FTC Sues D-Link For Pretending To Give A Damn About Hardware Security
from the cutting-edge-incompetence dept
If you've been paying attention, you've probably noticed that the so-called Internet of Things isn't particularly secure. Hardware vendors were so excited to market a universe of new internet-connected devices, they treated things like privacy, security, and end-user control as afterthoughts. As a result, we've now got smart TVs, smart tea kettles, WiFi-connected barbies and all manner of other devices that are not only leaking private customer data, but are being quickly hacked, rolled into botnets, and used in historically unprecedented new, larger DDoS attacks.
This isn't a problem exclusive to new companies breaking into the IoT space. Long-standing hardware vendors that have consistently paid lip service to security are fueling the problem. Asus, you'll recall, was dinged by the FTC last year for marketing its routers as incredibly secure, yet shipping them with easily-guessed default username/login credentials and cloud-based functionality that was easily exploitable.
The FTC is back again, this time suing D-Link for routers and video cameras that the company claimed were "easy to secure" and delivered "advanced network security," yet were about as secure as a kitten-guarded pillow fort. Like Asus, D-Link's hardware also frequently ships with easily-guessed default login credentials. This frequently allows "hackers" (that term is generous since it takes just a few keystrokes) to peruse an ocean of unsecured cameras via search engines like Shodan, allowing them to spy on families and businesses in real time.
According to the FTC, D-Link's hardware also consistently suffers from a number of other vulnerabilities the regulator says the company simply refused to seriously address, including command injection software flaws that let remote attackers take control of consumers' routers via any IP address. D-Link is also accused of mishandling the private key used to sign into D-Link software (said key was openly available on a public website for six months), and of leaving users' login credentials for the mobile D-Link app unsecured in clear, readable text directly on the mobile device.
Needless to say, the FTC thinks D-Link should have done a little more to keep its products, and by proxy the internet at large, more secure:
“Hackers are increasingly targeting consumer routers and IP cameras -- and the consequences for consumers can include device compromise and exposure of their sensitive personal information,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection. “When manufacturers tell consumers that their equipment is secure, it’s critical that they take the necessary steps to make sure that’s true.”Unsurprisingly, D-Link didn't think much of the FTC lawsuit, quickly posting a new FAQ and a press release implying that because the FTC didn't cite specific products and document clear instances of harm, there's no problem. The statement laments the FTC's "unwarranted allegations" and "contested 2-1 decision" to hold D-Link to account:
"The FTC complaint alleges certain security hacking concerns for consumer routers and IP cameras, and we firmly believe that charges alleged in the complaint against D-Link Systems are unwarranted," said William Brown, chief information security officer, D-Link Systems, Inc. "We will vigorously defend the security and integrity of our routers and IP cameras and are fully prepared to contest the complaint. Furthermore, we are continually working to address the overall security features of D-Link Systems' products for their intended applications and to regularly inform consumers of the appropriate steps to take to secure devices."Granted you only need to spend a few moments with IoT-specific search engines to realize how common poorly-secured webcams (from D-Link and everybody else) are. And D-Link's router hardware has been well-represented in the recent rise of DDoS attacks on companies like Dyn. So the end result of this neglect should be pretty clear, and given the agency's recent warnings (pdf), the FTC's crackdown (which may or may not persist under a new administration) shouldn't be a surprise. Companies had every opportunity to prioritize privacy and security in their products, but instead chose to pay lip service to the concept.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in thread ]
Ask a CEO about security.
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
A new T-Shirt waiting to happen...
I think it'd make a great TD shirt, with some tweaks :)
[ link to this | view in thread ]
Wordsmithing
Maybe we should call them "shlackers"...
[ link to this | view in thread ]
D-Link...
We know which bill!
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
D-Link are assholes
[ link to this | view in thread ]
Alternatives
I did spend a bit more for the router I currently have, so that it had the power to do the encrypt/decrypt without slowing the connection down.
