D-Link agrees to Security Assessment to Settle FTC lawsuit
D-Link has agreed to make some security enhancements that have reorganized the company’s security platform to resolve disputes from the Federal Trade Commission (FTC) because it has misinterpreted the security of its product.
The case stems from complaints from corporate routers and IoT cameras against D-Link in 2017 that disclosed confidential consumer information to third parties, including live video and audio, despite claims of D-Link to be secured, as per their press release of July 2nd. According to the complaint filed by the FTC, the company has not developed secure core software, including tests and solutions to address known and preventable security vulnerabilities, while claiming it offers “sophisticated network security“.
Some of these vulnerabilities include the use of encrypted credentials with easy-to-guess usernames and passwords, “guest”, and storage of credentials for mobile applications in clear, readable text on a mobile device of the user.
Andrew Smith, director of the FTC’s Bureau of Consumer Protection said in the release “We sued D-Link over the security of its routers and IP cameras, and these security flaws risked exposing users’ most sensitive personal information to prying eyes. Manufacturers and sellers of connected devices should be aware that the FTC will hold them to account for failures that expose user data to the risk of compromise.”
D-Link agrees to implement a comprehensive software security program that includes specific steps to ensure the security of the device and to ensure that it is independently evaluated by a third party for a specified period of time.
D-Link products have been called for a variety of other security vulnerabilities, including vulnerabilities of D-Link camera, detailed vulnerabilities of D-Link routers, and multiple campaigns exploiting these bugs.
It’s also not the first time D-Link has been in trouble with the FTC, even though the company did well, the last time a California district court judge dismissed three complaints from the FTC against D-Link.
Bob Noel, vice president of the Strategic Partnership for Plixer, said “there also needs to be an accompanying set of security standard is defined, so that companies have a benchmark to know what is considered good enough. This is going to set the stage for IoT manufacturers to prioritize efforts for embedding security into the product development process – especially for the consumer market,” Noel said. “Since there has been a lack of self-regulation by the industry, it is not surprising that the FTC has stepped in to establish a precedent in the area of securing consumers’ privacy.”