FTC Sues D-Link For Pretending To Give A Damn About Hardware Security

from the cutting-edge-incompetence dept

Fri, Jan 13th 2017 1:14pm — Karl Bode

If you've been paying attention, you've probably noticed that the so-called Internet of Things isn't particularly secure. Hardware vendors were so excited to market a universe of new internet-connected devices, they treated things like privacy, security, and end-user control as afterthoughts. As a result, we've now got smart TVs, smart tea kettles, WiFi-connected barbies and all manner of other devices that are not only leaking private customer data, but are being quickly hacked, rolled into botnets, and used in historically unprecedented new, larger DDoS attacks.

This isn't a problem exclusive to new companies breaking into the IoT space. Long-standing hardware vendors that have consistently paid lip service to security are fueling the problem. Asus, you'll recall, was dinged by the FTC last year for marketing its routers as incredibly secure, yet shipping them with easily-guessed default username/login credentials and cloud-based functionality that was easily exploitable.

The FTC is back again, this time suing D-Link for routers and video cameras that the company claimed were "easy to secure" and delivered "advanced network security," yet were about as secure as a kitten-guarded pillow fort. Like Asus, D-Link's hardware also frequently ships with easily-guessed default login credentials. This frequently allows "hackers" (that term is generous since it takes just a few keystrokes) to peruse an ocean of unsecured cameras via search engines like Shodan, allowing them to spy on families and businesses in real time.

According to the FTC, D-Link's hardware also consistently suffers from a number of other vulnerabilities the regulator says the company simply refused to seriously address, including command injection software flaws that let remote attackers take control of consumers' routers via any IP address. D-Link is also accused of mishandling the private key used to sign into D-Link software (said key was openly available on a public website for six months), and of leaving users' login credentials for the mobile D-Link app unsecured in clear, readable text directly on the mobile device.

Needless to say, the FTC thinks D-Link should have done a little more to keep its products, and by proxy the internet at large, more secure:

“Hackers are increasingly targeting consumer routers and IP cameras -- and the consequences for consumers can include device compromise and exposure of their sensitive personal information,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection. “When manufacturers tell consumers that their equipment is secure, it’s critical that they take the necessary steps to make sure that’s true.”

Unsurprisingly, D-Link didn't think much of the FTC lawsuit, quickly posting a new FAQ and a press release implying that because the FTC didn't cite specific products and document clear instances of harm, there's no problem. The statement laments the FTC's "unwarranted allegations" and "contested 2-1 decision" to hold D-Link to account:

"The FTC complaint alleges certain security hacking concerns for consumer routers and IP cameras, and we firmly believe that charges alleged in the complaint against D-Link Systems are unwarranted," said William Brown, chief information security officer, D-Link Systems, Inc. "We will vigorously defend the security and integrity of our routers and IP cameras and are fully prepared to contest the complaint. Furthermore, we are continually working to address the overall security features of D-Link Systems' products for their intended applications and to regularly inform consumers of the appropriate steps to take to secure devices."

Granted you only need to spend a few moments with IoT-specific search engines to realize how common poorly-secured webcams (from D-Link and everybody else) are. And D-Link's router hardware has been well-represented in the recent rise of DDoS attacks on companies like Dyn. So the end result of this neglect should be pretty clear, and given the agency's recent warnings (pdf), the FTC's crackdown (which may or may not persist under a new administration) shouldn't be a surprise. Companies had every opportunity to prioritize privacy and security in their products, but instead chose to pay lip service to the concept.

170105 D Link Complaint and Exhibits (PDF)170105 D Link Complaint and Exhibits (Text)

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: ftc, iot, routers, security
Companies: d-link

27 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Michael Becker (profile), 13 Jan 2017 @ 1:22pm

I've got a couple d-link wifi power plugs, and the security is a joke. The credentials are all hard coded into the device and you can't change them. Super lame.
[ link to this | view in chronology ]
Anonymous Coward, 13 Jan 2017 @ 1:27pm

Ask a CEO about security.
Answer: Why? That costs money? The stockholders won't like that.
[ link to this | view in chronology ]
Anonymous Coward, 13 Jan 2017 @ 1:31pm

If D-link were really interested in security they would have ensured the devices were secure. They were probably more interested in being able to have access to all customer details themselves and being able to pass them on to the relevant security forces that demanded it!
[ link to this | view in chronology ]
Anonymous Coward, 13 Jan 2017 @ 1:50pm

"kitten-guarded pillow fort" That is pretty good physiological security. The cuteness can be overwhelming to people. All you would have to do to make it harder is just add more kittens.
[ link to this | view in chronology ]
Anonymous Coward, 13 Jan 2017 @ 2:00pm

A new T-Shirt waiting to happen...

secure as a kitten-guarded pillow fort

I think it'd make a great TD shirt, with some tweaks :)
[ link to this | view in chronology ]
TechDescartes (profile), 13 Jan 2017 @ 2:00pm

Wordsmithing
"This frequently allows 'hackers' (that term is generous since it takes just a few keystrokes)..."

