WBK Industry - Federal Regulatory Developments

FTC Files Complaint against D-Link for Misleading Security Claims

Recently, the Federal Trade Commission (“FTC”) brought a complaint against a computer networking equipment manufacturer based on allegations the company did not take proper steps to ensure the security of their internet connected devices, commonly called the “Internet of Things” (“IoT”). Such devices include web cameras and routers made and sold by the company.

The FTC has been pursuing security failures such as this on a more frequent basis as part of its efforts to protect consumers’ privacy and security in the IoT. According to the FTC, the threat of cyber breaches is no longer limited to online accounts or computers, as hackers have expanded their range to include personal computers, video cameras, smart home devices and even connected refrigerators.

This complaint was brought because the equipment manufacturer claimed its products were “easy to secure” and contained “advanced network security,” when in reality, the company failed to take steps to address even the most basic cyber threats. These included “hard coded” generic username and passwords (such as the username “guest” and the password “guest”) as the default for many devices that allow easy access for many hackers; a software flaw known as “command injection” that could enable attackers to take control of consumers’ routers remotely; negligence in handling private key codes that were later published to a public website for six months; and leaving users’ login credentials for mobile apps unsecured, even though free security software is available.

These security lapses can have significant practical consequences. Compromised routers can allow hackers access to any device connected to the internet through the router, such as a personal computer containing sensitive, personal data. Similarly, hacked web cameras can allow hackers to spy on unsuspecting victims and track their whereabouts for the purpose of theft or other crimes.

This complaint was filed in the Federal District Court for the Northern District of California and means the FTC has “reason to believe” the law has been or is being violated. The case will be decided by a federal judge.

The FTC’s press release regarding this complaint may be found here:
https://www.ftc.gov/news-events/press-releases/2017/01/ftc-charges-d-link-put-consumers-privacy-risk-due-inadequate.