Connected device manufacturer D-Link has agreed to boost the security of its routers and IP-connected video cameras as part of a settlement with the Federal Trade Commission.
The FTC sued Taiwan-based D-Link and its U.S. subsidiary in 2017, accusing the company of failing to take reasonable steps to secure its routers and IP cameras, despite claiming to offer advanced and/or easy network security. The lapses included hard-coded default login credentials — such as username “guest” and password “guest” — that could allow hackers to easily access cameras’ live feeds; leaving users’ login credentials for its mobile app “unsecured in clear, readable text on their mobile devices”; and mishandling of a key code to sign into D-Link software, among others.
“Manufacturers and sellers of connected devices should be aware that the FTC will hold them to account for failures that expose user data to risk of compromise,” said Andrew Smith, director of the FTC’s Bureau of Consumer Protection.
Hacked internet of things devices, such as IP cameras, have contributed to the rise of automated botnets such as Mirai and others, and have been the focus of federal cybersecurity efforts. A 2018 report from the Department of Commerce found that attacks fueled by massive numbers of co-opted internet of things devices have overwhelmed the usual tools for fighting distributed denial of service attacks.
“Traditional DDoS mitigation techniques, such as network providers building in excess capacity to absorb the effects of botnets, are designed to protect against botnets of an anticipated size. With new botnets that capitalize on the sheer number of ‘Internet of Things’ (IoT) devices, DDoS attacks have grown in size to more than one terabit per second, outstripping expectations,” the report said, specifically citing 2016’s Mirai botnet attack as a watershed moment for IoT-device-based attacks.
As part of the settlement with the FTC, D-Link has to implement a comprehensive software security program, including “specific steps to ensure that its Internet-connected cameras and routers are secure,” the FTC said. That includes implementing security planning, threat modeling, testing for vulnerabilities before releasing products, ongoing monitoring to address security flaws, and automatic firmware updates, as well as accepting vulnerability reports from security researchers, the agency added.
D-Link also has to undergo biennial, third-party assessments of its software security program for 10 years, keep all of the related documents, and provide them to the FTC on request. The FTC gets the final say on which third-party assessor D-Link chooses, and that third party has to “identify specific evidence for its findings—and not rely solely on the assertions of D-Link’s management,” the FTC noted.