D-Link fights back against 'baseless' data security lawsuit

Suing companies for the potential of a data security breach would stifle IoT innovation, the firm representing D-Link against the FTC's lawsuit has argued.

Cause of Action Institute has announced that it will be defending D-Link against the United States Federal Trade Commission (FTC)'s "unwarranted and baseless" lawsuit claiming that the technology company put thousands of customers at risk of unauthorised access by failing to secure its IP cameras and routers.

The FTC should not be able to "bring a lawsuit on the mere potential of a data security breach", Cause of Action Institute assistant VP Patrick Massari argued, as this would stifle innovation and uptake of the Internet of Things (IoT).

"It sets a dangerous precedent for the federal government to go after a good company and put American jobs at risk without a single instance of actual or likely consumer harm," Massari said.

"This lawsuit is another instance of the FTC's unchecked regulatory overreach ... nearly every company will be subject to unconstrained and unexplored data security liability. Such limitless liability coupled with FTC's history of unrelentingly litigious oversight will no doubt have a chilling effect on innovation in the Internet of Things."

D-Link Systems chief information security officer William Brown said the company is committed to fighting the FTC's "false allegations" alongside Cause of Action Institute, which also represented LabMD in its successful data security suit against the FTC in 2015.

The company is also staunch about securing its customers' data, Brown said.

"We are committed to protecting customer security, which the complaint affirmed by citing no actual data breach," Brown said.

"Global connectivity relies on an unfettered commitment to security; we will continue to maintain and enhance the integrity of all D-Link Systems products."

The FTC filed its lawsuit against D-Link last week, claiming that D-Link continually "failed to take reasonable software testing and remediation measures to protect their routers and IP cameras against well-known and easily preventable software security flaws" in several of its IoT devices.

Specifically, the FTC said these alleged security failures amounted to D-Link hard-coding login credentials or backdoors that allowed unauthorised access to live feeds in its camera software; mishandling the private sign-in key code for its own software, leaving it exposed online for around six months; failing to take reasonable steps to prevent a known vulnerability allowing attackers to remotely control and send commands to routers; and failing to use free software that has been available since 2008 to secure its users' app logins, instead storing them in clear, readable text on users' mobile devices.

"Defendants have failed to take reasonable steps to protect their routers and IP cameras from widely known and reasonably foreseeable risks of unauthorised access, including by failing to protect against flaws which the Open Web Application Security Project has ranked among the most critical and widespread web application vulnerabilities since at least 2007," the lawsuit says.

The FTC called the risk of attackers exploiting these vulnerabilities "significant", as remote attackers were able to gain unauthorised access to devices using "simple steps" and "widely available tools".

Attackers would be able to gain access to sensitive financial account information; obtain tax returns and other such files stored on a user's router; attack any other devices attached to the local network, including smartphones, IoT appliances, computers, and cameras; gain access to home-security cameras and thereby enable theft from these premises by observing the comings and goings of inhabitants; observe and record personal activities and conversations online; and download malware onto users' devices.

The FTC claims that D-Link not only failed to protect against these risks, but also actively promoted the security of its devices during this period.

The lawsuit followed reports in July last year that a serious security flaw was discovered by the Senrio research team in five of D-Link's cameras, with a stack overflow issue giving attackers the ability to overwrite administrator passwords in home Wi-Fi cameras, add new users with administrative access, reconfigure products, and download malware.

The vulnerability was a result of a firmware update for the D-Link DCS-930L Network Cloud Camera that enabled remote unauthorised access through just a single line of code.

The FTC is seeking a permanent injunction to prevent D-Link from engaging in unfair or deceptive acts or practices in violation of Section 5(a) of the FTC Act, as well as legal costs and any other equitable relief the court deems appropriate.