The Federal Trade Commission (FTC) filed a complaint on Thursday against Taiwan’s D-Link and its U.S. subsidiary, D-Link Systems, Inc., alleging the company has put consumer privacy at risk with inadequate security measures.
The complaint cites a number of security problems D-Link has faced over the years, including a command injection vulnerability the company patched last summer, which impacted some 400,000 D-Link devices.
The FTC also singles out hardcoded credentials that can be used to view remote camera feeds, and the incident where code-signing keys were exposed to the public for at least six months.
Finally, the complaint references issues with D-Link’s mobile app, where user credentials were stored in clear, readable text “even though there is free software available to secure the information,” the complaint explains.
“When manufacturers tell consumers that their equipment is secure, it’s critical that they take the necessary steps to make sure that’s true,” Jessica Rich, director of the FTC’s Bureau of Consumer Protection, said in a prepared statement.
The FTC has filed similar complaints in the past, including one against ASUSTeK Computer, Inc. for flaws in their router control panels, such as the ones that were used in a 2015 series of attacks that redirected internet traffic for some customers.
Asked for an opinion on the FTC’s actions, Allison Nixon, the Director of Security Research at Flashpoint, said it was a good move by the FTC, adding that the IoT security space needs to shape up quickly.
“Unauthenticated remote takeover is considered a borderline scandalous vulnerability in any other area of application development, but in the IoT world it’s routine. Vendors need to be held accountable because if they aren’t, the rest of us will pay the price,” Nixon said.
In a brief statement, a D-Link spokesperson sent Salted Hash the following:
“D-Link Systems, Inc. is aware of the complaint filed by the FTC. D-Link denies the allegations outlined in the complaint and is taking steps to defend the action. The security of our products and protection of our customer’s private data is always our top priority.”
The company is preparing a public FAQ on the matter that will be published to the D-Link website.