FTC: D-Link IoT devices put thousands of customers at risk
D-Link calls Federal Trade Commission's claims "vague and unsubstantiated"
The US Federal Trade Commission has accused D-Link of putting thousands of customers at risk by failing to provide adequate security measures in its IoT devices.
Charges filed yesterday say the Taiwanese company failed to take steps to prevent intruders from hacking IoT devices with a view to stealing customer network data or adding devices to a larger 'botnet'.
D-Link called the allegations "vague and unsubstantiated".
The filing, made to the US District Court for the Northern District of California, represents a wider FTC campaign to improve the security of connected devices around the home, including webcams, routers, security cameras and other smart home technology.
The complaint states D-Link has "failed to take reasonable steps to protect their routers and IP cameras from widely known and reasonably foreseeable risks of unauthorised access", and has failed to protect customers against flaws considered "among the most critical and widespread web application vulnerabilities since at least 2007".
D-Link is accused of repeatedly failing to guard against "easily preventable software flaws", including the use of default user credentials, command injection flaws, and backdoors, which would allow the remote hacking of devices.
Specified in the complaint are D-Link's Wireless N 300 Router, N Dual Band Router, and the N Network Camera.
The company's allegedly inadequate approach to security has meant D-Link devices have put thousands of customers at risk of unauthorised access, and of being made part of a larger IoT botnet, according to the complaint.
"The FTC has made vague and unsubstantiated allegations relating to routers and IP cameras," a D-Link spokesperson responded in a statement. "D-Link Systems will vigorously defend itself against the unwarranted and baseless charges made by the FTC."
"The complaint does not allege any breach of a D-Link Systems device. Instead, the FTC speculates that consumers were placed 'at risk' to be hacked, but fails to allege that actual consumers suffered or are likely to suffer actual substantial injuries," the statement adds.
A D-Link Wi-Fi camera flaw discovered in July 2016 was found to have potentially exposed 400,000 devices to remote hacking, allowing intruders to change default credentials and potentially spy on users in their home. A firmware update to the DCS-930L Cloud Camera allowed hackers to use a single line of code to gain unauthorised access. D-Link is yet to respond to IT Pro's request for comment on the issue.
The hacking of IoT devices has led to the creation of botnets on a massive scale, resulting in a series of attacks by the so-called 'Mirai botnet' in 2016. Since its discovery, the army of enthralled IoT devices has launched some of the largest DDoS attacks in history, including the massive cyber attack against Dyn servers in October, which knocked sites such as Twitter, Netflix and Reddit offline.
The FTC brought similar charges against Asus last February, after a flaw was discovered in 2014 that allowed almost 13,000 routers to be remotely hacked, forcing the company into a program of independent security reviews for the next 20 years.
The complaint outlines six counts of breaking FTC policy, including misrepresentation of promotional security material and unfairness in handling customer safety. The FTC has asked the court to force D-Link to review its security practices and reimburse any legal fees.
Dale Walker is a contributor specializing in cybersecurity, data protection, and IT regulations. He was the former managing editor at ITPro, as well as its sibling sites CloudPro and ChannelPro. He spent a number of years reporting for ITPro from numerous domestic and international events, including IBM, Red Hat, Google, and has been a regular reporter for Microsoft's various yearly showcases, including Ignite.