Internet-of-things vendors beware: The complaint filed by the Federal Trade Commission against router and camera manufacturer D-Link could signal the start of a long-term battle to fix systemic industry problems.
D-Link left doors open in its products for hackers through poor security practices, the FTC alleges in a five-count complaint filed in federal court on San Francisco. But D-Link marketed devices such as routers to consumers as secure – a law-breaking misrepresentation that put consumers’ data at risk, the agency contends.
The complaint was filed against D-Link Corp. of Taiwan and its U.S. subsidiary, D-Link Systems, based in California. The FTC is asking the court for a permanent injunction that would prevent violations of the FTC Act, which prohibits deceptive practices.
D-Link has called the charges “unwarranted” and “baseless,” arguing that it maintains a robust set of procedures to address security problems.
“The FTC has made vague and unsubstantiated allegations relating to routers and IP cameras,” according to a Q&A published online. “Notably, the complaint does not allege any breach of any product sold by DLink Systems in the U.S.”
The complaint doesn’t argue that consumers were breached because of the security errors but rather they were at risk of a breach. As part of its legal fight, D-Link has retained a Washington-based group, the Cause of Action Institute, to defend it.
The institute takes on cases where it believes the government may stretching its legal powers. The group contends it’s a “dangerous precedent for the federal government to go after a good company and put American jobs at risk without a single instance of actual or likely consumer harm.”
The IoT industry has been under close scrutiny over the past six months as hackers have compromised large numbers of home routers, IP cameras and even baby monitors. Those devices were then used for devastating distributed denial-of-service attacks. The FTC complaint is a sign that if the industry doesn’t improve security, regulators will take note.
“This is probably among the first examples of many that we will see in which regulators are really going to aggressively file against vendors for these security breaches,” says Laura Didio, IoT research director with 451 Research.
Vulnerable To Attacks
D-Link is one of the largest manufacturers of consumer routers and IP cameras, which of late have been aggressively targeted by hackers. Computer security experts have warned the devices often have poor security controls and that large-scale problems were likely imminent.
It finally happened last September. Hackers infected a large number of IoT devices with Mirai, a type of malware targeting embedded Linux systems. The devices were then used for record-breaking DDoS attacks that had knock-on effects for large services including Spotify and PayPal.
The FTC contends that D-Link’s marketing material says its routers are “easy to secure” and are equipped with “advanced network security.” But in practice, the company failed to implement proper security safeguards, the FTC says.
Software that runs a D-Link IP camera contained a default username and password, both set to “guest,” and could have allowed access to live video feeds, the FTC says. In another alleged misstep, D-Link stored login credentials for a mobile app without encryption, the agency adds.
But in the most egregious alleged mistake, D-Link left its private code-signing key on a public website for more than six months, the FTC contends. Code-signing keys are extremely sensitive. If obtained by a hacker, the key could be used to sign malicious software that would appear to have been developed by D-Link.
The collective result of these errors means that consumer routers and cameras have been vulnerable to attacks that could have compromised their sensitive personal information, the complaint says. “The risk that attackers would exploit these vulnerabilities to harm consumers was significant,” it says.
Shoring Up IoT
The complaint centers largely on how D-Link allegedly misrepresented its products to its customers. That should serve as a reminder to other companies that public statements concerning security and privacy are promises to the public, writes Brian Schaller, an attorney with the Information Law Group.
“Breaking those promises could not only subject a company to FTC complaints, but also state attorney generals’ actions and costly class action lawsuits,” Schaller writes in a blog post.
Although D-Link is the focus of the FTC, the problem of inadequate security in IoT industry is widespread, says Craig Spiezle, executive director and president of the Online Trust Alliance.
“This discussion is not about D-Link,” he says. “This discussion now is about how every company needs to be accountable. We need to be thinking about the long-term impact of these devices.”
IoT manufacturers push out new products quickly. It’s common for companies to stop supporting those devices after a couple of years even though consumers and businesses may use them for a long time.
Spiezle’s group has developed a set of security guidelines called the IoT Security & Privacy Trust Framework, the latest version of which was released last week. The framework is a set of basic practices that all manufacturers should follow that wouldn’t necessarily increase development costs.
So far, Symantec and ADT, the security company, have signed on. Spiezle says some companies are hesitating, though, because their current product lines may not comply. But Spiezle views adoption of the framework as a longer-term campaign, and he is encouraging companies to use the framework for forthcoming products.
The FTC complaint against D-Link “is the warning” to IoT companies, Spiezle says. “What’s the right thing for consumers to be doing for consumers and the industry? It’s securing these devices and making sure [companies] have a plan for supporting them over the expected life. That’s what I’m most concerned about.”