FTC: D-Link IoT devices put thousands of customers at risk

D-Link calls Federal Trade Commission's claims "vague and unsubstantiated"

Hacking

The US Federal Trade Commission has accused D-Link of putting thousands of customers at risk by failing to provide adequate security measures in its IoT devices. 

Charges filed yesterday say the Taiwanese company failed to take steps to prevent intruders from hacking IoT devices, with the view to steal customer network data or add devices to a larger 'botnet'.

D-Link called the allegations "vague and unsubstantiated".

The filing, made to the US District Court for the Northern District of California, represents a wider FTC campaign to improve the security of connected devices around the home, including webcams, routers, security cameras and other smart home technology.

Advertisement
Advertisement - Article continues below

The complaint states D-Link has "failed to take reasonable steps to protect their routers and IP cameras from widely known and reasonably foreseeable risks of unauthorised access", and has failed to protect customers against flaws considered "among the most critical and widespread web application vulnerabilities since at least 2007".

D-Link is accused of repeatedly failing to guard against "easily preventable software flaws", including the use of default user credentials, command injection flaws, and backdoors, which would allow the remote hacking of devices.

Specified in the complaint are D-Link's Wireless N 300 Router, N Dual Band Router, and the N Network Camera.

The company's allegedly inadequate approach to security has meant D-Link devices have put thousands of customers at risk of unauthorised access, and of being made part of a larger IoT botnet, according to the complaint.

"The FTC has made vague and unsubstantiated allegations relating to routers and IP cameras," a D-Link spokesperson responded in a statement. "D-Link Systems will vigorously defend itself against the unwarranted and baseless charges made by the FTC."

"The complaint does not allege any breach of a D-Link Systems device. Instead, the FTC speculates that consumers were placed 'at risk' to be hacked, but fails to allege that actual consumers suffered or are likely to suffer actual substantial injuries," the statement adds.

A D-Link Wi-Fi camera flaw discovered in July 2016 was found to have potentially exposed 400,000 devices to remote hacking, allowing intruders to change default credentials and potentially spy on users in their home. A firmware update to the DCS-930L Cloud Camera allowed hackers to use a single line of code to gain unauthorised access. D-Link is yet to respond to IT Pro's request for comment on the issue.

The hacking of IoT devices has led to the creation of botnets on a massive scale, resulting in a series of attacks by the so-called 'Mirai botnet' in 2016. Since its discovery, the army of enthralled IoT devices has launched some of the largest DDoS attacks in history, including the massive cyber attack against Dyn servers in October, which knocked sites such as Twitter, Netflix and Reddit offline.

The FTC brought similar charges against Asus last February, after a flaw was discovered in 2014 that allowed almost 13,000 routers to be remotely hacked, forcing the company into a program of independent security reviews for the next 20 years.

The complaint outlines six counts of breaking FTC policy, including misrepresentation of promotional security material and unfairness in handling customer safety. The FTC has requested the court to force D-Link to review security practices and reimburse any legal fees.

Featured Resources

The essential guide to cloud-based backup and disaster recovery

Support business continuity by building a holistic emergency plan

Download now

Trends in modern data protection

A comprehensive view of the data protection landscape

Download now

How do vulnerabilities get into software?

90% of security incidents result from exploits against defects in software

Download now

Delivering the future of work - now

The CIO’s guide to building the unified digital workspace for today’s hybrid and multi-cloud strategies.

Download now
Advertisement

Recommended

Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/cloud/microsoft-azure/354230/microsoft-not-amazon-is-going-to-win-the-cloud-wars
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
Visit/cloud/amazon-web-services-aws/354223/what-to-expect-from-aws-reinvent-2019
Amazon Web Services (AWS)

What to expect from AWS Re:Invent 2019

29 Nov 2019
Visit/hardware/354232/raspberry-pi-4-owners-complain-of-broken-wi-fi-when-using-hdmi
Hardware

Raspberry Pi 4 owners complain of broken Wi-Fi when using HDMI

29 Nov 2019
Visit/mobile/google-android/354189/samsung-galaxy-a90-5g-review-simply-the-best-value-5g-phone
Google Android

Samsung Galaxy A90 5G review: Simply the best value 5G phone

22 Nov 2019