D-Link's Alleged Security Failures Draw FTC Lawsuit

In its latest enforcement action in the realm of the Internet of Things, the Federal Trade Commission filed suit against D-Link Corporation, a Taiwan-based computer networking equipment manufacturer, and its U.S. subsidiary, alleging that the defendants failed to employ adequate security measures for their wireless routers and Internet cameras.

Although D-Link promoted the security of its routers with claims like "EASY TO SECURE" and "ADVANCED NETWORK SECURITY," the company neglected to take easy steps to avoid security flaws, the agency asserted in its California federal court complaint. According to the agency, D-Link left its products exposed to hard-coded login credentials and to "command injection," a flaw that allowed remote attackers to take control of routers by sending commands over the Internet.

The defendants also openly displayed a private key code used to sign into D-Link software on a public website for six months and allowed user login credentials on D-Link's mobile app to remain in clear, readable text on mobile devices—despite the availability of free software that could have secured the information, the FTC alleged.

All of these errors left consumers vulnerable, the agency said, as a hacker could take advantage of a compromised router to obtain stored files (tax returns, for example), redirect a consumer to a fraudulent website, or leverage the router to attack other devices on consumers' local networks such as smartphones, computers, and other connected appliances.

As for the unsecure cameras, D-Link's actions placed consumers at risk of having their personal activities and conversations recorded and watched or their locations monitored, which could make theft or other crimes much easier to commit, the agency told the court.

The suit seeks a permanent injunction against future violations of the Federal Trade Commission Act, as well as costs.

D-Link responded to the lawsuit with a statement on its website denying "the unwarranted allegations outlined in the FTC complaint" and stating its plans to "vigorously defend the action." The company also noted that the agency's complaint "does not allege any breach of any product sold by D-Link Systems in the U.S."

To read the complaint in FTC v. D-Link Corporation, click here.

Why it matters: The complaint against D-Link furthers the agency's efforts with regard to privacy and security in the Internet of Things, the agency noted. "Hackers are increasingly targeting consumer routers and IP cameras—and the consequences for consumers can include device compromise and exposure of their sensitive personal information," Director of the FTC's Bureau of Consumer Protection Jessica Rich said in a statement. "When manufacturers tell consumers that their equipment is secure, it's critical that they take the necessary steps to make sure that's true." Commissioner Maureen Ohlhausen voted against filing the suit but did not comment on her decision.


© 2022 Manatt, Phelps & Phillips, LLP.