D-Link is under fire from the Federal Trade Commission for not doing enough to secure its products, including connected home devices — a threat Apple has countered via secure authentication chips in HomeKit-certified hardware.
In a new lawsuit, the FTC alleges D-Link "failed to take reasonable steps" to prevent hackers from accessing routers and IP cameras, putting "thousands of consumers" in an insecure position.
The FTC claims that the networking appliance producer didn't do enough to protect its devices from "widely known and reasonably foreseeable risks of unauthorized access." The list of risks cited by the commission notes "flaws which the Open Web Application Security Project has ranked among the most critical and widespread web application vulnerabilities since at least 2007."
The lawsuit comes after a major distributed denial of service (DDoS) attack in October last year affected a number of prominent websites and services, driven by a botnet that took advantage of insecure IoT devices. Hardware that still used its unchanged default administration login credentials was targeted, with malware installed so the devices could be remotely controlled and used in the attack.
The FTC's lawsuit against D-Link comes after a 2016 botnet attack used inexpensive Internet of Things devices to take down huge swaths of the internet. Apple's HomeKit was not susceptible thanks to its end-to-end encryption.
That attack helped to highlight the benefits of Apple's HomeKit framework for connected devices. HomeKit uses a combination of end-to-end encryption, MFi authorization, and other techniques to keep communication between networked devices secure, making it extremely difficult for devices to be attacked via the framework itself.
The FTC, in its complaint, asserts that D-Link included "well-known and easily preventable software security flaws," and had repeatedly failed to test and repair its software to prevent them from being abused. The alleged issues include software that uses "hard-coded" user credentials, is vulnerable to command injection flaws, and contains other backdoors.
The complaint also notes that D-Link failed to keep the private key used to sign its software secure, with the mishandling leading to the "exposure of the private key on a public website for approximately six months."
The security lapses also extended to the mobile apps D-Link offers for accessing and managing IP cameras and routers from a smartphone or tablet. The FTC claims D-Link "failed to use free software, available since at least 2008" to protect a user's login credentials for the app, instead storing the details on the mobile device in easily readable plaintext.
In a statement, D-Link chief information security officer William Brown told The Verge the company "denies the allegations outlined in the complaint," and intends to defend itself.
The issues raised by the FTC in the complaint highlight the challenges manufacturers face in the "Internet of Things" market, and the importance of maintaining the security of such connected devices.
Last week, D-Link announced it would start adopting HomeKit for its IP-based security camera range, with the Omna 180 Cam HD the first with compatibility.
18 Comments
Maybe these companies will see that the slightly higher cost to support HomeKit and its far better security is more than worth it. Going cheap is not always worth it.
So why isn’t Apple shouting about this advantage from the rooftops?
This is good news. Hopefully, legislation will be brought forward to further increase the level of protection offered in home connected devices.
I've long argued for Apple and others to clearly state how long Macs will receive stand-alone security updates.
A couple of years ago I was speaking to a security manager at a critical infrastructure data centre who was complaining about a security problem in some Dell equipment. The solution offered by the company wasn't to fix the problem itself but to upgrade the software universally, so instead of fixing the problem on one component he would have to upgrade more than 50 and pay.
He escalated the issue and Dell had to send someone to find a solution for the problem component.
This is the kind of situation legislation should cater to for consumers.