NEWS ANALYSIS: Despite claims about advanced security, the Federal Trade Commission says that D-Link hard-coded login credentials leaving encryption keys unprotected and publicly exposed on the web
LAS VEGAS—My panel on cyber-security at CES was just starting when I introduced Federal Trade Commission attorney Ben Rossen, who is part of the Division on Privacy and Identity Protection.Rossen opened his discussion with an announcement that the FTC had just filed a lawsuit in the U.S. Federal Court for the Northern District of California alleging that network equipment maker D-Link had been misleading in describing its advanced security technology and in had endangered the public with lax product security practices.Rossen said that the complaint was just one of what will be many complaints about poor internet of things device security. D-Link IP cameras were a major contributor to the immense IoT denial of service attacks that occurred last year causing widespread disruption on the internet, including taking down Domain Name System services provider DYN.Hackers had augmented the volume of their attacks by loading botnet software on vast numbers of IoT devices including security cameras, smart home devices and DVRs.
If nothing else, Rossen made it clear why he was part of my panel on “Regulation and Enforcement in Cybersecurity.” He said that the FTC was taking privacy and security risks affecting Americans very seriously. In this case, D-Link was allegedly engaging in unfair and deceptive practices by claiming to have provided security capabilities that clearly didn’t exist.
A typical example from the FTC complaint was the fact that D-Link had hard-coded “Guest” as the user name and password into its IP cameras. This made it easy for hackers to install botnet software on these devices so that thousands of them could be marshaled as part of a botnet. But the security holes in the D-Link equipment went beyond that.In the FTC announcement on the enforcement action, the agency noted that a software flaw in D-Link equipment allowed command injection, in which hackers can send remote commands over the internet to the devices without authorization from the owner. In addition, the FTC complaint says that D-Link mishandled its private key code used to sign the company’s software products, by allowing it to be visible on the company’s public website for six months.Finally, when users could actually create their own logins and passwords, the D-Link software allowed those names and passwords to be stored in the clear on the equipment.The FTC complaint said that the flaws included insecure routers that could allow access to attached storage devices that could be directed to attack other devices on the network. The insecure routers could also be remotely programmed to direct users to fraudulent websites.