Maybe we should call them "shlackers"...
[ link to this | view in chronology ]
Anonymous Coward, 13 Jan 2017 @ 2:01pm

D-Link...
Forget to pay the bill...

We know which bill!
[ link to this | view in chronology ]
Anonymous Coward, 13 Jan 2017 @ 2:43pm

Lol. I turned on adds for Techdirt since Shiva article and the add for this article is D-Link Cameras.
[ link to this | view in chronology ]
Anonymous Coward, 13 Jan 2017 @ 4:12pm

Maybe the FTC could call up the FCC and tell them not to harsh on router firmware replacements like openWRT to the point where router manufacturers outright block third party firmware.
[ link to this | view in chronology ]
D-Link sucks, 13 Jan 2017 @ 5:32pm

D-Link are assholes
D-Link are stupid
[ link to this | view in chronology ]
Anonymous Anonymous Coward (profile), 13 Jan 2017 @ 7:00pm

Alternatives
Tomato works for me. I off loaded the encrypt/decrypt of my VPN (Private Internet Access) encryption to my router, which is a Tomato firmware router. I disabled WiFi on my Internet providers router and enabled it on the Tomato, and place the Tomato router BEFORE the ISP router. All connections go through the Tomato router, including WiFi. So to connect to my VPN, all I have to do is connect everything else via the Tomato router.

I did spend a bit more for the router I currently have, so that it had the power to do the encrypt/decrypt without slowing the connection down.

And yes, I have two routers. One, provided by my Internet provider, which connects to the Internet, and a second one which I bought (Tomato) through which everything passes. There is probably a way to get the Tomato router to perform the function on the ISP router, but that is beyond my ken, and/or interest.

This works.
[ link to this | view in chronology ]
- Anonymous Anonymous Coward (profile), 13 Jan 2017 @ 7:04pm
  
  Re: Alternatives
  Oh, I meant to include
  
  https://en.wikipedia.org/wiki/Tomato_(firmware)
  [ link to this | view in chronology ]
- Anonymous Coward, 14 Jan 2017 @ 6:41am
  
  Re: Alternatives
  Why two routers? Does you ISP require that you use their router?
  [ link to this | view in chronology ]
  - Anonymous Anonymous Coward (profile), 14 Jan 2017 @ 7:37am
    
    Re: Re: Alternatives
    Don't know, didn't ask. Also, as I stated, I don't know how to get the second router to connect with the cable company, and don't need to.
    [ link to this | view in chronology ]
  - orbitalinsertion (profile), 16 Jan 2017 @ 11:34am
    
    Re: Re: Alternatives
    isp routers are frequently gateways with multiple functions including that of a "modem" hardware component to connect to their network if Ethernet isn't the incoming cable. some "routers"* can do it too.
    
    most of these are far more than routers, although that became the generic term for boxes with a varying set of functions all bundled together with the router aspect.
    
    Maybe one needs two, maybe one doesn't. It depends.
    [ link to this | view in chronology ]
    - Anonymous Coward, 17 Jan 2017 @ 10:28am
      
      Re: Re: Re: Alternatives
      You are correct sir. I have a gateway in "bridge" mode that is acting just as a modem with the router function turned off. I use my own router of course, but technically I have 2.
      [ link to this | view in chronology ]
Anonymous Coward, 14 Jan 2017 @ 7:25am

not just D-Link
Most manufacturers of SOHO network and IoT stuff play the same game. A few years ago they simply tried to ignore reports by security researches. Only after some media coverage they became active and provided firmware updates with security fixes. Meanwhile some learned how to deal with responsible disclosures by security researchers. Another problem is that they keep using obsolete software packages with known problems for years, instead of updating to the latest version of whatever daemon. Remember the UPnP problem across several brands? And if something is older than 2 years you won't get a firmware update anyway, because the manufacturer wants you to buy a new inexpensive gadget. Don't forget the consumer! If you pay $30 for a router you won't get something as good or secure as a $500 professional SOHO router.
[ link to this | view in chronology ]
- Anonymous Coward, 14 Jan 2017 @ 12:13pm
  
  Re: not just D-Link
  By that logic a $10k router from Cisco is more secure and better supported than the cheaper equivalent from Juniper. That's just not true. Granted a $30 TP-Link may have fewer features than the $100 Linksys, but even that is a stretch these days and there is no guarantee that Linksys is going to support that $100 device any longer or better than TP-Link supports their $30 device.
  
