FTC sues D-Link for failure to secure webcams, routers from online attacks

Posted in General Discussion, edited January 2017
D-Link is under fire from the Federal Trade Commission for not doing enough to secure its products, including connected home devices -- a threat Apple has countered via secure authentication chips in HomeKit-certified hardware.

In a new lawsuit, the FTC alleges D-Link "failed to take reasonable steps" to prevent hackers from accessing routers and IP cameras, putting "thousands of consumers" in an insecure position.

The FTC claims that the networking appliance producer didn't do enough to protect its devices from "widely known and reasonably foreseeable risks of unauthorized access." The list of risks cited by the commission notes "flaws which the Open Web Application Security Project has ranked among the most critical and widespread web application vulnerabilities since at least 2007."

The lawsuit comes after a major distributed denial of service (DDoS) attack in October last year affected a number of prominent websites and services, driven by a botnet that took advantage of insecure IoT devices. Hardware that still used unchanged default administration credentials was targeted, with malware installed to allow it to be remotely controlled and used for the attack.
The FTC's lawsuit against D-Link comes after a 2016 botnet attack used inexpensive Internet of Things devices to take down huge swaths of the internet. Apple's HomeKit was not susceptible thanks to its end-to-end encryption.
That attack helped to highlight the benefits of Apple's HomeKit framework for connected devices. HomeKit uses a combination of end-to-end encryption, MFi authorization, and other techniques to keep communication between networked devices secure, making it extremely difficult for devices to be attacked via the framework itself.

The FTC, in its complaint, asserts that D-Link included "well-known and easily preventable software security flaws," and had repeatedly failed to test and repair its software to prevent them from being abused. The alleged issues include software that uses "hard-coded" user credentials, is vulnerable to command injection flaws, and other backdoors.
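The command-injection flaw class named above is easiest to see in the kind of "ping a host" diagnostic page most consumer routers ship with. The following is an added illustration written for this article, not D-Link firmware and not material from the FTC complaint: a vulnerable handler that pastes the request parameter into a shell command line, beside a hardened one that allow-list-validates the target and invokes ping with an argv list so no shell ever parses user input. Function names, the regex and the sample inputs are all my own constructions.

```python
"""Router 'ping diagnostic' handler: the command-injection pattern the FTC
complaint describes, beside a hardened version. Constructed example; it is
not D-Link firmware code and no part of it comes from the complaint."""
import ipaddress
import re
import subprocess
from typing import Callable, List

# RFC 1123 hostname: labels of letters, digits and hyphens, not starting or
# ending with a hyphen, separated by dots. Shell metacharacters cannot match.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?$")


def unsafe_ping_command(host: str) -> str:
    """Vulnerable: the request parameter is pasted into a shell command line.
    Anything the user appends after a ';' or '|' runs with the web server's
    privileges, which on embedded devices is usually root."""
    return f"ping -c 1 {host}"


def validate_target(host: str) -> str:
    """Allow-list validation: accept an IPv4/IPv6 literal or a DNS hostname
    and reject everything else, including whitespace and metacharacters."""
    candidate = host.strip()
    if not candidate or len(candidate) > 253:
        raise ValueError("empty or overlong target")
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        pass
    if HOSTNAME_RE.fullmatch(candidate):
        return candidate
    raise ValueError(f"target is not a hostname or IP address: {candidate!r}")


def safe_ping_argv(host: str) -> List[str]:
    """Hardened: validate first, then build an argv list so no shell parses it."""
    return ["ping", "-c", "1", validate_target(host)]


def run_ping(host: str, runner: Callable = subprocess.run) -> str:
    """Run the diagnostic without a shell. `runner` is injectable so the
    handler can be exercised offline; the default really executes ping."""
    argv = safe_ping_argv(host)
    result = runner(argv, capture_output=True, text=True, timeout=10)
    return result.stdout


# Constructed inputs: one legitimate target, one carrying an injected command.
LEGIT = "8.8.8.8"
INJECTED = "8.8.8.8; reboot"

if __name__ == "__main__":
    print("unsafe command line:", unsafe_ping_command(INJECTED))
    print("hardened argv:", safe_ping_argv(LEGIT))
    try:
        safe_ping_argv(INJECTED)
    except ValueError as exc:
        print("hardened handler rejected input:", exc)
```

The two defences are independent and both matter: the allow-list stops hostile strings at the boundary, and the argv form means that even a validation gap cannot reach a shell interpreter. Neither costs anything at runtime, which is the point the complaint's "easily preventable" wording makes.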

The complaint also notes that D-Link failed to keep the private key used to sign its software secure, with the mishandling leading to the "exposure of the private key on a public website for approximately six months."

The security lapses also extended to mobile apps offered by D-Link to access and manage IP cameras and routers from a smartphone or tablet. The FTC claims D-Link "failed to use free software, available since at least 2008" to protect a user's login credentials for the app, instead storing the details on the mobile device in easily readable plaintext.

In a statement, D-Link chief information security officer William Brown told The Verge the company "denies the allegations outlined in the complaint," and intends to defend itself.

The issues raised by the FTC in the complaint highlight the challenges manufacturers face in the "Internet of Things" market, and the importance of maintaining the security of such connected devices.

Last week, D-Link announced it would start adopting HomeKit for its IP-based security camera range, with the Omna 180 Cam HD the first with compatibility.

Comments

  • Reply 1 of 18
    jbdragon Posts: 2,192 member
    Maybe these companies will see that the slightly higher costs to support HomeKit and its far better security are more than worth it.  Going cheap is not always worth it.

  • Reply 2 of 18
    rob53 Posts: 2,105 member
    jbdragon said:
    Maybe these companies will see that the slightly higher costs to support HomeKit and its far better security are more than worth it.  Going cheap is not always worth it.

    I think you're giving the cutthroat business of manufacturing too much credit. The Walmart attitude prevails where the cheapest is what "everyone" demands and the only way to make any profit is to cut as many corners as possible. Of course the flip side is how people view Apple as only building and selling gold-plated products, charging way too much and much more than anyone else. As people who love Apple products know, Apple strives for the best quality, most secure product they can design because they know there are people who will pay a bit more for these products because they know they will last longer and not be as easy to hack. All it takes is a government official with large enough round things (same saying goes for women) to take a stand and force companies to do the right thing not only for America but for the world even if it costs more to manufacture. We'll see if there are any of those officials still around in the next month.....
  • Reply 3 of 18
    lkrupp Posts: 7,475 member
    So why isn’t Apple shouting about this advantage from the rooftops? 
  • Reply 4 of 18
    avon b7 Posts: 4,305 member
    This is good news. Hopefully, legislation will be brought forward to further increase the level of protection offered in home connected devices.

    I've long argued for Apple and others to clearly state how long Macs will receive stand alone security updates. 

    A couple of years ago I was speaking to a security manager at a critical infrastructure data centre who was complaining about a security problem in some Dell equipment. The solution offered by the company wasn't to fix the problem itself but to upgrade the software universally so instead of fixing the problem on one component he would have to upgrade more than 50 and pay.

    He escalated the issue and Dell had to send someone to find a solution for the problem component. 

    This is the kind of situation legislation should cater to for consumers.


  • Reply 5 of 18
    Rayz2016 Posts: 4,788 member
    lkrupp said:
    So why isn’t Apple shouting about this advantage from the rooftops? 
    I imagine they are. But you won't hear it because they're shouting at manufacturers. 
    edited January 2017
  • Reply 6 of 18
    welshdog Posts: 1,695 member
    The NSA needs to create and deploy a bot/virus whatever to find the vulnerable cameras (all brands) and permanently scramble their firmware rendering them useless.  These cameras and other devices are a threat to world security, any "harm" done to camera owners is trivial.  The bot could also kill cameras outside US which would be needed to stop the DDoS attacks.

    Along with this move all cameras sold in US at least would have to meet some minimal security standard to be sold here.  We could push other govs and companies to do the same.
  • Reply 7 of 18
    rob53 Posts: 2,105 member
    welshdog said:
    The NSA needs to create and deploy a bot/virus whatever to find the vulnerable cameras (all brands) and permanently scramble their firmware rendering them useless.  These cameras and other devices are a threat to world security, any "harm" done to camera owners is trivial.  The bot could also kill cameras outside US which would be needed to stop the DDoS attacks.

    Along with this move all cameras sold in US at least would have to meet some minimal security standard to be sold here.  We could push other govs and companies to do the same.
    Why would they disable cameras they could use for themselves? You know the NSA is the National Security Spy Administration. It wouldn't surprise me if they made a deal with D-Link to include the reduced security as a "feature" so it would be easier for them and the FBI to monitor everything they could. At this point, I can't trust our government's three-letter organizations to speak the truth about anything. The fact the FTC is responding to this means at least one organization is trying to support the consumers.
  • Reply 8 of 18
    gatorguy Posts: 21,305 member
    rob53 said:
    welshdog said:
    The NSA needs to create and deploy a bot/virus whatever to find the vulnerable cameras (all brands) and permanently scramble their firmware rendering them useless.  These cameras and other devices are a threat to world security, any "harm" done to camera owners is trivial.  The bot could also kill cameras outside US which would be needed to stop the DDoS attacks.

    Along with this move all cameras sold in US at least would have to meet some minimal security standard to be sold here.  We could push other govs and companies to do the same.
    Why would they disable cameras they could use for themselves? You know the NSA is the National Security Spy Administration. It wouldn't surprise me if they made a deal with D-Link to include the reduced security as a "feature" so it would be easier for them and the FBI to monitor everything they could. At this point, I can't trust our government's three-letter organizations to speak the truth about anything. The fact the FTC is responding to this means at least one organization is trying to support the consumers.
    Do you think the NSA or FBI should not be aware of chatter concerning possible harm being planned to people who live in your city and neighborhood? Very honest question. 
    edited January 2017
  • Reply 9 of 18
    StrangeDays Posts: 8,819 member
    avon b7 said:

    I've long argued for Apple and others to clearly state how long Macs will receive stand alone security updates. 
    https://support.apple.com/en-us/HT201624
  • Reply 10 of 18
    StrangeDays Posts: 8,819 member

    gatorguy said:
    rob53 said:
    welshdog said:
    The NSA needs to create and deploy a bot/virus whatever to find the vulnerable cameras (all brands) and permanently scramble their firmware rendering them useless.  These cameras and other devices are a threat to world security, any "harm" done to camera owners is trivial.  The bot could also kill cameras outside US which would be needed to stop the DDoS attacks.

    Along with this move all cameras sold in US at least would have to meet some minimal security standard to be sold here.  We could push other govs and companies to do the same.
    Why would they disable cameras they could use for themselves? You know the NSA is the National Security Spy Administration. It wouldn't surprise me if they made a deal with D-Link to include the reduced security as a "feature" so it would be easier for them and the FBI to monitor everything they could. At this point, I can't trust our government's three-letter organizations to speak the truth about anything. The fact the FTC is responding to this means at least one organization is trying to support the consumers.
    Do you think the NSA or FBI should not be aware of chatter concerning possible harm being planned to people who live in your city and neighborhood? Very honest question. 
    If that means spying on any and all US citizens, I do not think they have a right to be aware of chatter, no. It's impossible to prevent all bad things from happening all the time, so it makes no sense to give up a major constitutional tenet for that impossible goal.
    edited January 2017
  • Reply 11 of 18
    rob53 Posts: 2,105 member
    gatorguy said:
    rob53 said:
    welshdog said:
    The NSA needs to create and deploy a bot/virus whatever to find the vulnerable cameras (all brands) and permanently scramble their firmware rendering them useless.  These cameras and other devices are a threat to world security, any "harm" done to camera owners is trivial.  The bot could also kill cameras outside US which would be needed to stop the DDoS attacks.

    Along with this move all cameras sold in US at least would have to meet some minimal security standard to be sold here.  We could push other govs and companies to do the same.
    Why would they disable cameras they could use for themselves? You know the NSA is the National Security Spy Administration. It wouldn't surprise me if they made a deal with D-Link to include the reduced security as a "feature" so it would be easier for them and the FBI to monitor everything they could. At this point, I can't trust our government's three-letter organizations to speak the truth about anything. The fact the FTC is responding to this means at least one organization is trying to support the consumers.
    Do you think the NSA or FBI should not be aware of chatter concerning possible harm being planned to people who live in your city and neighborhood? Very honest question. 
    At what risk to illegal access to that information? We already know the FBI since the beginning has performed illegal investigations of people who had done nothing. As far as "chatter" to what extent are you willing to have everything you say and do monitored? I don't believe in the Patriot Act and all the unconstitutional activities it allows without any oversight by the public, the people it's supposed to protect. I don't want the US to turn into a country that spies on its law abiding citizens just in case they find something that "might" help them stop a major threat to our country. I believe peaceful cooperation with others is the best way to find peace and something that just doesn't seem to be done because someone always needs to be telling others what to do. 

    To answer your negative question, I believe the NSA and FBI should be aware of chatter that might be helpful in legally determining whether someone has or possibly will commit a crime against anyone in the US. The extent to which they monitor and act on the results is what bothers me. I do not believe the NSA or the FBI should have access to any type of communications they want without due process and by that I mean going to a judge who isn't going to simply always give them a blank check to do anything they want to do. The people of the US have a history of having private conversations and private dealings with other people. I see that going away with the direction the FBI wants to go. I don't know what the NSA does because they aren't standing up in front of everyone demanding things. I am concerned the NSA knows everything that everybody in the US does every minute of the day and I DON'T believe that is right.
  • Reply 12 of 18
    SpamSandwich Posts: 31,513 member

    gatorguy said:
    rob53 said:
    welshdog said:
    The NSA needs to create and deploy a bot/virus whatever to find the vulnerable cameras (all brands) and permanently scramble their firmware rendering them useless.  These cameras and other devices are a threat to world security, any "harm" done to camera owners is trivial.  The bot could also kill cameras outside US which would be needed to stop the DDoS attacks.

    Along with this move all cameras sold in US at least would have to meet some minimal security standard to be sold here.  We could push other govs and companies to do the same.
    Why would they disable cameras they could use for themselves? You know the NSA is the National Security Spy Administration. It wouldn't surprise me if they made a deal with D-Link to include the reduced security as a "feature" so it would be easier for them and the FBI to monitor everything they could. At this point, I can't trust our government's three-letter organizations to speak the truth about anything. The fact the FTC is responding to this means at least one organization is trying to support the consumers.
    Do you think the NSA or FBI should not be aware of chatter concerning possible harm being planned to people who live in your city and neighborhood? Very honest question. 
    If that means spying on any and all US citizens, I do not think they have a right to be aware of chatter, no. It's impossible to prevent all bad things from happening all the time, so it makes no sense to give up our privacy for that impossible goal.
    I agree. Mass surveillance is tacit acceptance of a police state.
  • Reply 13 of 18
    gatorguy Posts: 21,305 member

    gatorguy said:
    rob53 said:
    welshdog said:
    The NSA needs to create and deploy a bot/virus whatever to find the vulnerable cameras (all brands) and permanently scramble their firmware rendering them useless.  These cameras and other devices are a threat to world security, any "harm" done to camera owners is trivial.  The bot could also kill cameras outside US which would be needed to stop the DDoS attacks.

    Along with this move all cameras sold in US at least would have to meet some minimal security standard to be sold here.  We could push other govs and companies to do the same.
    Why would they disable cameras they could use for themselves? You know the NSA is the National Security Spy Administration. It wouldn't surprise me if they made a deal with D-Link to include the reduced security as a "feature" so it would be easier for them and the FBI to monitor everything they could. At this point, I can't trust our government's three-letter organizations to speak the truth about anything. The fact the FTC is responding to this means at least one organization is trying to support the consumers.
    Do you think the NSA or FBI should not be aware of chatter concerning possible harm being planned to people who live in your city and neighborhood? Very honest question. 
    If that means spying on any and all US citizens, I do not think they have a right to be aware of chatter, no. It's impossible to prevent all bad things from happening all the time, so it makes no sense to give up our privacy for that impossible goal.
    What privacy do you suppose you give up IF the NSA were monitoring all communications? Surely you can't believe there's actually people at the NSA listening right now to what you've said to Siri or Alexa? I hear a lot of cookie-cutter comments here and elsewhere but haven't yet seen any explanation of why my right to personal safety and security is less worthy than the right of someone plotting to harm me to not have anyone aware of it. 

    FWIW I don't consider the fact that records of phone calls and other communications exists on servers somewhere and if someone uses certain keywords it may get a particular one flagged is "spying on all US citizens". I don't for a second think anyone at NSA cares enough to note what I just posted here, or what I said to my wife in a phone call. Ain't happinin', so no one there is "spying on me". 
    edited January 2017
  • Reply 14 of 18
    StrangeDays Posts: 8,819 member
    gatorguy said:

    gatorguy said:
    rob53 said:
    welshdog said:
    The NSA needs to create and deploy a bot/virus whatever to find the vulnerable cameras (all brands) and permanently scramble their firmware rendering them useless.  These cameras and other devices are a threat to world security, any "harm" done to camera owners is trivial.  The bot could also kill cameras outside US which would be needed to stop the DDoS attacks.

    Along with this move all cameras sold in US at least would have to meet some minimal security standard to be sold here.  We could push other govs and companies to do the same.
    Why would they disable cameras they could use for themselves? You know the NSA is the National Security Spy Administration. It wouldn't surprise me if they made a deal with D-Link to include the reduced security as a "feature" so it would be easier for them and the FBI to monitor everything they could. At this point, I can't trust our government's three-letter organizations to speak the truth about anything. The fact the FTC is responding to this means at least one organization is trying to support the consumers.
    Do you think the NSA or FBI should not be aware of chatter concerning possible harm being planned to people who live in your city and neighborhood? Very honest question. 
    If that means spying on any and all US citizens, I do not think they have a right to be aware of chatter, no. It's impossible to prevent all bad things from happening all the time, so it makes no sense to give up our privacy for that impossible goal.
    What privacy do you suppose you give up IF the NSA were monitoring all communications? Surely you can't believe there's actually people at the NSA listening right now to what you've said to Siri or Alexa? I hear a lot of cookie-cutter comments here and elsewhere but haven't yet seen any explanation of why my right to personal safety and security is less worthy than the right of someone plotting to harm me to not have anyone aware of it. 
    I don't have to explain why my privacy is valuable -- it's literally a god-given birthright. The US federal government doesn't grant me this as a privilege, they merely recognize it as my right. I need offer no further explanation than this.

    There is no guarantee that bad people won't do bad things to us. But privacy of non-criminal-suspects (normal citizens) is guaranteed.
  • Reply 15 of 18
    rob53 Posts: 2,105 member
    gatorguy said:

    gatorguy said:
    rob53 said:
    welshdog said:
    The NSA needs to create and deploy a bot/virus whatever to find the vulnerable cameras (all brands) and permanently scramble their firmware rendering them useless.  These cameras and other devices are a threat to world security, any "harm" done to camera owners is trivial.  The bot could also kill cameras outside US which would be needed to stop the DDoS attacks.

    Along with this move all cameras sold in US at least would have to meet some minimal security standard to be sold here.  We could push other govs and companies to do the same.
    Why would they disable cameras they could use for themselves? You know the NSA is the National Security Spy Administration. It wouldn't surprise me if they made a deal with D-Link to include the reduced security as a "feature" so it would be easier for them and the FBI to monitor everything they could. At this point, I can't trust our government's three-letter organizations to speak the truth about anything. The fact the FTC is responding to this means at least one organization is trying to support the consumers.
    Do you think the NSA or FBI should not be aware of chatter concerning possible harm being planned to people who live in your city and neighborhood? Very honest question. 
    If that means spying on any and all US citizens, I do not think they have a right to be aware of chatter, no. It's impossible to prevent all bad things from happening all the time, so it makes no sense to give up our privacy for that impossible goal.
    What privacy do you suppose you give up IF the NSA were monitoring all communications? Surely you can't believe there's actually people at the NSA listening right now to what you've said to Siri or Alexa? I hear a lot of cookie-cutter comments here and elsewhere but haven't yet seen any explanation of why my right to personal safety and security is less worthy than the right of someone plotting to harm me to not have anyone aware of it. 
    I don't have to explain why my privacy is valuable -- it's literally a god-given birthright. The US federal government doesn't grant me this as a privilege, they merely recognize it as my right. I need offer no further explanation than this.

    There is no guarantee that bad people won't do bad things to us. But privacy of non-criminal-suspects (normal citizens) is guaranteed.
    I agree with you but back it up with the US Bill of Rights. A quick web search finds comments like these.

    The right to privacy isn't directly mentioned in the Constitution, but the US Supreme Court has held that it is a fundamental liberty deserving protection because privacy is implied in the First, Third, Fourth, Fifth, Ninth, and Fourteenth Amendments (Due Process Clause). 

    With that said, and I know the various Supreme Court justices have messed with the Bill of Rights since day 1, our private lives are our own and our government has no right to invade them without Due Process (14th Amendment). Of course, it's that Due Process that is getting easier to obtain and is what is bringing an end to any kind of privacy in the US.
  • Reply 16 of 18
    avon b7 said:

    I've long argued for Apple and others to clearly state how long Macs will receive stand alone security updates. 

    Looks like five years in most countries.

    Seems reasonable. Apple was still supporting my recently departed 2009 17" MacBook Pro even after updates to the software I used most wouldn't run on it.
  • Reply 17 of 18
    avon b7 Posts: 4,305 member
    avon b7 said:

    I've long argued for Apple and others to clearly state how long Macs will receive stand alone security updates. 
    https://support.apple.com/en-us/HT201624
    Thanks but that refers to hardware support, not security updates. I will expand a little.

    In the internet world (some datacenter staff I know have been using the term 'intercloud' for a few years now), security is paramount. Not only in terms of someone gaining access to your account but in terms of how some providers protect the information they have on you. 

    You can try the 'upgrade to resolve security issues' as the security updates are resolved in the update or you can provide standalone security updates for the systems you sell.

    The former is better for the vendor but users often have valid reasons not to upgrade so standalone updates are preferable.

    Given the importance of security it would be good for vendors to publicly commit to it and communicate to users how long security will be provided for and to communicate when security updates are ceased.

    These are not the kinds of things vendors do on their own initiative. That's why I prefer legislative frameworks which make things very clear.
  • Reply 18 of 18
    brucemc Posts: 1,540 member
    lkrupp said:
    So why isn’t Apple shouting about this advantage from the rooftops? 
    They are fairly consistent in stating their commitment to security and privacy all the time.  They speak about it, bring it up in interviews, the keynotes, and of course it is outlined on their website.

    Hard to get the message out to the mass consumer market without hefty advertising, and given the state of the home automation market, I am sure they prefer to spend those ad dollars and time on products selling in significantly more volume. 

    While Apple does get huge exposure for new products in the media at a high level, for more complex and detailed stuff like this, the media ignores it mostly.  What clicks are to be had for articles like "Apple doing the hard work to secure our future".  Much easier to say that Apple is failing at something...like not going fast enough in the voice controlled home automation market:)