And yes, I have two routers. One, provided by my Internet provider, which connects to the Internet, and a second one which I bought (Tomato) through which everything passes. There is probably a way to get the Tomato router to perform the function on the ISP router, but that is beyond my ken, and/or interest.
This works.
[ link to this | view in thread ]
Re: Alternatives
https://en.wikipedia.org/wiki/Tomato_(firmware)
[ link to this | view in thread ]
Re: Alternatives
[ link to this | view in thread ]
not just D-Link
[ link to this | view in thread ]
Re: Re: Alternatives
[ link to this | view in thread ]
Industry solution: never claim anything is secure any longer. FTC is hamstrung and outside of the FCC who can potentially ding companies (and users) for using products that cause RFI, business continues as usual and IoT producers write any court awards and legal fees off as "cost of doing business".
If you think this lawsuit is going to change one damned thing other than how devices are marketed (they'll just drop putting "secure" on the box) by major corporations you are seriously deluding yourself.
Any such regulations would be written by politicians and bureaucrats both of which are 1) not qualified to write such rules, and 2) subject to lobby pressure to make them as ineffective as they can buy. Arguably from past experience, these rules would become more onerous as time went on eventually strangling the market for all but the biggest incumbents and scaring off possible market entrants. This is exactly what's happening with the medical profession, nuclear related industries, and other such ridiculously badly regulated industries. We don't need MORE regulation, we need SMART regulations NOT written by people who's only job experience is duping Average Joe to vote for him or her.
[ link to this | view in thread ]
Re: not just D-Link
What's the answer? In our current political and social climate in the US, I don't believe there is one other than ISPs blocking connections they determine are causing problems for their network. The problem is because politicians and government bureaucrats aren't qualified to write sane, to the point, and appropriate rules for *any* profession or market let alone something as nuanced and difficult to deal with as electronic & computer security where even the merely competent are uncommon and experts capable of writing best practices and specifications are far more rare than diamonds.
[ link to this | view in thread ]
Re: Re: not just D-Link
[ link to this | view in thread ]
[ link to this | view in thread ]
Make companies fincially liable for damages
If I buy a router or webcam, I expect that it will not get hacked and participate in a botnet that causes damage to others.
The company making products with these defects should be financially liable for the damages their products cause. Yes, really. If you've ever looked at the hoops you have to jump through for PCI compliance for a web site to accept credit cards, you know that there is much more that can be done for security. No default credentials. No special manufacturer back doors. Everything locked down. No unnecessary open ports. Signed firmware. Require pressing a physical button on the device in order to perform any admin activity. (OMG! do you know how much an extra button would cost!)
If companies had liability for security problems, they would suddenly have an incentive to invest in security. Even work together. Maybe industry standard best practices. Maybe even a common secure base distribution that everyone builds upon. Imagine incentivizing the shareholders of companies to require working together on security rather than ignoring it as a corner that can be cut.
[ link to this | view in thread ]
Re:
The "won't burn your house down!" is not a feature. Not any more than "Secure". It is something that should be a base expectation for the product to even be saleable or fit for purpose.
[ link to this | view in thread ]
Re: Re: Alternatives
most of these are far more than routers, although that became the generic term for boxes with a varying set of functions all bundled together with the router aspect.
Maybe one needs two, maybe one doesn't. It depends.
[ link to this | view in thread ]
Pictures, Please
Karl, can you provide photos of this. Sounds awesome.
[ link to this | view in thread ]
That private key on the public server
[ link to this | view in thread ]
Re: Pictures, Please
[ link to this | view in thread ]
Re: Re: Re: Alternatives
[ link to this | view in thread ]
About Dlink Router
I read this article and I feel disappointed to know about Dlink router in above discussion.I am a D-link router Tech support Employee and I have been serving from last 5year to Dlink router's customer.In my point of View Dlink is a good router.
[ link to this | view in thread ]