Do you use D-Link modem/routers or routers? Do you have or plan to buy smart home appliances or electronics (a/k/a the Internet of Things or IoT) you want to connect via your home WiFi network to these or other brand routers? Are you concerned about the security of IoT devices? If you answered yes to any of these questions, then today's blog post is for you.
The U.S. Federal Trade Commission (FTC) has filed a complaint against Taiwan-based D-Link Corporation and its U.S. subsidiary alleging the tech company didn't do enough to make its products secure from hacking. The FTC announcement stated that its complaint alleged:
"... that D-Link failed to take reasonable steps to secure its routers and Internet Protocol (IP) cameras, potentially compromising sensitive consumer information, including live video and audio feeds from D-Link IP cameras... D-Link promoted the security of its routers on the company’s website, which included materials headlined “EASY TO SECURE” and “ADVANCED NETWORK SECURITY.” But despite the claims made by D-Link, the FTC alleged, the company failed to take steps to address well-known and easily preventable security flaws, such as: a) "hard-coded" login credentials integrated into D-Link camera software -- such as the username “guest” and the password “guest” -- that could allow unauthorized access to the cameras’ live feed; b) a software flaw known as “command injection” that could enable remote attackers to take control of consumers’ routers by sending them unauthorized commands over the Internet; c) the mishandling of a private key code used to sign into D-Link software, such that it was openly available on a public website for six months; and d) leaving users’ login credentials for D-Link’s mobile app unsecured in clear, readable text on their mobile devices, even though there is free software available to secure the information."
Besides the D-Link shopping site, the company's products are available at many online stores, including Best Buy, Target, Walmart, and Amazon. The FTC complaint (Adobe PDF) stated 5 Counts describing in detail the alleged security lapses, some of which allegedly contradict advertising claims. The redacted complaint did not list specific product model numbers. Apple Insider reported:
"The security lapses also extended to mobile apps offered by D-Link to access and manage IP cameras and routers from a smartphone or tablet."
If these allegations are true, then item "C" is troubling. it raises questions about how and why a private key code were available on a public, unprotected server and for so long. It raises questions why this information wasn't encrypted. Access codes on a public server may help government intelligence agencies perform their tasks, but it suggests insufficient security for consumers. Access codes and login credentials are the holy grail for criminals. This is the information they seek in order to hack accounts and hijack devices.
Consumers connect via home routers a variety of IoT or smart devices: security systems, cameras, baby monitors, thermostats, home electronics, home appliances, toys, lawn mowers, and more. If true, the vulnerabilities could allow criminals to case home furnishings, eavesdrop on conversations, watch residents' patterns and discover when they are away from home, disable security systems, access tax and financial records, redirect users' Internet usage to fraudulent sites, and more.
The risks are real. A prior blog post discussed some of the security issues with IoT devices. Home routers have been hijacked and used to shut down targeted sites. ZDNet warned in May 2015:
"According to a report released by cybersecurity firm Incapsula on Wednesday, lax security practices concerning small office and home office (SOHO) routers has resulted in tens of thousands of routers becoming hijacked -- ending up as slave systems in the botnet network. Distributed denial-of-service (DDoS) attacks are a common way to disrupt networks and online services. The networks are often made up of compromised PCs, routers and other devices. Attackers control the botnet through a command and control center (C&C) in order to flood specific domains with traffic... ISPs, vendors and users themselves -- who do not lay down basic security foundations such as changing default passwords and keeping networks locked -- have likely caused the slavery of "hundreds of thousands [...] more likely millions" of routers now powering DDoS botnets which can cause havoc for both businesses and consumers..."
And a December 7, 2016 report by Incapsula listed about 18 vendors, including D-Link, that were susceptible to the Mirai malware used by botnets. So, the threat is real. Home routers have already been hijacked by bad guys to attack sites.
D-Link posted on its site a response to the FTC complaint:
"D-Link Systems, Inc. will vigorously defend itself against the unwarranted and baseless charges made by the Federal Trade Commission (FTC)... D-Link Systems maintains a robust range of procedures to address potential security issues, which exist in all Internet of Things (IOT) devices. Notably, the complaint does not allege any breach of a D-Link Systems device. Instead, the FTC speculates that consumers were placed “at risk” to be hacked, but fails to allege, as it must, that actual consumers suffered or are likely to suffer actual substantial injuries."
That response raises more questions. Breaches involve unauthorized persons accessing computers and/or networks. Clearly, botnets are collections of hijacked devices controlled by unauthorized persons using malware. The Incapsula reports clearly documented this. So, how are hijacked home routers and IoT devices with malware not breaches? And, botnets are designed to attack targeted sites, and not necessarily the hijacked routers and devices. So, the "actual substantial injuries" argument falls apart.
Aware consumers don't want their smart televisions, refrigerators, dishwashers, home security systems, baby monitors, cameras, and other devices hijacked by bad guys. The whole situation seems to provide two important reminders for consumers: 1) protect your IoT devices, and 2) be informed shoppers.
Protecting your IoT devices means changing the default passwords, especially on your routers and disabling remote access features. Informed shoppers Inquire before purchase about software security updates for IoT devices. Are those updates included in the product price, available in a separate subscription, or not at all? There are plenty of examples of smart home products with vulnerabilities and questionable security. Informed shoppers know before purchase.
If the product offers a separate subscription for software security updates, the money spent will be well worth it to protect your sensitive personal and financial information, to protect your family's privacy, and to avoid hijacked devices. If the product lacks software security updates, you want to know what you're buying and maybe barter for a lower price. Me? I'd keep shopping for alternatives with better security.
Protect your WiFi-connected home electronics, devices, and appliances. Don't contribute to Internet security problems.
Since most consumers lack the technical expertise to understand and detect breaches on their IoT devices, I am grateful for the FTC enforcement action; and for its guidelines in 2015 for companies offering IoT devices. Plus, the FTC is concerned with industry-wide threats that could hamper commerce. Perhaps, an economist can calculate the negative impacts upon commerce, the U.S. economy, and GDP from botnet attacks.
What are your opinions of the FTC lawsuit against D-Link Corporation? Of the security of IoT devices?