D-Link Settles With FTC Over Alleged IoT Security Failures
Proposed Settlement Requires D-Link to Bolster Security Program
D-Link has reached a proposed settlement with the U.S. Federal Trade Commission, which alleged the IoT device developer left consumers vulnerable to hackers through inadequate security practices.
The proposed settlement, which was announced Tuesday, must gain final approval by a federal judge in the U.S. District Court for the Northern District of California. D-Link is one of the largest developers of routers, IP cameras and other internet-connected devices.
The terms of the settlement may serve as a warning to IoT makers. Experts say the industry has been plagued by years of insecure software development that has led to widespread botnets, hacking and cybercrime.
"Manufacturers and sellers of connected devices should be aware that the FTC will hold them to account for failures that expose user data to risk of compromise," says Andrew Smith, director of the FTC's Bureau of Consumer Protection.
The proposed settlement, which does not impose a fine on D-Link, requires the company to develop a comprehensive software security program and obtain third-party assessments of that program by an organization pre-approved by the FTC. Also, that third-party assessor should not base any of its findings on representations made by D-Link's management.
Those business conduct changes are "noticeably more aggressive" than what the FTC usually demands, says Mark Paulding, a partner with Washington-based InfoLawGroup. "These aggressive demands may also reflect, in part, the acrimonious nature of the lawsuit," Paulding says.
Craig Spiezle, managing partner of the AgeLight Digital Trust Advisory & Research Group, which specializes in IoT, says that while D-Link may not have been fined, the "cost and burden" of third-party assessments "is not trivial."
The Cause of Action Institute, a Washington-based group that challenges government regulation, defended D-Link in the complaint. In a statement, D-Link says it is "pleased to reach an amicable resolution with the FTC."
"Notably, this order does not find D-Link Systems liable for any alleged violations," D-Link says. "We chose to defend against this litigation based on our strong belief in the quality and security of our products and practices."
'Easily Preventable' Flaws
The FTC complaint was lodged in January 2017 against D-Link Corp. of Taiwan and its U.S. subsidiary, D-Link Systems, which is based in California (see: FTC vs. D-Link: A Warning to the IoT Industry).
The FTC alleged that D-Link "failed to take reasonable software testing and remediation measures to protect their routers and IP cameras against well-known and easily preventable software security flaws, such as 'hard-coded' user credentials and other backdoors, and command injection flaws."
The complaint also focused on D-Link's marketing practices that the agency alleged violate the FTC Act, which addresses deceptive acts and unfair competition. The agency alleged that D-Link marketed its products as secure when many of its devices contained software vulnerabilities that put consumers at risk.
The Cause of Action Institute noted in its statement that the settlement does not include a "finding of deceptive marketing statements or practices by D-Link Systems."
D-Link left default usernames and passwords on devices and stored login credentials insecurely, the FTC alleged. Also, the FTC contended D-Link left a private code-signing key on a public website for more than six months. That poses a risk that someone could sign malicious software with D-Link's key and the malware would appear legitimate.
The FTC's original filing contained six counts, but a federal judge later dismissed three counts (see: Part of FTC Complaint Against D-Link Dismissed).
U.S. District Judge James Donato dismissed one of the counts by noting the FTC didn't demonstrate that any consumer's personal or financial data had been compromised as a result of security failings in D-Link's devices. Another two counts were dismissed for not meeting civil procedure rules.
The proposed settlement outlines a series of steps that D-Link must follow to avoid further action. Those steps include maintaining a "comprehensive software security program" for 20 years. D-Link must designate qualified employees to oversee that program.
It also must adjust how it develops its products from a security perspective. That includes threat modelling, using automatic static analysis tools for pre-release code reviews and conducting vulnerability testing before a product is released.
D-Link must maintain "a database of shared code to be used to help find other instances of a vulnerability when a vulnerability is reported," the FTC ruled.
Also, D-Link must have a designated point of contact for security researchers to report issues. Bug hunters often complain of difficulty in contacting companies and that their vulnerability reports elicit no response.
Another widespread problem with IoT devices is that manufacturers eventually stop issuing security updates. Consumers are often unaware when their router, for example, is considered to be at the end of its life.
The FTC will require D-Link to provide "clear and conspicuous notice" to consumers who have registered a device that it will no longer receive firmware updates. If the proposed settlement is approved, D-Link must contact consumers who have registered their products and provide instructions for how to update their devices with the latest firmware.