FTC sues D-Link for failure to secure webcams, routers from online attacks
D-Link is under fire from the Federal Trade Commission for not doing enough to secure its products, including connected home devices -- a threat Apple has countered via secure authentication chips in HomeKit-certified hardware.

In a new lawsuit, the FTC alleges D-Link "failed to take reasonable steps" to prevent hackers from accessing routers and IP cameras, putting "thousands of consumers" in an insecure position.
The FTC claims that the networking appliance producer didn't do enough to protect its devices from "widely known and reasonably foreseeable risks of unauthorized access." The list of risks cited by the commission notes "flaws which the Open Web Application Security Project has ranked among the most critical and widespread web application vulnerabilities since at least 2007."
The lawsuit comes after a major distributed denial of service (DDoS) attack in October last year affected a number of prominent websites and services, driven by a botnet that took advantage of insecure IoT devices. Devices still using factory-default administrative credentials were targeted; once logged in, the malware enrolled them in the botnet so they could be remotely controlled and used for the attack.
That attack helped to highlight the benefits of Apple's HomeKit framework for connected devices. HomeKit uses a combination of end-to-end encryption, MFi authorization, and other techniques to keep communication between networked devices secure, making it extremely difficult for devices to be attacked via the framework itself. The caveat is that HomeKit protects only the HomeKit control channel: a camera or router that also exposes its own web administration page or a telnet port, the kind of service the botnet abused, is no safer on those ports for being HomeKit-certified.
The FTC, in its complaint, asserts that D-Link included "well-known and easily preventable software security flaws," and had repeatedly failed to test and repair its software to prevent them from being abused. The alleged issues include software shipping with "hard-coded" user credentials, code vulnerable to command injection flaws, and other backdoors.
The complaint also notes that D-Link failed to keep secure the private key used to sign its software, with the mishandling leading to the "exposure of the private key on a public website for approximately six months." Anyone holding a vendor's signing key can produce firmware that the devices, and any update tooling that checks the signature, will accept as genuine.
The security lapses also extended to mobile apps offered by D-Link to access and manage IP cameras and routers from a smartphone or tablet. The FTC claims D-Link "failed to use free software, available since at least 2008" to protect a user's login credentials for the app, instead storing the details on the mobile device in easily-readable plaintext, where any app or person with access to the device's storage can read them.
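As an added illustration of the command-injection class named in the complaint (constructed example code, not D-Link's firmware and not anything from the FTC filing), the following C models a hypothetical router "diagnostic ping" CGI handler twice: first in the pattern that produces the flaw, where a user-supplied host is pasted into a shell command line, and then hardened with an input allow-list plus an argv vector that never touches a shell. The host names, payload and function names are all assumptions made for the example.

```c
/*
 * Added example (not D-Link's code). A hypothetical router "diagnostic ping"
 * CGI handler, written two ways: the command-injection pattern the FTC
 * complaint describes, and a hardened version.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define CMD_MAX 256

/* VULNERABLE: the user-supplied host is pasted into a shell command line.
 * On a router this typically runs as root via system(), so a host value of
 * "8.8.8.8; cat /etc/passwd" executes the second command too.
 * This function only builds the string; nothing is executed here. */
int build_ping_cmd_vulnerable(const char *host, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "ping -c 4 %s", host);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Demonstration helper: does the command the vulnerable handler would hand
 * to the shell still contain the injected payload verbatim? */
int vulnerable_cmd_contains(const char *host, const char *payload)
{
    char cmd[CMD_MAX];
    if (build_ping_cmd_vulnerable(host, cmd, sizeof cmd) != 0)
        return 0;
    return strstr(cmd, payload) != NULL;
}

/* HARDENED, step 1: allow-list the input. A hostname or IPv4 literal only
 * needs letters, digits, '.' and '-'; everything a shell cares about
 * (';', '|', '&', '`', '$', quotes, whitespace) is rejected outright.
 * A leading '-' is also refused so the value cannot be read as a ping flag. */
int host_is_safe(const char *host)
{
    size_t len = strlen(host);
    if (len == 0 || len > 253)      /* RFC 1123 total hostname limit */
        return 0;
    if (host[0] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '.' || c == '-'))
            return 0;
    }
    return 1;
}

/* HARDENED, step 2: never hand the command to a shell. Build an argv vector
 * for execvp()/posix_spawn() so the host is one argument and shell
 * metacharacters stay inert even if the allow-list is ever loosened.
 * argv must have room for 5 pointers. Returns 0 on success, -1 if rejected. */
int build_ping_argv(const char *host, const char *argv[5])
{
    if (!host_is_safe(host))
        return -1;
    argv[0] = "ping";
    argv[1] = "-c";
    argv[2] = "4";
    argv[3] = host;
    argv[4] = NULL;
    return 0;
}

int main(void)
{
    /* Constructed attacker input for the demo, not from any real report. */
    const char *attack = "8.8.8.8; cat /etc/passwd";
    const char *argv[5];
    char cmd[CMD_MAX];

    build_ping_cmd_vulnerable(attack, cmd, sizeof cmd);
    printf("vulnerable handler would run: %s\n", cmd);
    printf("hardened handler accepts it:  %s\n",
           build_ping_argv(attack, argv) == 0 ? "yes" : "no");
    printf("hardened handler accepts 8.8.8.8: %s\n",
           build_ping_argv("8.8.8.8", argv) == 0 ? "yes" : "no");
    return 0;
}
```

The two layers are deliberately independent. The allow-list alone is brittle, because a later "just allow spaces for IPv6 zone IDs" change quietly reopens the hole; exec without a shell alone still permits option injection through a leading "-". Keeping both means a mistake in one does not by itself hand the attacker a root shell on the device.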
In a statement, D-Link chief information security officer William Brown told The Verge the company "denies the allegations outlined in the complaint," and intends to defend itself.
The issues raised by the FTC in the complaint highlight the challenges manufacturers face in the "Internet of Things" market, and the importance of maintaining the security of such connected devices.
Last week, D-Link announced it would start adopting HomeKit for its IP-based security camera range, with the Omna 180 Cam HD the first with compatibility.

Comments
I've long argued for Apple and others to clearly state how long Macs will receive stand alone security updates.
A couple of years ago I was speaking to a security manager at a critical infrastructure data centre who was complaining about a security problem in some Dell equipment. The solution offered by the company wasn't to fix the problem itself but to upgrade the software universally so instead of fixing the problem on one component he would have to upgrade more than 50 and pay.
He escalated the issue and Dell had to send someone to find a solution for the problem component.
This is the kind of situation legislation should cater to for consumers.
Along with this move all cameras sold in US at least would have to meet some minimal security standard to be sold here. We could push other govs and companies to do the same.
If that means spying on any and all US citizens, I do not think they have a right to be aware of chatter, no. It's impossible to prevent all bad things from happening all the time, so it makes no sense to give up a major constitutional tenet for that impossible goal.
To answer your negative question, I believe the NSA and FBI should be aware of chatter that might be helpful in legally determining whether someone has or possibly will commit a crime against anyone in the US. The extent to which they monitor and act on the results is what bothers me. I do not believe the NSA or the FBI should have access to any type of communications they want without due process and by that I mean going to a judge who isn't going to simply always give them a blank check to do anything they want to do. The people of the US have a history of having private conversations and private dealings with other people. I see that going away with the direction the FBI wants to go. I don't know what the NSA does because they aren't standing up in front of everyone demanding things. I am concerned the NSA knows everything that everybody in the US does every minute of the day and I DON'T believe that is right.
FWIW I don't consider the fact that records of phone calls and other communications exist on servers somewhere, and that if someone uses certain keywords a particular one may get flagged, to be "spying on all US citizens". I don't for a second think anyone at NSA cares enough to note what I just posted here, or what I said to my wife in a phone call. Ain't happenin', so no one there is "spying on me".
There is no guarantee that bad people won't do bad things to us. But privacy of non-criminal-suspects (normal citizens) is guaranteed.
The right to privacy isn't directly mentioned in the Constitution, but the US Supreme Court has held that it is a fundamental liberty deserving protection because privacy is implied in the First, Third, Fourth, Fifth, Ninth, and Fourteenth Amendments (Due Process Clause).
With that said, and I know the various Supreme Court justices have messed with the Bill of Rights since day 1, our private lives are our own and our government has no right to invade them without Due Process (14th Amendment). Of course, it's that Due Process that is getting easier to obtain and is what is bringing an end to any kind of privacy in the US.
Seems reasonable. Apple was still supporting my recently departed 2009 17" MacBook Pro even after updates to the software I used most wouldn't run on it.
In the internet world (some datacenter staff I know have been using the term 'intercloud' for a few years now), security is paramount. Not only in terms of someone gaining access to your account but in terms of how some providers protect the information they have on you.
You can try the 'upgrade to resolve security issues' as the security updates are resolved in the update or you can provide standalone security updates for the systems you sell.
The former is better for the vendor but users often have valid reasons not to upgrade so standalone updates are preferable.
Given the importance of security it would be good for vendors to publicly commit to it and communicate to users how long security will be provided for and to communicate when security updates are ceased.
These are not the kinds of things vendors do on their own initiative. That's why I prefer legislative frameworks which make things very clear.
Hard to get the message out to the mass consumer market without hefty advertising, and given the state of the home automation market, I am sure they prefer to spend those ad dollars and time on products selling in significantly more volume.
While Apple does get huge exposure for new products in the media at a high level, for more complex and detailed stuff like this, the media ignores it mostly. What clicks are to be had for articles like "Apple doing the hard work to secure our future". Much easier to say that Apple is failing at something...like not going fast enough in the voice controlled home automation market:)