https://threatpost.com/ftc-d-link-failed-to-secure-routers-ip-cameras/122895/
Legal process against companies that seem to have failed in IoT security in 2016 seems to be starting now. I expect that also several other companies will get similar treatment – very many companies have had same type security problems.
4 Comments
Tomi Engdahl says:
FTC takes D-Link to court citing lax product security, privacy perils
FTC: D-Link failed to take reasonable steps to secure its routers and Internet Protocol (IP) cameras, potentially compromising sensitive consumer information
http://www.networkworld.com/article/3154899/security/ftc-takes-d-link-to-court-citing-lax-product-security-privacy-perils.html
The Federal Trade Commission has filed a complaint against network equipment vendor D-Link saying inadequate security in the company’s wireless routers and Internet cameras left consumers open to o hackers and privacy violations.
The FTC, in a complaint filed in the Northern District of California charged that “D-Link failed to take reasonable steps to secure its routers and Internet Protocol (IP) cameras, potentially compromising sensitive consumer information, including live video and audio feeds from D-Link IP cameras.”
https://www.ftc.gov/system/files/documents/cases/170105_d-link_complaint_and_exhibits.pdf
Tomi Engdahl says:
But despite the claims made by D-Link, the FTC alleged, the company failed to take steps to address well-known and easily preventable security flaws, such as:
“Hard-coded” login credentials integrated into D-Link camera software — such as the username “guest” and the password “guest” — that could allow unauthorized access to the cameras’ live feed;
A software flaw known as “command injection” that could enable remote attackers to take control of consumers’ routers by sending them unauthorized commands over the Internet;
The mishandling of a private key code used to sign into D-Link software, such that it was openly available on a public website for six months; and
Leaving users’ login credentials for D-Link’s mobile app unsecured in clear, readable text on their mobile devices, even though there is free software available to secure the information.
The FYC said that hackers could exploit these vulnerabilities using any of several simple methods.
Source: http://www.networkworld.com/article/3154899/security/ftc-takes-d-link-to-court-citing-lax-product-security-privacy-perils.html
Tomi Engdahl says:
Uncle Sam, D-Link told to battle in court over claims of shoddy device security: Judge snubs summary judgment bids
No spittin’, no cussin’, either, Cali judge rules
https://www.theregister.co.uk/2018/11/06/dlink_ftc_denied/
America’s trade watchdog’s case against network device maker D-Link will go ahead next January – after a district judge rebuked the two sides for wasting money drawing up and filing demands for summary judgments.
The US Federal Trade Commission (FTC) brought its lawsuit against Taiwanese D-Link early last year in California, and in doing so griped about a host of alleged bad practices, including hard-coded passwords, command-injection vulnerabilities, misplaced security keys, and plaintext password storage in D-Link’s gear. These, the watchdog claimed, amounted to misrepresentation by a company that touted the advanced security of its products, and thus put buyers at risk.
Tomi Engdahl says:
The FTC Lawsuit over D-Link: Technical Perspective of Routers Security
https://www.vdoo.com/blog/ftc-lawsuit-over-d-link
The U.S. Federal Trade Commission (FTC) sued D-Link for putting consumers’ most sensitive personal data at risk due to the inadequate security of its routers and cameras. D-Link was criticized for releasing products which lack basic security measures, and for responding late