D-Link, a manufacturer of internet routers, IP cameras and smart home controls, is facing legal action from the Federal Trade Commission (FTC), which claims the company sold connected devices with inadequate security - yet marketed the products partly on the strength of their security.
The FTC charged that D-Link failed to take reasonable steps to secure its routers and Internet Protocol (IP) cameras, potentially compromising sensitive consumer information, including live video and audio feeds from D-Link IP cameras.
The FTC claims that the company "failed to take steps to address well-known and easily preventable security flaws", including:
- Hard-coded login credentials integrated into D-Link camera software, including a username and password combination of "guest", that meant that anyone could access internet-connected cameras' live feeds;
- Command-injection flaws that could enable remote attackers to take control of consumers' routers;
- The mishandling of a private-key code used to sign into D-Link software, which was openly available on a public website for six months; and,
- Leaving users' login credentials for D-Link's mobile app unsecured in clear, readable text on their mobile devices.
The FTC claims that hackers could easily exploit these glaring vulnerabilities using any number of "simple methods". The FTC cites the example of an attacker being able to obtain consumers' tax returns or other files stored on a D-Link router's network-attached storage (NAS) device.
"They could [also] redirect a consumer to a fraudulent website, or use the router to attack other devices on the local network, such as computers, smartphones, IP cameras, or connected appliances," claims the FTC in a statement.
Jessica Rich, director of the FTC's Bureau of Consumer Protection, indicated that the case against D-Link might not be the last the organisation brings against makers of insecure internet-connected devices.
"Hackers are increasingly targeting consumer routers and IP cameras - and the consequences for consumers can include device compromise and exposure of their sensitive personal information. When manufacturers tell consumers that their equipment is secure, it's critical that they take the necessary steps to make sure that's true," said Rich.