D-Link Agrees to Make Security Enhancements to Settle FTC Litigation

[David H. Lipman]

D-Link Agrees to Make Security Enhancements to Settle FTC Litigation

Quote

Smart home products manufacturer D-Link Systems, Inc., has agreed to implement a comprehensive software security program in order to settle Federal Trade Commission allegations over misrepresentations that the company took reasonable steps to secure its wireless routers and Internet-connected cameras.

The settlement ends FTC litigation against D-Link stemming from a 2017 complaint in which the agency alleged that, despite claims touting device security, vulnerabilities in the company’s routers and Internet-connected cameras left sensitive consumer information, including live video and audio feeds, exposed to third parties and vulnerable to hackers.

“We sued D-Link over the security of its routers and IP cameras, and these security flaws risked exposing users’ most sensitive personal information to prying eyes,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “Manufacturers and sellers of connected devices should be aware that the FTC will hold them to account for failures that expose user data to risk of compromise.”

Despite promoting the security of its products by claiming it offered “advanced network security,” D-Link failed to perform basic secure software development, including testing and remediation to address well-known and preventable security flaws, according to the FTC’s complaint. These flaws included using hard-coded login credentials on its D-Link camera software with the easily guessed username and password, “guest,” and storing mobile app login credentials in clear, readable text on a user’s mobile device.

As part of the proposed settlement, D-Link is required to implement a comprehensive software security program, including specific steps to ensure that its Internet-connected cameras and routers are secure. This includes implementing security planning, threat modeling, testing for vulnerabilities before releasing products, ongoing monitoring to address security flaws, and automatic firmware updates, as well as accepting vulnerability reports from security researchers.

In addition, D-Link is required for 10 years to obtain biennial, independent, third-party assessments of its software security program. The assessor must keep all documents it relies on for its assessment for five years and provide them to the Commission upon request. The settlement also requires the assessor to identify specific evidence for its findings—and not rely solely on the assertions of D-Link’s management. Finally, the order gives the FTC authority to approve the third-party assessor D-Link chooses.

 

[Firefox]

Thanks for posting this @David H. Lipman currently don't use any D-Link equipment, nor do I know anyone that does.

[AdvancedSetup]

I've used it off and on before but not currently using