
FTC: D-Link Failed To Secure Routers, IP Cameras

The Federal Trade Commission (FTC) filed a complaint against D-Link saying the company failed to secure its routers and internet-connected cameras.

If the FTC's complaint is accurate, this is the latest example of companies putting their customers and the rest of the internet at risk via faulty security. Hacking a router or IP camera doesn't just make it easy to compromise someone's personal information or snoop on them--it also provides the platform needed to conduct large-scale attacks on critical infrastructure. One company's failing can lead to problems for countless individuals and organizations.

Yet many companies are either uninterested in security or unable to keep pace with malicious actors. On the router side, Netgear recently introduced a bug bounty program after one researcher's disclosure of critical flaws in the company's routers went unnoticed for roughly four months. IP cameras have also had issues: Bitdefender found many problems with an unidentified company's products, and multiple backdoors were discovered in Sony's devices.

The FTC discovered many issues with D-Link's products. The commission said that basic credentials, such as "guest" as both a username and password, were hard-coded into the devices; that a private key code used to log in to D-Link's software was available on a public website for six months; that the routers were vulnerable to command injection attacks; and that login credentials for the company's mobile app were stored in plain text on the device.

Here's how these failings could have been exploited, according to the FTC:

According to the complaint, hackers could exploit these vulnerabilities using any of several simple methods. For example, using a compromised router, an attacker could obtain consumers’ tax returns or other files stored on the router’s attached storage device. They could redirect a consumer to a fraudulent website, or use the router to attack other devices on the local network, such as computers, smartphones, IP cameras, or connected appliances. [...] The FTC alleges that by using a compromised camera, an attacker could monitor a consumer’s whereabouts in order to target them for theft or other crimes, or watch and record their personal activities and conversations.

Insecure products can also lead to problems outside the home. Internet of Things (IoT) products were implicated in an attack that brought down popular websites like Twitter, Spotify, and many others in November, and the Institute for Critical Infrastructure Technology warned in December that these gizmos could threaten entire nations. Hopefully the FTC joining the chorus of calls for improved security will help make these attacks less likely in the future.

  • memadmax
    And this is why DLink is the very bottom of the barrel...

    If I had a bricked router and only a DLink was available to replace it,

    I would stick with the bricked router...
  • wiyosaya
    Maybe, just maybe manufacturers of devices like this and IoT products will start taking security seriously. At least until then, IoT or other devices like this are a no go for me.
  • Why is the FTC involved?
  • ko888
    19116468 said:
    Why is the FTC involved?

    Because the FTC's mandate is to protect the consumer by preventing fraud, deception, and unfair business practices in the marketplace. Hard coded backdoors facilitate fraud and deception.
  • alextheblue
    19116162 said:
    And this is why DLink is the very bottom of the barrel...

    If I had a bricked router and only a DLink was available to replace it,

    I would stick with the bricked router...
    That's a shame. D-Link used to be quite good. I had a DGL-4300 gaming router back in the day that handled gobs of traffic and tons of simultaneous connections better than any router in its price class. You could have roommates torrenting and streaming like there was no tomorrow, and still enjoy reliable, low-latency gaming. Security was also decent, and they were good about updates. Unfortunately, that was a long time ago and they have slipped in a number of regards.

    Anyway, as far as security lapses go, D-Link is far from the only one. With routers there's only a handful of decent firms, the rest are questionable at best. The situation with IP cameras is even worse. Probably 90% of affordable home cameras have more holes than swiss cheese. So I'm not sure why the FTC has such a hard-on for D-Link, but not others. Maybe they want to make an example out of a high-profile firm first?
  • humorific
    D-Link is short for Delinquent.
  • cbsecurity
    This could be a good thing on one hand. If FTC and other government orgs are going to take a more involved approach to InfoSec like this, then by all means. But it gets dicey when you mix business with standardization. D-Link is hardly a big player in that sense, but money and government are a difficult mix and once the regulatory bodies start scratching at the real industry players, especially those that are big political donors, will we see equal treatment? I hope so, because I actually applaud this FTC case against D-Link. Just hoping we see more of this down the road, as reinforcement of what InfoSec is all about and that the threats are real.
  • Kewlx25
    19116468 said:
    Why is the FTC involved?

    False advertisement. DLink claims to use Advanced security and other objectively false advertising.
  • razor512
    Now they need to go after the companies that release IOT devices where they prevent all local access, and then as soon as a new model is released, the old cloud reliant devices stop getting updates for security issues.

    The whole making a product completely cloud reliant, is done for business purposes, and not technical ones. This is largely to have additional bargaining power over the consumer. For example, suppose you like amazon video, and they change the rates, or screw up the service, you can easily switch to netflix at no switching cost (just replace an app or use a different website and you are good to go). On the other hand, you spend a few hundred dollars on some cloud reliant IOT cameras, and they decide that your monthly service fee to access and record content from your camera, is going up by $10, then you can't easily switch, you are instead stuck deciding between accepting a price increase, or effectively bricking hundreds of dollars of equipment.

    They should not be allowed to maintain such an anti-consumer business model, while also being able to not take responsibility for the problems it causes.

    If they are going to take the service life control out of the hands of the consumer, then they should be held accountable for the security. That means with the average security camera offering a 20 year service life, they should have to maintain the products for at least 20 years.
  • sam1275tom
    Consumer routers suck; if you want security, an enterprise level device is essential.