D-Link didn’t “take reasonable software testing and remediation measures” to protect users of its routers and IP-enabled cameras, failed to protect the private keys that sign the software on those devices, and put thousands of consumers at risk of attack, according to a new complaint brought against the technology vendor by the Federal Trade Commission.
In the complaint, filed Thursday, the FTC alleges that D-Link advertised its routers and cameras as being safe and secure, but did not take basic security precautions. The company included hard-coded credentials in some of its IP cameras’ software, didn’t address known vulnerabilities in its routers, and left the login credentials for the D-Link mobile app in plaintext on users’ mobile devices, the FTC complaint says. And, the private key used to sign software for some of D-Link’s devices was left exposed on a public website for several months, according to the complaint.
“Hackers are increasingly targeting consumer routers and IP cameras — and the consequences for consumers can include device compromise and exposure of their sensitive personal information,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection. “When manufacturers tell consumers that their equipment is secure, it’s critical that they take the necessary steps to make sure that’s true.”
In its complaint, the FTC is asking for a permanent injunction that would bar D-Link from making misleading statements or representations about the security of its products; the counts are deception and unfairness under Section 5 of the FTC Act. The commission says that the lack of attention to security in the routers and IP cameras left D-Link customers open to a number of attacks.
“The risk that attackers would exploit these vulnerabilities to harm consumers was significant. In many instances, remote attackers could take simple steps, using widely available tools, to locate and exploit Defendants’ devices, which were widely known to be vulnerable. For example, remote attackers could search for vulnerable devices over the Internet and obtain their IP addresses using readily available tools, such as a popular search engine that can locate devices running particular software versions or operating in particular locations,” the complaint says.
“Alternatively, attackers could use readily accessible scanning tools to identify vulnerable devices operating in particular areas or on particular networks. In many instances, an attacker could then take simple steps to exploit vulnerabilities in Defendants’ routers and IP cameras, impacting not only consumers who purchased these devices, but also other consumers, who access the Internet in public or private locations served by the routers or who visit locations under the IP cameras’ surveillance.”
Home routers are frequent prey for attackers, because many popular models have known vulnerabilities and consumers rarely update the firmware on their routers, if a patch is even available. Compromising a home router gives an attacker considerable power: a foothold on the victim’s home network, the ability to redirect traffic to malicious sites (for example by changing the DNS settings the router hands out), and a path to data on connected devices. IP-enabled cameras are an equally attractive target; attackers have lately been compromising them in very large numbers and adding them to botnets such as Mirai, which spread by logging in to cameras and DVRs over telnet with factory-default or hard-coded credentials, precisely the kind of weakness the FTC’s hard-coded credentials allegation describes.
Exploiting vulnerabilities in IP cameras also could allow an attacker to “compromise a consumer’s IP camera, thereby monitoring consumers’ whereabouts to target them for theft or other criminal activity or to observe and record over the Internet their personal activities and conversations or those of their young children,” the FTC complaint says.
D-Link said in a statement that it rejects the FTC’s charges and that the complaint is unwarranted.
“The FTC complaint alleges certain security hacking concerns for consumer routers and IP cameras, and we firmly believe that charges alleged in the complaint against D-Link Systems are unwarranted,” said William Brown, chief information security officer, D-Link Systems. “We will vigorously defend the security and integrity of our routers and IP cameras and are fully prepared to contest the complaint. Furthermore, we are continually working to address the overall security features of D-Link Systems’ products for their intended applications and to regularly inform consumers of the appropriate steps to take to secure devices.”
This story was updated on Jan. 6 to add the statement from D-Link.
Image: Eli Pousson, CC BY-SA license.