Federal regulators have accused D-Link of failing to reasonably protect its routers and webcam devices from widely known threats, exposing thousands of American consumers to targeted security breaches.
Specifically, the 31-page complaint alleges the following security failures: hard-coding login credentials or backdoors (“username: guest / password: guest”) in its camera software that allowed unauthorised access to live feeds; leaving a private key code that could be used to sign into the company’s software publicly available for six months; failing to take reasonable steps to prevent a known vulnerability that allowed attackers to remotely control and send commands to routers; and storing users’ mobile app login credentials in clear, readable text on their mobile devices.
The FTC called the risk of attackers exploiting these vulnerabilities “significant”, and took issue with D-Link’s promoting its products as “easy to secure” and armed with “advanced network security.”
“In many instances, remote attackers could take simple steps, using widely available tools, to locate and exploit defendants’ devices, which were widely known to be vulnerable,” according to the complaint. “For example, using a compromised router, an attacker could obtain sensitive files from the router’s attached storage. They could redirect a consumer to a fraudulent website, or use the router to attack other devices on the local network, such as computers, smartphones, IP cameras, or connected appliances.”
The lawsuit comes almost a year after the agency settled with Asus over its insecure routers that allowed attackers to remotely log in to them and change security settings or access files stored on connected devices. The FTC is seeking to improve the security of all IoT devices in the wake of compromised devices being used to launch high-profile DDoS attacks over the past few months.
For its part, Taiwan-based D-Link has denied the allegations and will defend itself in court.