
FTC files lawsuit against D-Link

ionbasa


 

Quote

The United States Federal Trade Commission (FTC) has filed a lawsuit against D-Link, claiming the company put thousands of customers at risk of unauthorised access by failing to secure its IP cameras and routers, after security vulnerabilities were discovered last year.

 

The lawsuit [...], filed in the District Court in San Francisco on January 5, claims that D-Link "repeatedly have failed to take reasonable software testing and remediation measures to protect their routers and IP cameras against well-known and easily preventable software security flaws" in several of its Internet of Things (IoT) devices.

 

Specifically, the FTC said these alleged security failures amounted to D-Link hard-coding login credentials or backdoors that allowed unauthorised access to live feeds in its camera software; mishandling its own software private sign-in key code so it was exposed online for around six months; failing to take reasonable steps to prevent a known vulnerability allowing attackers to remotely control and send commands to routers; and failing to use free software that has been available since 2008 to secure its users' app logins, instead storing them in clear, readable text on users' mobile devices.

http://www.zdnet.com/article/ftc-files-lawsuit-against-d-link-for-router-and-camera-security-flaws/

Link to the lawsuit (PDF): https://www.ftc.gov/system/files/documents/cases/170105_d-link_complaint_and_exhibits.pdf

Link to FTC's press release: https://www.ftc.gov/news-events/press-releases/2017/01/ftc-charges-d-link-put-consumers-privacy-risk-due-inadequate

 

The FTC alleges that D-Link coded backdoor logins in their routers and cameras. D-Link's own private key was also leaked online, putting virtually all devices at risk. To add to that, login credentials were stored in plaintext if you accessed the interface off of a mobile device. It's also ironic, since D-Link knew about the vulnerabilities and still falsely promoted their devices as secure.

 

Honestly, D-Link needs to own up to its failures; this isn't acceptable by any means. Here's what the FTC has in store for them:

Quote

The FTC is seeking a permanent injunction to prevent D-Link from engaging in unfair or deceptive acts or practices in violation of Section 5(a) of the FTC Act, as well as legal costs and any other equitable relief the court deems appropriate.

 

▶ Learn from yesterday, live for today, hope for tomorrow. The important thing is not to stop questioning. - Einstein◀

Please remember to mark a thread as solved if your issue has been fixed; it helps others who may stumble across the thread at a later point in time.


Another example of why having a key that unlocks encryption or allows access to a supposed secure system is retarded. No surprises here.

If you want to reply back to me or someone else USE THE QUOTE BUTTON!                                                      
Pascal laptops guide


Just now, Castdeath97 said:

Another example of why having a key that unlocks encryption or allows access to a supposed secure system is retarded. No surprises here.

And the fact that credentials were stored in plaintext? D-Link just dropped the ball.

 

Secondly, what about the implications of spying? If D-Link has a backdoor to access its cameras and routers, who's stopping them from watching? Luckily, I don't use D-Link cameras.


guys, big news: Dlink security blows chunks.

 

it's been like this since wireless N first came around, i've yet to encounter a budget D-link wireless router that can actually do WPA2 without crashing. before we switched to something that could actually be secured we had a white van parked next to our house like once a month.


Feels good that I'm not using any consumer network gear. Thank god my old D-Link router died and I get a replacement.

 

 

So now essentially everyone has access to your IP cameras ... the government, the pedo down the street.

Magical Pineapples

Why stop at DLink? Why not go after literally everything else as well for having utter trash or non-existent security?

 

Companies want to jump in on the hype that is "connect everything together and to the internet" and in doing so skimp on the most important thing: security. The amount of news articles with security experts finding security holes left and right in these new IOT devices should sound some massive alarm bells, but for some reason it doesn't.

Ye ole' train


14 minutes ago, lots of unexplainable lag said:

Why stop at DLink? Why not go after literally everything else as well for having utter trash or non-existent security?

 

Companies want to jump in on the hype that is "connect everything together and to the internet" and in doing so skimp on the most important thing: security. The amount of news articles with security experts finding security holes left and right in these new IOT devices should sound some massive alarm bells, but for some reason it doesn't.

They already went after Asus last year. Asus ended up settling.

 

And honestly, you can't just blindly start lawsuits (ironic, I know). The FTC in this specific case has concrete evidence against D-Link. The FTC is doing their homework and doing things the right way.


14 minutes ago, lots of unexplainable lag said:

Why stop at DLink?

