
FTC sues D-Link for failure to secure webcams, routers from online attacks


D-Link is under fire from the Federal Trade Commission for not doing enough to secure its products, including connected home devices — a threat Apple has countered via secure authentication chips in HomeKit-certified hardware.

In a new lawsuit, the FTC alleges D-Link "failed to take reasonable steps" to prevent hackers from accessing routers and IP cameras, putting "thousands of consumers" in an insecure position.

The FTC claims that the networking appliance producer didn't do enough to protect its devices from "widely known and reasonably foreseeable risks of unauthorized access." The list of risks cited by the commission notes "flaws which the Open Web Application Security Project has ranked among the most critical and widespread web application vulnerabilities since at least 2007."

The lawsuit comes after a major distributed denial of service (DDoS) attack in October last year affected a number of prominent websites and services, driven by a botnet that took advantage of insecure IoT devices. Hardware that used unchanged default administration login information was targeted, with malware installed to allow it to be remotely controlled and used for the attack.

The FTC's lawsuit against D-Link comes after a 2016 botnet attack used inexpensive Internet of Things devices to take down huge swaths of the internet. Apple's HomeKit was not susceptible thanks to its end-to-end encryption.

That attack helped to highlight the benefits of Apple's HomeKit framework for connected devices. HomeKit uses a combination of end-to-end encryption, MFi authorization, and other techniques to keep communication between networked devices secure, making it extremely difficult for devices to be attacked via the framework itself.

The FTC, in its complaint, asserts that D-Link included "well-known and easily preventable software security flaws," and had repeatedly failed to test and repair its software to prevent them from being abused. The alleged issues include "hard-coded" user credentials, command injection flaws, and other backdoors.

The FTC also notes that D-Link failed to keep the private key used to sign the software secure, with the mishandling leading to the "exposure of the private key on a public website for approximately six months."

The security lapses also extended to mobile apps offered by D-Link to access and manage IP cameras and routers from a smartphone or tablet. The FTC claims D-Link "failed to use free software, available since at least 2008" to protect a user's login credentials for the app, instead storing the details on the mobile device in easily-readable plaintext.

In a statement, D-Link chief information security officer William Brown told The Verge the company "denies the allegations outlined in the complaint," and intends to defend itself.

The issues raised by the FTC in the complaint highlight the challenges manufacturers face in the "Internet of Things" market, and the importance of maintaining the security of such connected devices.

Last week, D-Link announced it would start adopting HomeKit for its IP-based security camera range, with the Omna 180 Cam HD the first with compatibility.



18 Comments

jbdragon 10 Years · 2312 comments

Maybe these companies will see that the slightly more costs to support HomeKit and its far better security is more than worth it. Going cheap is not always worth it.

rob53 13 Years · 3315 comments

jbdragon said:
Maybe these companies will see that the slightly more costs to support HomeKit and its far better security is more than worth it. Going cheap is not always worth it.

I think you're giving the cutthroat business of manufacturing too much credit. The Walmart attitude prevails where the cheapest is what "everyone" demands and the only way to make any profit is to cut as many corners as possible. Of course the flip side is how people view Apple as only building and selling gold-plated products, charging way too much and much more than anyone else. As people who love Apple products know, Apple strives for the best quality, most secure product they can design because they know there are people who will pay a bit more for these products because they know they will last longer and not be as easy to hack. All it takes is a government official with large enough round things (same saying goes for women) to take a stand and force companies to do the right thing not only for America but for the world even if it costs more to manufacture. We'll see if there are any of those officials still around in the next month.....

lkrupp 19 Years · 10521 comments

So why isn’t Apple shouting about this advantage from the rooftops? 

avon b7 20 Years · 8048 comments

This is good news. Hopefully, legislation will be brought forward to further increase the level of protection offered in home connected devices.

I've long argued for Apple and others to clearly state how long Macs will receive stand alone security updates. 

A couple of years ago I was speaking to a security manager at a critical infrastructure data centre who was complaining about a security problem in some Dell equipment. The solution offered by the company wasn't to fix the problem itself but to upgrade the software universally so instead of fixing the problem on one component he would have to upgrade more than 50 and pay.

He escalated the issue and Dell had to send someone to find a solution for the problem component. 

This is the kind of situation legislation should cater to for consumers.

Rayz2016 8 Years · 6957 comments

lkrupp said:
So why isn’t Apple shouting about this advantage from the rooftops? 

I imagine they are. But you won't hear it because they're shouting at manufacturers.