D-Link, a manufacturer of internet routers, IP cameras and smart home controls, is facing legal action from the Federal Trade Commission (FTC), which claims the company sold connected devices with inadequate security - yet marketed the products partly on the strength of their security.
The FTC charged that D-Link failed to take reasonable steps to secure its routers and Internet Protocol (IP) cameras, potentially compromising sensitive consumer information, including live video and audio feeds from D-Link IP cameras.
The FTC claims that the company "failed to take steps to address well-known and easily preventable security flaws", including:
- Hard-coded login credentials integrated into D-Link camera software, including a username and password combination of "guest", that meant that anyone could access internet-connected cameras' live feeds;
- Command-injection flaws that could enable remote attackers to take control of consumers' routers;
- The mishandling of a private-key code used to sign into D-Link software, which was openly available on a public website for six months; and,
- Leaving users' login credentials for D-Link's mobile app unsecured in clear, readable text on their mobile devices.
The FTC claims that hackers could easily exploit these glaring vulnerabilities using any number of "simple methods". The FTC cites the example of an attacker being able to obtain consumers' tax returns or other files stored on a D-Link router's network-attached storage (NAS) device.
"They could [also] redirect a consumer to a fraudulent website, or use the router to attack other devices on the local network, such as computers, smartphones, IP cameras, or connected appliances," claims the FTC in a statement.
Jessica Rich, director of the FTC's Bureau of Consumer Protection, indicated that the case against D-Link might not be the last the organisation brings against makers of insecure internet-connected devices.
"Hackers are increasingly targeting consumer routers and IP cameras - and the consequences for consumers can include device compromise and exposure of their sensitive personal information. When manufacturers tell consumers that their equipment is secure, it's critical that they take the necessary steps to make sure that's true," said Rich.