D-Link sucks so much at Internet of Suckage security – US watchdog
Router biz sued by Uncle Sam for hardcoded passwords, exploitable bugs and more
America's trade watchdog is suing D-Link, alleging the router and camera vendor failed to implement basic security protections in its gear.
The FTC said that its complaint was based on D-Link's failure to take "reasonable steps" to secure its products, putting the privacy of citizens everywhere at risk as a result.
"Hackers are increasingly targeting consumer routers and IP cameras – and the consequences for consumers can include device compromise and exposure of their sensitive personal information," said FTC Consumer Protection Bureau director Jessica Rich. "When manufacturers tell consumers that their equipment is secure, it's critical that they take the necessary steps to make sure that's true."
Among the transgressions the FTC cites in its legal complaint [PDF] are:
- The use of non-removable default passwords in its IP cameras.
- Command-injection flaws.
- Leaked security keys in its routers.
- The use of plain-text password storage on its mobile app.
This despite D-Link advertising its products as having "advanced security" protections and using secure connection protocols. As a result, the FTC says, D-Link illegally misrepresented its products and put the privacy of its customers at risk.
The FTC also notes the danger D-Link's security lapses presented to people who were not its customers, as the poorly secured routers and cameras presented prime targets for hackers looking to build IoT botnets.
The suit alleges six violations of the FTC Act of 1914: one count of unfairness and five counts of misrepresentation for security event response policy, router promotional material, router GUI, IP camera promotional material, and IP camera GUI.
The complaint seeks costs and damages as well as an injunction to further penalize D-Link should it continue to violate the FTC Act.
In a statement, the hardware maker said: "D-Link denies the allegations outlined in the complaint and is taking steps to defend the action. The security of our products and protection of our customers' private data is always our top priority."
And in an FAQ, D-Link said the charges against it were "baseless."