You're asking that question as though the FTC issued a statement saying "DLink is the only one we will prosecute" xD

We have a NEW and GLORIOUSER-ER-ER PSU Tier List Now. (dammit @LukeSavenije stop coming up with new ones)

You can check out the old one that gave joy to so many across the land here

 

Computer having a hard time powering on? Troubleshoot it with this guide. (Currently looking for suggestions to update it into the context of <current year> and make it its own thread)

Computer Specs:

Spoiler

Mathresolvermajig: Intel Xeon E3 1240 (Sandy Bridge i7 equivalent)

Chillinmachine: Noctua NH-C14S
Framepainting-inator: EVGA GTX 1080 Ti SC2 Hybrid

Attachcorethingy: Gigabyte H61M-S2V-B3

Infoholdstick: Corsair 2x4GB DDR3 1333

Computerarmor: Silverstone RL06 "Lookalike"

Rememberdoogle: 1TB HDD + 120GB TR150 + 240 SSD Plus + 1TB MX500

AdditionalPylons: Phanteks AMP! 550W (based on Seasonic GX-550)

Letterpad: Rosewill Apollo 9100 (Cherry MX Red)

Buttonrodent: Razer Viper Mini + Huion H430P drawing Tablet

Auralnterface: Sennheiser HD 6xx

Liquidrectangles: LG 27UK850-W 4K HDR

 


3 minutes ago, Energycore said:

You're asking that question as though the FTC issued a statement saying "DLink is the only one we will prosecute" xD

It's funny you mention that:

 

Quote

“We can’t say whether we will take action against similar companies,” an FTC spokesman said on Thursday.

http://www.pcworld.com/article/3154819/security/ftc-goes-after-d-link-for-shoddy-security-in-routers-cameras.html

 

The FTC is most likely using D-Link as a warning to the rest of the industry. They went after Asus last year, and were successful (Asus settled).


Just now, ionbasa said:

It's funny you mention that:

 

http://www.pcworld.com/article/3154819/security/ftc-goes-after-d-link-for-shoddy-security-in-routers-cameras.html

 

The FTC is most likely using D-Link as a warning to the rest of the industry. They went after Asus last year, and were successful (Asus settled).

"We can’t say whether we will take action against similar companies" is very different to "We're not gonna take action against similar companies". I'm sure the FTC will prosecute anyone who's at least as blatant as D-Link.


1 hour ago, Castdeath97 said:

Another example of why having a key that unlocks encryption or allows access to a supposed secure system is retarded. No surprises here.

Wait, by definition encryption requires a key or pass or way to decrypt, it's the entire point of encryption. 

-------

Current Rig

-------


So...what should I do with my D-Link AC router then? The damn thing cost $200 and I don't want to throw it out.

"We also blind small animals with cosmetics.
We do not sell cosmetics. We just blind animals."

 

"Please don't mistake us for Equifax. Those fuckers are evil"

 

This PSA brought to you by Equifacks.
PMSL


2 hours ago, ionbasa said:

The FTC alleges that D-Link coded backdoor logins in their routers and cameras. D-Link's own private key was also leaked online

that's really fucked up

 

I own two DLink routers, one is currently working as an AP at home and the 2nd is a router at my father's

 

---

 

@ionbasa not only ASUS, TP-Link too with the WiFi radio hack - because of the restrictions the Open-WRT community went up in flames (almost)


2 hours ago, Misanthrope said:

Wait, by definition encryption requires a key or pass or way to decrypt, it's the entire point of encryption. 

Well then make it pseudo encryption, you know the one politicians strive for.


Neat! I was the one at the time to find the private code signing key they accidentally published in one of their open source code archives (third point in the list in the FTC's press release). Kudos to the FTC that they keep their eyes open :)

 

Link to FTC's press release on this lawsuit, since it doesn't appear to have been posted yet: https://www.ftc.gov/news-events/press-releases/2017/01/ftc-charges-d-link-put-consumers-privacy-risk-due-inadequate


3 hours ago, bartvbl said:

Neat! I was the one at the time to find the private code signing key they accidentally published in one of their open source code archives (third point in the list in the FTC's press release). Kudos to the FTC that they keep their eyes open :)

 

Link to FTC's press release on this lawsuit, since it doesn't appear to have been posted yet: https://www.ftc.gov/news-events/press-releases/2017/01/ftc-charges-d-link-put-consumers-privacy-risk-due-inadequate

Thanks! I'll update the OP with that link.


-Makes master key- -loses master key- -cries-

 

Welcome to backdoors 2017! How may we leak your shit?

Check out my iCUE Guide Beta Tester for Corsair

Got a Corsair Product? Got a Question?

Feel Free to PM Me ?

Check out my iCUE Guide
