FTC Takes Aim at D-Link for IoT Security

In a legal complaint, the FTC makes multiple allegations about improper security measures in D-Link devices that could potentially enable attacks. D-Link calls the claims "vague and unsubstantiated."

FTC D-Link

The U.S Federal Trade Commission (FTC) filed a legal complaint against networking equipment vendor D-Link Corporation on Jan. 5, alleging that the company has inadequate security measures in its products, leaving consumers at risk. D-Link denies the allegations.

In a 31-page legal complaint, the FTC outlined multiple alleged failings in D-Link's security. According to the complaint, D-Link, "…failed to to take reasonable steps to protect their routers and IP cameras from widely known and reasonably foreseeable risks of unauthorized access..."

Among the issues alleged by the FTC complaint are hard-coded user credentials, which are embedded passwords in devices that users cannot easily change, that could enable an attacker unauthorized access. The FTC also warns about command injection flaws that might potentially enable a remote attacker to gain control of a vulnerable D-Link device.

The FTC also takes issue with how D-Link secures mobile application login credentials, which allegedly are now being stored in a non-encrypted readable text format. As well, the FTC is concerned with how D-Link has managed its own private encryption key, that is used to validate the authenticity of D-Link's software.

"Hackers are increasingly targeting consumer routers and IP cameras -- and the consequences for consumers can include device compromise and exposure of their sensitive personal information," Jessica Rich, director of the FTC's Bureau of Consumer Protection, said in a statement. "When manufacturers tell consumers that their equipment is secure, it's critical that they take the necessary steps to make sure that's true."

In an email sent to eWEEK, D-Link stated that it denies the allegations outlined in the complaint and is taking steps to defend the action.

"The security of our products and protection of our customers private data is always our top priority," the company stated.

In a publicly posted response to the FTC claims, D-Link states that the allegations are vague and unsubstantiated. Additionally, D-Link notes that the FTC complaint does not claim any specific breach of any D-Link product.

"The FTC speculates that consumers were placed 'at risk' to be hacked, but fails to allege, as it must, that actual consumers suffered or are likely to suffer actual substantial injuries," D-Link states. "D-Link Systems maintains a robust range of procedures to address potential security issues, which exist in all Internet of Things (IOT) devices."

The FTC has been actively working in recent years to help protect consumers against potential dangers rising from improperly secured Internet of Things (IoT) devices. In January 2015, the FTC released a report providing recommendations to vendors on how to improve IoT security.

In February 2016, networking vendor Asus settled with the FTC, over wireless router security issues. In the Asus case, the company agreed to maintain a comprehensive security program that includes its wireless routers and associated firmware being independently audited every two years for the next 20 years.

Earlier this week on Jan. 4, the FTC announced the $25,000 IoT Home Inspector Challenge to help improve security in connected home devices.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.