FTC v. D-Link: A warning shot to the IoT industry

Earlier this month, the FTC filed a complaint against Taiwan-based computer networking manufacturer D-Link Corp. and its United States subsidiary, D-Link Systems, Inc.  In its complaint, the FTC alleges that D-Link failed to take adequate steps to secure its wireless routers and internet cameras from hackers, which the FTC says put D-Link's customers' privacy at risk.  The FTC has said that the complaint filed against D-Link "is part of the FTC's efforts to protect consumers' privacy and security in the Internet of Things (IoT), which includes cases the agency has brought against ASUS, a computer hardware manufacturer, and TRENDnet, a marketer of video cameras."

FTC Claims D-Link Falsely Touted Security and Privacy Practices

The FTC's complaint claims that, while D-Link touted the security of its routers on the company's website by promising "Advanced Network Security," in reality the company failed to take the necessary steps to address "well-known and easily preventable software security flaws."  These well-known and easily preventable flaws included:

  • "hard-coded" login credentials built into D-Link camera software, such as the username "guest" and the password "guest", that could allow unauthorized access to the cameras' live feed;
  • a software flaw known as "command injection" that could enable remote attackers to take control of consumers' routers by sending them unauthorized commands over the Internet;
  • the mishandling of the private key used to sign D-Link's software (its code-signing key), such that it was openly available on a public website for six months; and
  • storing users' login credentials for D-Link's mobile app in clear, readable text on their mobile devices, even though free software is available to protect that information.
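To make the second item concrete, the following is an added illustration of the "command injection" flaw class as it typically appears in a router's web management interface: a "diagnostics" page that runs ping against a host the user types in. This is constructed example code, not D-Link's firmware or anything from the FTC complaint; the handler names, the `PING` command, and the attacker payload are all assumptions made for the illustration. It shows the vulnerable shape (the request parameter pasted into a shell command string) next to the hardened shape (an allowlist check, then the value passed as a single argv element with no shell involved).

```python
"""Illustration of the "command injection" flaw class named in the FTC complaint.

Constructed example of a router web UI "diagnostics" handler that runs ping
against a user-supplied host. Not D-Link's code; the function names and the
sample inputs are made up for this illustration.
"""
import ipaddress
import re
import shlex
import subprocess

PING = ["ping", "-c", "3"]
_SEPARATORS = {";", "|", "||", "&", "&&"}
_LABEL = r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(\.{_LABEL})*\.?$")


def build_ping_command_vulnerable(host: str) -> str:
    """The vulnerable shape: the request parameter is pasted into a shell
    command string that would then be handed to something like
    subprocess.run(cmd, shell=True) or C's system(cmd)."""
    return " ".join(PING) + " " + host


def count_shell_commands(cmd: str) -> int:
    """Count the commands a POSIX shell would see in cmd by counting the
    ; | & separators. Command substitution via $( ) or backticks is a
    further vector that this simple count does not model; the allowlist
    below rejects it anyway."""
    lexer = shlex.shlex(cmd, punctuation_chars=True)
    return 1 + sum(1 for tok in lexer if tok in _SEPARATORS)


def is_safe_target(host: str) -> bool:
    """Allowlist: a literal IPv4/IPv6 address or an RFC 1123-style hostname.
    Anything else (shell metacharacters, whitespace, a leading '-' that ping
    would read as an option) is rejected."""
    if not host or len(host) > 253:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    return _HOSTNAME_RE.fullmatch(host) is not None


def build_ping_argv_hardened(host: str) -> list:
    """The hardened shape: validate against the allowlist, then pass the value
    as one argv element so no shell ever parses it."""
    if not is_safe_target(host):
        raise ValueError(f"rejected ping target: {host!r}")
    return PING + [host]


def run_diagnostic(host: str, binary: str = "ping") -> str:
    """Run the hardened command with shell=False. 'binary' lets the demo
    substitute a harmless program (see below) for a real ping."""
    argv = build_ping_argv_hardened(host)
    argv[0] = binary
    completed = subprocess.run(argv, capture_output=True, text=True, check=False)
    return completed.stdout


if __name__ == "__main__":
    payload = "8.8.8.8; cat /etc/passwd"  # constructed attacker input
    cmd = build_ping_command_vulnerable(payload)
    print("vulnerable command string:", cmd)
    print("commands the shell would run:", count_shell_commands(cmd))
    for target in ("8.8.8.8", "::1", "router.example", payload, "-f"):
        try:
            print("accepted:", build_ping_argv_hardened(target))
        except ValueError as err:
            print(err)
    # echo stands in for ping so the demo runs offline without raw sockets
    print(run_diagnostic("8.8.8.8", binary="echo").strip())
```

The point of the hardened path is that validation and argv passing work together: the allowlist rejects anything a shell would interpret, and `shell=False` means the value is never parsed by a shell even if the allowlist were later loosened. Rejecting a leading `-` also closes the related argument-injection hole, where a "host" such as `-f` would be read by ping as an option.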

FTC Says Hackers Could Easily Exploit Vulnerabilities in D-Link's Routers and Cameras

The FTC says that hackers could easily exploit the flaws identified above using several simple methods, leaving consumers' privacy at risk.  By way of example, the FTC said a hacker, using a compromised D-Link router, could obtain consumers' tax returns or other files stored on the router's attached storage device, could redirect a consumer to a fraudulent website, or could use the compromised router to attack other devices on the local network, including computers, smartphones, IP cameras, and even connected appliances.

The FTC also alleges that D-Link failed to adequately secure its cameras.  The FTC claims that hackers could use a compromised camera to monitor a consumer's activities and whereabouts.  By monitoring a consumer through a compromised D-Link camera, the FTC says, a hacker could plan a theft against the consumer, or watch and record the consumer's personal activities.

Security Means Security

The FTC's Director of the Bureau of Consumer Protection, Jessica Rich, explained, "Hackers are increasingly targeting consumer routers and IP cameras — and the consequences for consumers can include device compromise and exposure of their sensitive personal information," and that "[w]hen manufacturers tell consumers that their equipment is secure, it's critical that they take the necessary steps to make sure that's true."

D-Link Lashes Out at FTC

D-Link has responded to the FTC's suit, stating that it vehemently disagrees with the FTC's allegations and that the company firmly believes it has "more than reasonable" security processes and procedures in place to guard against any risks to consumers' privacy that may exist in any of its devices.  William Brown, Chief Information Security Officer for D-Link Systems, has said:

We will vigorously defend the security and integrity of our routers and IP cameras and are fully prepared to contest the complaint. Furthermore, we are continually working to address the overall security features of D-Link Systems’ products for their intended applications and to regularly inform consumers of the appropriate steps to take to secure devices.

D-Link Hires Cause of Action Institute to Defend It Against the FTC's Claims

Following announcement of the suit, D-Link posted a Q&A to its website to answer questions consumers might have regarding the FTC's complaint.  D-Link has also hired a Washington-based group, the Cause of Action Institute, to defend it against the FTC's claims.  In a press release, Cause of Action Institute Vice President Patrick Massari said:

It sets a dangerous precedent for the federal government to go after a good company and put American jobs at risk without a single instance of actual or likely consumer harm.  This lawsuit is another instance of the FTC’s unchecked regulatory overreach. If the FTC can bring a lawsuit on the mere potential of a data security breach, nearly every company will be subject to unconstrained and unexplored data security liability.  Such limitless liability coupled with FTC’s history of unrelentingly litigious oversight will no doubt have a chilling effect on innovation in the Internet of Things. Privacy advocates and consumers at large should applaud our client’s courage for fighting these incendiary claims and refusing to be held hostage by the FTC for the next 20 years.

Is the FTC’s Complaint Against D-Link All Bark and No Bite?

While the FTC's case against D-Link is just beginning, the central issue it presents, that the FTC has not claimed any consumer was actually harmed by D-Link's alleged practices, has come up in other recent FTC cases.  For example, in 2014 the FTC announced a settlement with social media giant Snapchat, whereby Snapchat was prohibited "from misrepresenting the extent to which it maintains the privacy, security, or confidentiality of users' information."  In addition, the settlement required Snapchat "to implement a comprehensive privacy program that will be monitored by an independent privacy professional for the next 20 years."  Notably missing from the FTC's settlement with Snapchat, however, was any kind of monetary fine.  That is the usual outcome in such cases: the FTC did not allege that any consumer was actually harmed by Snapchat's business practices, and in any event the FTC cannot obtain civil penalties for a first-time violation of Section 5 of the FTC Act, only for violating an existing order or rule, which is why these settlements take the form of long-running consent orders rather than fines.

Essentially, in both the FTC's case against Snapchat and now its case against D-Link, the FTC is doing little more than alleging that the companies misrepresented their privacy and security practices, not that any actual consumers were harmed as a result.  This raises the question: should the FTC be allowed to bring suits against companies for allegedly lying about their data security and privacy practices without alleging any direct consumer harm?

FTC and NIST Issue Guidance on IoT

To learn more about the FTC's stance on the Internet of Things, you can visit the FTC's website, which offers guidelines to companies regarding data security and privacy practices.  You can also visit the National Institute of Standards and Technology's website to read NIST's draft of its proposed guidelines.