FTC goes after D-Link for security problems

The Federal Trade Commission (FTC) filed a complaint on Thursday against Taiwan’s D-Link and its U.S. subsidiary, D-Link Systems, Inc., alleging the company has put consumer privacy at risk with inadequate security measures.
The complaint cites a number of security problems D-Link has faced over the years, including a command injection vulnerability the company patched last summer, which impacted some 400,000 D-Link devices.
The FTC also singles out hardcoded credentials that can be used to view remote camera feeds, and the incident where code-signing keys were exposed to the public for at least six months.
Finally, the complaint references issues with D-Link’s mobile app, where user credentials were stored in clear, readable text “even though there is free software available to secure the information,” the complaint explains.
“When manufacturers tell consumers that their equipment is secure, it’s critical that they take the necessary steps to make sure that’s true,” Jessica Rich, director of the FTC’s Bureau of Consumer Protection, said in a prepared statement.
The FTC has filed similar complaints in the past, including one against ASUSTeK Computer, Inc. for flaws in their router control panels, such as the ones that were used in a 2015 series of attacks that redirected internet traffic for some customers.
Asked for an opinion on the FTC’s actions, Allison Nixon, the Director of Security Research at Flashpoint, said it was a good move by the FTC, adding that the IoT security space needs to shape up quickly.
“Unauthenticated remote takeover is considered a borderline scandalous vulnerability in any other area of application development, but in the IoT world it’s routine. Vendors need to be held accountable because if they aren’t, the rest of us will pay the price,” Nixon said.
In a brief statement, a D-Link spokesperson sent Salted Hash the following:

“D-Link Systems, Inc. is aware of the complaint filed by the FTC. D-Link denies the allegations outlined in the complaint and is taking steps to defend the action. The security of our products and protection of our customer’s private data is always our top priority.”
The company is preparing a public FAQ on the matter that will be published to the D-Link website.