  What's the answer? In our current political and social climate in the US, I don't believe there is one other than ISPs blocking connections they determine are causing problems for their network. The problem is because politicians and government bureaucrats aren't qualified to write sane, to the point, and appropriate rules for *any* profession or market let alone something as nuanced and difficult to deal with as electronic & computer security where even the merely competent are uncommon and experts capable of writing best practices and specifications are far more rare than diamonds.
  [ link to this | view in chronology ]
  - Anonymous Coward, 14 Jan 2017 @ 1:38pm
    
    Re: Re: not just D-Link
    That's not what I've meant. You can't expect a high quality firmware or long time support for a $30 router. OpenWRT might be an option, but not for average Joe. On the other hand you can buy a router from AVM or Lancom and get free updates for about 5 to 10 years (security fixes and new features).
    [ link to this | view in chronology ]
Anonymous Coward, 14 Jan 2017 @ 12:00pm

The FTC lawsuits all hinge on marketing claims. Basically, the FTC says labeling one's devices as "secure" when they are trivial to exploit is false advertising.

Industry solution: never claim anything is secure any longer. FTC is hamstrung and outside of the FCC who can potentially ding companies (and users) for using products that cause RFI, business continues as usual and IoT producers write any court awards and legal fees off as "cost of doing business".

If you think this lawsuit is going to change one damned thing other than how devices are marketed (they'll just drop putting "secure" on the box) by major corporations you are seriously deluding yourself.

Any such regulations would be written by politicians and bureaucrats both of which are 1) not qualified to write such rules, and 2) subject to lobby pressure to make them as ineffective as they can buy. Arguably from past experience, these rules would become more onerous as time went on eventually strangling the market for all but the biggest incumbents and scaring off possible market entrants. This is exactly what's happening with the medical profession, nuclear related industries, and other such ridiculously badly regulated industries. We don't need MORE regulation, we need SMART regulations NOT written by people who's only job experience is duping Average Joe to vote for him or her.
[ link to this | view in chronology ]
- DannyB (profile), 16 Jan 2017 @ 7:02am
  
  Re:
  It is more than marketing. What you're saying is that a toaster manufacturer will drop the marketing label: "won't burn your house down!", but will continue to make toasters that burn your house down.
  
  The "won't burn your house down!" is not a feature. Not any more than "Secure". It is something that should be a base expectation for the product to even be saleable or fit for purpose.
  [ link to this | view in chronology ]
Ninja (profile), 16 Jan 2017 @ 4:08am

If companies don't start being financially hurt by their lack of care with security we will see major problems soon. It's past time bodies like the FTC started bringing down the hammer on the bad players.
[ link to this | view in chronology ]
DannyB (profile), 16 Jan 2017 @ 6:59am

Make companies fincially liable for damages
If I buy a toaster, I expect that it will not burn my house down.

If I buy a router or webcam, I expect that it will not get hacked and participate in a botnet that causes damage to others.

The company making products with these defects should be financially liable for the damages their products cause. Yes, really. If you've ever looked at the hoops you have to jump through for PCI compliance for a web site to accept credit cards, you know that there is much more that can be done for security. No default credentials. No special manufacturer back doors. Everything locked down. No unnecessary open ports. Signed firmware. Require pressing a physical button on the device in order to perform any admin activity. (OMG! do you know how much an extra button would cost!)

If companies had liability for security problems, they would suddenly have an incentive to invest in security. Even work together. Maybe industry standard best practices. Maybe even a common secure base distribution that everyone builds upon. Imagine incentivizing the shareholders of companies to require working together on security rather than ignoring it as a corner that can be cut.
[ link to this | view in chronology ]
Derek Kerton (profile), 16 Jan 2017 @ 12:53pm

Pictures, Please
"yet were about as secure as a kitten-guarded pillow fort."

Karl, can you provide photos of this. Sounds awesome.
[ link to this | view in chronology ]
- Wendy Cockcroft, 17 Jan 2017 @ 5:43am
  
  Re: Pictures, Please
  Ask and you shall receive: https://i.ytimg.com/vi/uGZQFEhpmzE/maxresdefault.jpg
  [ link to this | view in chronology ]
Joel, 17 Jan 2017 @ 12:08am

That private key on the public server
I'm pretty sure I read elsewhere that the private key they left on a public server for 6 months is the one used to sign their firmware. It's not just a password to log into a software. It's the key that is used to cryptographically sign firmware files such that devices can be sure that the firmware was authorised by D-Link. Usually the router will not install anything without that signature, preventing malicious third parties from updating the device with their firmware. Having such a private key for signing go public is very serious, because it allows others to impersonate you cryptographically speaking
[ link to this | view in chronology ]
Dlink Technical Support (profile), 23 Apr 2018 @ 4:43am

About Dlink Router
Hlw guys,

I read this article and I feel disappointed to know about Dlink router in above discussion.I am a D-link router Tech support Employee and I have been serving from last 5year to Dlink router's customer.In my point of View Dlink is a good router.
[ link to this | view in chronology ]