Router maker allegedly failed to take reasonable security steps to protect data against hackers
Taiwanese networking equipment maker is being sued by the Federal Trade Commission (FTC), after it alleged that its lax security in its routers and webcams put US consumer data at risk from hackers.
The lawsuit comes after security researchers Senrio last July a serious flaw that affected a range of devices from D-Link.
Matters were not helped when it later emerged that D-Link had been slow to patch the flaw, which affected more than 120 device models from the company, including cameras, routers, access points, modems and storage devices.
And now D-Link faces an official complaint filed in the Northern District of California by the FTC. The case will be decided by a federal district court judge.
The FTC allege that D-Link Corporation and its US subsidiary permitted “inadequate security measures”, which in turn “left its wireless routers and Internet cameras vulnerable to hackers and put US consumers’ privacy at risk”.
The FTC “charged that D-Link failed to take reasonable steps to secure its routers and Internet Protocol (IP) cameras, potentially compromising sensitive consumer information, including live video and audio feeds from D-Link IP cameras”.
The FTC has also filed similar cases against computer maker ASUS, video camera marketer TRENDnet.
“Hackers are increasingly targeting consumer routers and IP cameras – and the consequences for consumers can include device compromise and exposure of their sensitive personal information,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection.
“When manufacturers tell consumers that their equipment is secure, it’s critical that they take the necessary steps to make sure that’s true.”
What seems to have irritated the FTC especially is the fact that D-Link promoted the security of its routers on its website, which included materials headlined “EASY TO SECURE” and “ADVANCED NETWORK SECURITY”.
The FTC alleged that D-Link had failed to take steps to address well-known and easily preventable security flaws.
These included, according to the FTC, “hard-coded” login credentials that were integrated into D-Link camera software. For example, usernames such as “guest” and the password “guest”, could have allowed unauthorised access to the cameras’ live feed.
The FTC also took D-Link to task over a command injection software flaw, that could enable remote attackers to take control of routers by sending them unauthorized commands over the Internet.
Another issue was D-Link’s alleged mishandling of a private key code used to sign into D-Link software, so it was openly available on a public website for six months. D-Link also apparently left users’ login credentials for the D-Link’s mobile app unsecured in clear, readable text on mobile devices.
According to the FTC complaint, “hackers could exploit these vulnerabilities using any of several simple methods. For example, using a compromised router, an attacker could obtain consumers’ tax returns or other files stored on the router’s attached storage device.”
The flaws could have also redirected a consumer to a fraudulent website, or use the router to attack other devices on the local network.
It should be noted that D-Link products have been found to contain serious security vulnerabilities in the past.
In 2013 US firm Core Security found firmware flaws in a range of IP cameras, including a number of models made by D-Link. It should also be noted however that vulnerabilities can affect many companies, and not just D-Link.