Smart home products manufacturer D-Link Systems, Inc., has agreed to implement a comprehensive software security program in order to settle Federal Trade Commission allegations over misrepresentations that the company took reasonable steps to secure its wireless routers and Internet-connected cameras.
The settlement ends FTC litigation against D-Link stemming from a 2017 complaint in which the agency alleged that, despite claims touting device security, vulnerabilities in the company’s routers and Internet-connected cameras left sensitive consumer information, including live video and audio feeds, exposed to third parties and vulnerable to hackers.
“We sued D-Link over the security of its routers and IP cameras, and these security flaws risked exposing users’ most sensitive personal information to prying eyes,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “Manufacturers and sellers of connected devices should be aware that the FTC will hold them to account for failures that expose user data to risk of compromise.”
Despite promoting the security of its products by claiming it offered “advanced network security,” D-Link failed to perform basic secure software development, including testing and remediation to address well-known and preventable security flaws, according to the FTC’s complaint. These flaws included using hard-coded login credentials on its D-Link camera software with the easily guessed username and password, “guest,” and storing mobile app login credentials in clear, readable text on a user’s mobile device.
As part of the proposed settlement, D-Link is required to implement a comprehensive software security program, including specific steps to ensure that its Internet-connected cameras and routers are secure. This includes implementing security planning, threat modeling, testing for vulnerabilities before releasing products, ongoing monitoring to address security flaws, and automatic firmware updates, as well as accepting vulnerability reports from security researchers.
In addition, D-Link is required for 10 years to obtain biennial, independent, third-party assessments of its software security program. The assessor must keep all documents it relies on for its assessment for five years and provide them to the Commission upon request. The settlement also requires the assessor to identify specific evidence for its findings—and not rely solely on the assertions of D-Link’s management. Finally, the order gives the FTC authority to approve the third-party assessor D-Link chooses.
Under this settlement, D-Link has the option to have the assessor certify its compliance with the secure product development standard set by the International Electrotechnical Commission, an international standard setting organization. If the company successfully obtains the necessary compliance certifications required of the standard, D-Link will be deemed in compliance with the order’s comprehensive security program requirement. This provision, however, does not apply if D-Link provides any misleading or false information during its biennial audit or assessment process.
The Commission vote to accept the proposed consent agreement with D-Link was 5-0. The FTC filed the proposed settlement in the U.S. District Court for the Northern District of California on July 2, 2019.