D-Link must suffer indignity of security audits to settle with the Federal Trade Commission
No admission of guilt, but plenty of new rules to follow
Taiwanese networking equipment vendor D-Link will have to submit to a decade of product security audits after agreeing to settle a lawsuit brought by the US Federal Trade Commission.
It has also pledged to maintain a "comprehensive software security programme" for the next 20 years, designed to make its IP cameras and routers safe for consumers.
The settlement order is available on the US antitrust body's website (PDF).
"Notably," the company said in a statement, "the order does not find D-Link Systems liable for any alleged violations."
Back in 2017, the FTC accused D-Link of a long list of shoddy security practices, including, but not limited to, the use of non-removable default passwords in its IP cameras, command-injection flaws, leaked router security keys and the use of plain-text password storage in its mobile app.
The FTC said D-Link failed to take "reasonable steps" to secure its products, putting the privacy of customers everywhere at risk. The trade watchdog treated this as a consumer rights issue.
"When manufacturers tell consumers that their equipment is secure, it's critical that they take the necessary steps to make sure that's true," FTC Consumer Protection Bureau director Jessica Rich wrote at the time.
The suit alleged six violations of the FTC Act of 1914: one count of unfairness and five counts of misrepresentation. After years of legal wrangling, the trial finally kicked off in January 2019.
During the case, D-Link argued that it should not be on trial at all, since no actual customers had been harmed, and it succeeded in getting the unfairness claim dismissed.
The company has not admitted guilt, but agreed that device security is very important and said it would make sure to comply with the FTC's requirements.
"We chose to defend against this litigation based on our strong belief in the quality and security of our products and practices," D-Link said. "This settlement allows D-Link Systems to vigorously continue with its current comprehensive software security program and sets a new standard for secure software development practices for IoT devices."
"This case will have a lasting impact and, we hope, positively shape public policy in the important areas of technology, data security, and privacy," added John Vecchione, lead trial counsel for D-Link Systems and CEO of Cause of Action Institute.
Cause of Action, formerly known as the Freedom Through Justice Foundation, is a "government accountability" nonprofit that campaigns for "economic liberty unencumbered by overregulation"; it took on the D-Link case pro bono.
Besides biennial audits by an assessor approved by the FTC, the 32-page settlement outlines a security programme for D-Link, which will have to be documented in writing, with annual reports to the board of directors and annual device security assessments.
Most of it reads like best practice: for example, the settlement mandates performing threat modeling, using automatic firmware updates where possible, and conducting pre-release vulnerability testing of every software release; things a responsible hardware vendor should be doing anyway.
There’s also a requirement for a process for accepting vulnerability reports from security researchers, and biennial security training for personnel and vendors responsible for developing, implementing, or reviewing router or IP camera software.
It's not clear whether D-Link will need it, but the vendor has been granted a two-year "safe harbor" period to get its house in order. ®