- January 6, 2017
- Posted by: Kerry Tomlinson, Archer News
- Categories: Archer News, Cyber Crime, Cyberattack, Hacking, Home Security, Posts with image, Smart Devices
A watchdog agency is suing the company for allegedly tricking customers.
If you bought a D-Link router, you might think it had high-level security.
The network device company advertises more than one product as “one of the safest” routers available.
You’ll also see these D-Link claims online—“easy to secure,” “advanced network security” and “where smart meets safe.”
But the FTC has now filed suit against the router, baby monitor and IP [Internet Protocol] camera maker, saying D-Link deceived customers about the real safety of its devices.
D-Link represented to customers that it took reasonable steps to secure its products from unauthorized access, but failed to actually take the necessary steps, the FTC said.
“The risk that attackers would exploit these vulnerabilities to harm consumers was significant,” the FTC complaint against D-Link reads.
The company is based in Taiwan and works with a partner company, D-Link Systems, in California.
“D-Link Systems, Inc. is aware of the complaint filed by the FTC,” the California company said in a statement to Archer News. “D-Link denies the allegations outlined in the complaint and is taking steps to defend the action. The security of our products and protection of our customers’ private data is always our top priority.”
D-Link statement.
The company also posted FTC complaint FAQs for customers on its site.
The security holes?
D-Link did not fix “well-known and easily preventable security flaws,” the FTC said in its complaint.
For example, the company put “hard-coded,” easy-to-guess logins into D-Link camera software, the FTC said.
That means anyone who tried an easy username like “guest” and an easy password like “guest” could get into your system, and there was no way for you to change it on your own.
Another flaw—“command injection,” where malicious hackers could send your router their own commands and take over your system, according to the complaint.
Also, when you log in to the D-Link mobile app, the app stores your personal info without protecting it, even though free software to protect that data has been available for more than seven years, said the FTC.
And D-Link left a private key code out in the open on a public website for six months where anyone could grab it and use it against you, the FTC complained.
That private key code is a problem, said Vincent Berk, CEO of cybersecurity company FlowTraq. It can create a secret backdoor where bad guys can get in.
“The command injection is bad,” Berk said to Archer News. “But the fact that there is a private key code that unlocks access to the software is even worse.”
“Such a mechanism is typically frowned upon in the industry,” he added. “It is security by obscurity, and once lost and out in the open, there is nothing you can do to keep secure.”
Promotional material for D-Link baby monitor. Image from FTC complaint documents.
What could the bad guys do?
An attacker could use these vulnerabilities to do things like steal your sensitive personal information, like your tax returns, or trick you into visiting a fake bank site to grab your account password, the FTC alleged.
They could also spy on you or your children through compromised cameras and microphones, according to the complaint.
“Hackers are increasingly targeting consumer routers and IP cameras—and the consequences for consumers can include device compromise and exposure of their sensitive personal information,” said the FTC’s Jessica Rich in a press release. “When manufacturers tell consumers that their equipment is secure, it’s critical that they take the necessary steps to make sure that’s true.”
D-Link advertises more than one of its routers as “one of the safest” available, according to the FTC. Image from FTC complaint documents.
Spying is not your biggest worry, according to Travis Smith, senior security research engineer with Tripwire.
“It’s important to know that most cyber criminals are after a financial gain of some type,” Smith told Archer News. “While it may be entertaining for someone half-way around the world to look at your driveway, there is little to no money in that feed.”
More likely, Smith believes? Bad guys could turn your router and cameras into zombie attack devices to blitz other websites with so much traffic that no one can reach them, as happened in the big Internet “takedown” on October 21.
That’s still a problem, but you’ll feel it less, Smith said.
“For consumers, it’s kind of like having someone steal your car only to return it when they are done,” he said. “You may feel a little bit violated that someone was using your belongings, but at the end of the day, you weren’t really affected.”
If you don’t feel the pain—and if the router/camera company doesn’t feel the pain—the problem of insecure devices may continue.
“Until criminals exploit these devices to harm the device manufacturer and/or the device owner, neither will have much incentive to respond to these types of issues,” Smith explained. “It looks as if the FTC realizes this and is trying to force the hand of device manufacturers to take security more seriously.”
D-Link router as presented online. Image from FTC complaint documents.
Buy a new one?
So, should you trade out your D-Link router or camera for something else?
“I certainly would not recommend running out and buying new,” advised Berk. “That often just means you’re just swapping known vulnerabilities for unknown vulnerabilities. The devil you know, right?”
And D-Link is not the only manufacturer with security issues.
“There are printers, VOIP [Voice over Internet Protocol] boxes, thermostats, even home appliances such as refrigerators that are already out there, and communicating on your network,” Berk said. “It is likely that one-by-one these devices are going to become compromised, and the manufacturer has little they can do to pull them back and fix them.”
“The problem is going to get worse, not because people don’t care, but because the vulnerable stuff is already out there for the taking,” he added.
D-Link camera & app as presented online. Image from FTC complaint documents.
What can you do?
You can cut off remote access to your router to try to keep the bad guys out.
“For example, many vulnerabilities in consumer routers are with the web-based administration of the device,” said Smith. “It is likely that users can disable remote administration of their router to prevent an attacker from gaining access to their home network.”
And follow some basic security steps, like changing the default password—the password that comes on your device so you can set up your system—because attackers can easily guess them.
“As consumers, we would do wise to change default passwords as a matter of fact,” said Berk. “Lock your house! It is kind of common sense.”
Watch out for updates, no matter what brand of router or camera you have. They could fix vulnerabilities like the ones in the FTC complaint.
“Be cognizant of software updates that are available for your IoT [Internet of Things] devices,” said Berk. “Manufacturers do send updates to these, and they are available.”
And don’t believe all the marketing claims you see online.
“In the year 2017, we should be somewhat skeptical of unqualified marketing slogans,” said Berk.