FTC sues D-Link over alleged security flaws

D-Link is a household name across much of the world for its range of affordable networking hardware, which includes Wi-Fi routers, webcams, and new IoT devices. They have a big share of the market but are coming under fire at the moment after the Federal Trade Commission opted to take them to court over their security practices.

The case, which has been filed in the district court of San Francisco, argues that D-Link has, since 2007, consistently failed to meet security standards in their products and has left vulnerabilities unattended, which exposes users to cyber attacks. D-Link has strongly denied the claims and intends to fight the case.

Alleged Security Failings

The details of the case will be hugely troubling for customers of D-Link. The FTC has accused the company of hard-coding login credentials into their camera software, credentials which were easy for hackers to crack. By doing so, the FTC states that the company was leaving their customers susceptible to online spying.

They further allege that D-Link left the passwords of users of their mobile apps unencrypted. This meant that when users input their passwords, they were available on screen in plain text for anyone looking over their shoulder to note down.

The FTC also highlighted a “command injection” problem which made it possible for hackers to take control of routers remotely.

In the lawsuit, the FTC argues D-Link “repeatedly have failed to take reasonable software testing and remediation measures to protect their routers and IP cameras against well-known and easily preventable software security flaws”.

They went on to say that the risk of attack for customers was “significant”, claiming that the vulnerabilities could be exploited using simple methods and easily obtained tools.

The FTC is pushing on the matter because compromised webcams and other IoT devices are thought to make up the majority of botnets, which hackers use for DDoS attacks, such as the one last October which affected Twitter, Spotify, and Netflix, along with many other sites.

D-Link defence

It is not the first time that D-Link have been accused of security failings either. Back in July 2016, the Senrio research team identified issues with five D-Link webcams.

They have, however, responded robustly to the lawsuit and indicated they will defend themselves. In a statement, they highlighted the fact that the decision to go ahead with the case was a unanimous one within the FTC, as well as the failure of the claim to identify any specific products.

They stated that the company would “vigorously defend itself against the unwarranted and baseless charges made by the FTC.”

D-Link is at pains to stress that none of their current products are identified specifically in the lawsuit and whilst it is not the first time they have been accused of such failings, the details of the lawsuit do seem to be rather vague.

More details may emerge in due course, but there is no doubt that the case is likely to cause D-Link some reputational damage, in the short term especially, and in the USA in particular.

For users of D-Link products who are concerned, there is a simple way to guarantee the security of all your IoT devices. Using a VPN ensures that all traffic to and from any device is encrypted and therefore secure. While only a few IoT devices can have VPNs used on them directly, this can be worked around by using a VPN-enabled router.

A VPN-enabled router means the entire Wi-Fi connection runs through a VPN, with any device attached to the Wi-Fi therefore protected. VPN-enabled routers are commonly available and for the most part affordable, and if you are going down the IoT road, they are a very sensible investment, whether you are using D-Link products or not.