D-Link sued by FTC over alleged inadequate router, camera security

Cybersecurity

D-Link has been sued by the Federal Trade Commission (FTC) over allegations that the prominent home networking vendor has been selling internet of things (IoT) devices such as routers and internet-connected security cameras with inadequate security against hackers.

FTC filed the suit as part of a broader effort to improve security of internet-connected devices, including routers, webcams, digital video recorders and other widely used consumer electronics devices.

In its complaint, the FTC says that D-Link failed to protect the devices from "widely known and reasonably foreseeable risks of unauthorized access.” The flaws included easily guessable login credentials, such as the use of “guest” for both username and password.

FTC’s suit follows a spike in large cyberattacks by hackers against some of the world’s most popular websites via the use of hundreds of thousands of poorly secured internet-connected devices.

RELATED: Year in Review: Cyber attacks on IoT devices, networks grow in intensity

D-Link refutes claims

D-Link Systems said it would “vigorously defend itself against the unwarranted and baseless charges made by Federal Trade Commission (FTC).”

The company has rejected FTC's allegations, pointing out that the FTC complaint does not allege any breach of a D-Link Systems device but rather speculates that consumers were “at risk” to hacking.

"The FTC complaint alleges certain security hacking concerns for consumer routers and IP cameras, and we firmly believe that charges alleged in the complaint against D-Link Systems are unwarranted," said William Brown, chief information security officer for D-Link Systems, in a release. "We will vigorously defend the security and integrity of our routers and IP cameras and are fully prepared to contest the complaint. Furthermore, we are continually working to address the overall security features of D-Link Systems' products for their intended applications and to regularly inform consumers of the appropriate steps to take to secure devices."

A growing problem

Security experts have previously warned that hackers are increasingly taking advantage of default configuration weaknesses in the operating systems of millions of IoT devices, which often ship with the same default username and password.

Allison Nixon, director of security research with cyber intelligence firm Flashpoint, told Reuters that the FTC's suit should be a wakeup call for IoT manufacturers to enhance security on their devices.

"I think vendors are going to take it seriously," she said. "The IoT world needs to shape up quickly because this is a big problem."

In October, internet provider Dyn suffered a distributed-denial-of-service (DDoS) cyberattack based on the Mirai botnet. Mirai malware is a DDoS Trojan that targets Linux systems and, in particular, internet of things (IoT) devices. The Trojan uses malware from phishing emails to infect computer or home networks initially and then spreads the virus to various devices to create a robot network.

At the time, devices such as DVRs and IP cameras played a big role because they can be hacked pretty easily. According to security experts, these devices’ hardware contains a root password that most users don't even know about.