The Federal Trade Commission filed charges against the computer networking equipment company D-Link for providing inadequate security for its consumers.
In the case filed Thursday in the Northern District of California, the FTC said that the Taiwan-based company and its U.S. subsidiary failed to take reasonable steps to secure their routers and cameras, a failure that would allow hackers to access personal information about consumers such as live video and audio feeds.
D-Link said in its response to the case that the FTC failed to provide any instances of breaches of D-Link products sold in the United States, and that the agency bases its claim solely on the premise that D-Link put consumers at risk of being hacked. D-Link called the FTC’s charges “unwarranted and baseless” and said that the company has a set of procedures to address security problems on all of its Internet of Things (IoT) devices.
The FTC, which has jurisdiction over any company that makes and sells products for consumers, asks IoT companies to consider their products from the perspective of the average consumer. In this case, D-Link would have to provide security protections that a buyer with an average knowledge of technology wouldn’t think about. This includes providing a secure router and camera, according to the FTC charges.
According to the FTC, D-Link said that its products were “easy to secure” and had “advanced network security.” Despite this, the FTC said that D-Link products had common, default user names and passwords that could not be changed by the user and software flaws that would allow hackers to send users unauthorized commands. The FTC also said that D-Link kept its universal key code to access its software available online for six months and left users’ login information for its mobile app unsecured in clear, readable text on their cellphones.
“Hackers are increasingly targeting consumer routers and IP cameras–and the consequences for consumers can include device compromise and exposure of their sensitive personal information,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection. “When manufacturers tell consumers that their equipment is secure, it’s critical that they take the necessary steps to make sure that’s true.”
Hackers could use compromised routers to access consumers’ tax returns or other information housed on the router’s storage device, according to the FTC’s complaint. Hackers could also redirect the user to a fake website or enable the device to take part in a distributed denial of service (DDoS) attack. Hackers could use a compromised camera to watch users’ movements in order to target them for theft or other crimes, or to monitor personal activities and conversations.
The FTC has provided guidance for companies on data security and has held workshops across the country with technology companies to discuss topics like threat modeling and agile security on the go. The FTC has dealt with about 60 cases on security and uses those precedents to bring charges and rationalize future cases, such as the D-Link case. The FTC has also worked to educate consumers on security, teaching users to update firmware.
In the FTC’s guidance on Internet of Things security, the agency told technology companies to build security into any new devices from the beginning, train employees on security, ensure that any third-party providers are knowledgeable on security measures, include multiple layers of security to mitigate risks, monitor connected devices throughout their expected life cycle for potential security problems, and “consider measures” to keep hackers from accessing user devices or data.