The Federal Trade Commission has filed suit against a manufacturer of home router and webcam equipment, charging that it made misleading security claims about its products, which were vulnerable to hackers and risky for consumers’ privacy.
According to a partially redacted complaint filed in federal court in Northern California, Taiwanese D-Link Corp. and its U.S. subsidiary “failed to take reasonable steps to protect their routers and IP cameras from widely known and reasonably foreseeable risks of unauthorized access.”
D-Link products put the personal cybersecurity and private data of thousands of Americans at risk, the complaint states.
The FTC alleges that D-Link had a years-long history of ignoring security best practices and shipping products with default hard-coded administrator passwords or unfixed and well-known software vulnerabilities. The company’s mobile app stored in plaintext the usernames and passwords that gave remote access, and the supposedly private encryption key D-Link engineers used to sign its software updates was left on a public website for six months.
Despite this, the complaint alleges, the company used terms in its marketing like “easy to secure” and “advanced network security” — exactly the kind of “unfair or deceptive acts or practices in or affecting commerce” that’s prohibited under section 5(a) of the FTC Act.
The complaint seeks injunctive relief but no monetary damages.
Harbinger of IoT cases to come?
D-Link has been familiar to cybersecurity experts since as far back as 2013, when Sophos busted the company for a hard-wired backdoor in its firmware, and its products continue to be fingered as vulnerable.
“Hackers are increasingly targeting [home] routers and IP cameras — and the consequences for consumers can include device compromise and exposure of their sensitive personal information,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection, in a statement.
“When manufacturers tell consumers that their equipment is secure, it’s critical that they take the necessary steps to make sure that’s true.”
The agency’s legal actions over poor cybersecurity or data protection have become almost routine, but this case is one of only a handful so far against a manufacturer of web-connected internet of things (IoT) hardware.
The latest move comes as experts warn that the IoT could herald an online security apocalypse — as billions of easily exploitable insecure devices are connected to the web, where hackers can weaponize them into massive botnets.