Feds file complaint against D-Link for inadequate security

FTC: Company left wireless routers, internet cameras vulnerable to hackers

The Federal Trade Commission filed a complaint Thursday against Taiwan-based computer networking equipment manufacturer D-Link Corp. and its U.S. subsidiary, alleging that inadequate security measures taken by the company left its wireless routers and internet cameras vulnerable to hackers and put U.S. consumers’ privacy at risk.

The FTC said in the complaint that D-Link failed to take reasonable steps to secure its routers and internet protocol cameras, potentially compromising sensitive consumer information, including live video and audio feeds from D-Link IP cameras.

The complaint is part of the FTC’s efforts to protect consumers’ privacy and security in the internet of things, which includes cases that the agency has brought against ASUS, a computer hardware manufacturer, and TRENDnet, a marketer of video cameras.

“Hackers are increasingly targeting consumer routers and IP cameras, and the consequences for consumers can include device compromise and exposure of their sensitive personal information,” director of the FTC’s Bureau of Consumer Protection Jessica Rich said. “When manufacturers tell consumers that their equipment is secure, it’s critical that they take the necessary steps to make sure that’s true.”          

According to the FTC’s complaint, D-Link promoted the security of its routers on the company’s website, which included materials headlined “easy to secure” and “advanced network security.” But despite the claims made by D-Link, the FTC said, the company failed to take steps to address well-known and easily preventable security flaws, including:

  • “Hard-coded” login credentials integrated into D-Link camera software, such as the username “guest” and the password “guest,” that could allow unauthorized access to the cameras’ live feed
  • A software flaw known as “command injection” that could allow remote attackers to take control of consumers’ routers by sending them unauthorized commands over the internet
  • The mishandling of a private key code used to sign into D-Link software, which made it openly available on a public website for six months
  • Leaving users’ login credentials for D-Link’s mobile app unsecured in clear, readable text on their mobile devices, even though there is free software available to secure the information

According to the complaint, hackers could exploit those vulnerabilities using simple methods.

For example, using a compromised router, a hacker could get consumers’ tax returns or other files stored on the router’s attached storage device. The hacker could redirect a consumer to a fraudulent website or use the router to attack other devices on the local network, such as computers, smartphones, IP cameras or connected appliances.

The FTC said that by using a compromised camera, a hacker could monitor a consumer’s whereabouts and target them for theft or other crimes, or watch and record their personal activities and conversations.

The FTC provided guidance to companies on how to preserve privacy and security in their products while still innovating and growing technology.

How to protect home security

There are several easy steps that people can take at home to prevent themselves from being hacked, security experts said.

Sean Mulholland, president of Mulholland Investigation and Computer Forensics, explained that there are many things people use every day that could be at risk if they're not secured.

Mulholland said logging on to the computer, getting on the internet, and using a wireless camera are all ways that hackers can easily take advantage of people and create the potential for other crimes.

"Security is time-consuming. And that's the thing. Security is inconvenient," Mulholland said. "People need to take precautions. And people are concerned that it's very sophisticated and difficult to do. It’s not."

Mulholland said people need to go into the settings of their wireless devices, even if they come with a password, and change them to something more difficult to figure out.

"If your garage door is open, someone is going to steal your bicycle. It's the same thing. If you don't have a password on your modem or on your cameras, the chances of someone riding by with what they call a sniffer, it picks up those signals. And it's easy to do," he said.

Mulholland said many people think that having a password on your wireless modem is enough, but it isn’t. He said each device should have a separate, different password, especially if you have wireless IP cameras that can show different rooms inside your house.

"It's like people posting on Facebook that they're going on vacation. Then they can look at your camera and see you're not there," Mulholland said.

It’s also recommended to update the software on devices, as they are offered as having the most up-to-date security that is available.