security into devices at the outset, rather than as an afterthought in the design process.
- Train employees about the importance of security, and ensure that security is managed at an appropriate level in the organization.
- Ensure that when outside service providers are hired, that those providers can maintain reasonable security, and provide reasonable oversight of the providers.
- When a security risk is identified, consider a “defense-in-depth” strategy whereby multiple layers of security may be used to defend against a particular risk. For example, companies should consider implementing reasonable access control measures to limit the ability of an unauthorized person to access a consumer’s device, data, or even the consumer’s network. In the IoT ecosystem, strong authentication could be used to permit or restrict IoT devices from interacting with other devices or systems.
- Consider measures to keep unauthorized users from accessing a consumer’s device, data, or personal information stored on the network.
- Monitor connected devices throughout their expected life cycle, and where feasible, provide security patches to cover known risks.
- Consider data minimization – that is, limiting the collection of consumer data, and retaining that information only for a set period, and not indefinitely. The report notes that data minimization addresses two key privacy risks: first, the risk that a company with a large store of consumer data will become a more enticing target for data thieves or hackers, and second, that consumer data will be used in ways contrary to consumers’ expectations.
The FTC also recommends that companies notify consumers and give them choices about how their information will be used, particularly when the data collection is beyond consumers’ reasonable expectations. The agency acknowledges that there is no one-size-fits-all approach to how that notice must be given to consumers, particularly since some Internet of Things devices may have no consumer interface.
The current filing is only one of the Internet of Things (IoT) privacy and security cases the FTC has ongoing. The agency has also brought actions against ASUS, a computer hardware manufacturer, and TRENDnet, a marketer of video cameras.