FTC sues D-Link over router and IP camera security flaws

Jos

Posts: 3,073   +97

Federal regulators have accused D-Link of failing to reasonably protect its routers and webcam devices from widely known threats, exposing thousands of American consumers to targeted security breaches. 

Specifically, the alleged security failures detailed in the 31-page complaint amounted to D-Link hard-coding login credentials or backdoors that allowed unauthorised access to live feeds in its camera software – “username: guest / password: guest” – leaving a private key code that could be used to sign into the company’s software publicly available for six months, failing to take reasonable steps to prevent a known vulnerability allowing attackers to remotely control and send commands to routers, and storing users’ mobile app login credentials in clear, readable text on their mobile devices.

The FTC called the risk of attackers exploiting these vulnerabilities “significant”, and took issue with D-Link’s promoting its products as “easy to secure” and armed with “advanced network security”.

“In many instances, remote attackers could take simple steps, using widely available tools, to locate and exploit defendants’ devices, which were widely known to be vulnerable,” according to the complaint. “For example, using a compromised router, an attacker could obtain sensitive files from the router’s attached storage. They could redirect a consumer to a fraudulent website, or use the router to attack other devices on the local network, such as computers, smartphones, IP cameras, or connected appliances.”

The lawsuit comes almost a year after the agency settled with Asus over its insecure routers that allowed attackers to remotely log in to them and change security settings or access files stored on connected devices. The FTC is seeking to improve the security of all IoT devices in the wake of compromised devices being used to launch high-profile DDoS attacks over the past few months.

For its part, Taiwan-based D-Link has denied the allegations and says it will defend itself in court.

DelJo63

Did anyone else notice that Chrysler is going with Android technology soon? Oh boy, junior can now hack daddy's car too.
 

Uncle Al

Posts: 8,001   +6,775
There are so many digital devices out there with a variety of vulnerabilities that Congress needs to turn the Federal Trade Commission loose and mandate they get the security of all products up to snuff. We've had enough of companies shrugging their shoulders and ignoring their responsibilities in order to make a buck. Strong laws with stronger enforcement are the order of the day!
 

Darth Shiv

Posts: 2,152   +752
It needs to be locked down by default. It's just security 101. Hoping this case helps push good practices and hope they go after more lazy companies.
 
DelJo63

It needs to be locked down by default. It's just security 101. Hoping this case helps push good practices and hope they go after more lazy companies.
Then how do you configure the device to your LAN? Agree on lock down, but the problem is a catch-22 for install and config. Bad users have bad behaviors, so my solution is to outlaw bad users :giggle:

Having World Wide Web access to my thermostat and garage door is just not necessary, so it's a bad product idea from the beginning.
 

psycros

Posts: 3,394   +3,871
It needs to be locked down by default. It's just security 101. Hoping this case helps push good practices and hope they go after more lazy companies.
Then how do you configure the device to your LAN? Agree on lock down, but the problem is a catch-22 for install and config. Bad users have bad behaviors, so my solution is to outlaw bad users :giggle:

Having World Wide Web access to my thermostat and garage door is just not necessary, so it's a bad product idea from the beginning.

It's pretty simple to generate a unique username and password for each device sold. It can all be automated to create a database of codes that each device pulls from when it's first configured at the factory. Companies that actually care about security do this all the time. And yeah, I agree 100% that most things in the home or business have no need to be online. It's money-making tripe at its worst, exploiting consumers at their stupidest.
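One way to implement the per-device credentials psycros describes, as an added example that is not code from the thread or from D-Link: the factory generates a random password for the label, the device keeps only a salted PBKDF2 hash of it, and the login check rejects anything else, so no shared "guest/guest" style default exists to begin with. Serial numbers, record layout and function names are assumptions made for the example.

```python
import hashlib
import secrets
import string

# Characters a person can read off a label without confusion (drops 0/O and 1/l/I).
LABEL_ALPHABET = "".join(c for c in string.ascii_letters + string.digits if c not in "0O1lI")


def generate_label_password(length: int = 16) -> str:
    """Random per-device password printed on the label; never derived from the serial."""
    return "".join(secrets.choice(LABEL_ALPHABET) for _ in range(length))


def hash_password(password: str, salt: bytes = None, rounds: int = 200_000) -> dict:
    """Salted PBKDF2-HMAC-SHA256; this is all the firmware ever stores."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return {"salt": salt.hex(), "rounds": rounds, "digest": digest.hex()}


def provision_device(serial: str) -> tuple:
    """Factory step (assumed flow): returns the record burned into the device
    and the plaintext password that goes on the label, nowhere else."""
    password = generate_label_password()
    record = {"serial": serial, "user": "admin", "pw": hash_password(password)}
    return record, password


def verify_login(record: dict, user: str, password: str) -> bool:
    """Device-side login check: recompute the hash and compare in constant time."""
    if user != record["user"]:
        return False
    stored = record["pw"]
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(stored["salt"]), stored["rounds"]
    )
    return secrets.compare_digest(digest.hex(), stored["digest"])


if __name__ == "__main__":
    # Constructed serials for two devices coming off the line.
    rec_a, pw_a = provision_device("EXAMPLE-SN-000001")
    rec_b, pw_b = provision_device("EXAMPLE-SN-000002")
    print("unique per device:", pw_a != pw_b)
    print("label password works:", verify_login(rec_a, "admin", pw_a))
    print("guest/guest rejected:", verify_login(rec_a, "guest", "guest"))
```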
 

Darth Shiv

Posts: 2,152   +752
Then how do you configure the device to your LAN? Agree on lock down, but the problem is a catch-22 for install and config. Bad users have bad behaviors, so my solution is to outlaw bad users :giggle:

Having World Wide Web access to my thermostat and garage door is just not necessary, so it's a bad product idea from the beginning.
Have ethernet for initial setup.

Also just use VPN for IoT remote access. Why the f$&k do those devices need internet facing IPs? It's just the dumbest idea I have ever heard of.
 
DelJo63

Have ethernet for initial setup.
They already do and the problem is, just like all routers, they have well-known user/passwords so it's easy to gain access. If they were locked down, the user/pass & port would not be well known AND impossible to configure day-1. DUMB users don't bother and just use all the defaults possible - - so Q.E.D. we're stuck with the IoT mess. High tech homes are now sitting ducks.
 

Darth Shiv

Posts: 2,152   +752
They already do and the problem is, just like all routers, they have well-known user/passwords so it's easy to gain access. If they were locked down, the user/pass & port would not be well known AND impossible to configure day-1. DUMB users don't bother and just use all the defaults possible - - so Q.E.D. we're stuck with the IoT mess. High tech homes are now sitting ducks.
How does a hacker access an admin console if they need physical access to the device? Admin consoles, even with simple username password defaults should not be accessible over WiFi by default OR the internet. That is two massive vectors closed off.

As good practice, the control panel should enforce good password practices (and not let you keep the default) if you did enable those access options but even so...
 
DelJo63

How does a hacker access an admin console if they need physical access to the device?
That's the problem; they don't need the admin console, it's done like so many other infections by buffer overflow forcing access to system level and proceeding from there.

Forcing access from only a keyboard would be a great start :)
 
DelJo63

@Darth Shiv
the IoT stuff is designed for remote control of the household devices and to do that - - you need the Internet.

IMO, it's dumb too! Obviously I would never buy any of this junk.
 

Darth Shiv

Posts: 2,152   +752
@Darth Shiv
the IoT stuff is designed for remote control of the household devices and to do that - - you need the Internet.

IMO, it's dumb too! Obviously I would never buy any of this junk.
Yeah I just think the way you access it is not direct to device. They should secure it through a proven technology like VPN. You are basically just multiplying the attack vectors into your home network by not doing this. It's just crazy. Anyone who thinks this is a good idea has rocks in their head. Every single device is running an OS with masses of unknown security holes.

To be honest it's a botnet hacker's wet dream.