D-Link to undergo security audits for 10 years as part of FTC settlement

D-Link must also implement a new and modern software security program for its routers and security cameras.
Written by Catalin Cimpanu, Contributor

D-Link has agreed to a settlement with the US Federal Trade Commission over a 2017 lawsuit in which the US government agency accused the Taiwanese hardware maker of misrepresenting the security of its devices and ignoring vulnerability reports.

As part of the settlement, D-Link has promised to implement a new software security program for its routers and Internet-connected cameras.

The company has also agreed to subject itself to ten years of biennial security audits from an independent, third-party auditor. The FTC gets to choose the auditor, while D-Link got to decide which certifications the auditor must obtain before it is allowed to review the company's security program.

D-Link's new software security program

According to the 32-page settlement, D-Link's new software security program must include a series of necessary components, such as:

  • Engaging in security planning by enumerating in writing how functionality and features will affect the security of its devices.
  • Performing threat modeling to identify internal and external risks to the security of data transmitted using its devices.
  • Reviewing source code and testing for vulnerabilities before releasing products using automated static analysis tools.
  • Performing ongoing code maintenance by maintaining a database of shared code to be used to help find other instances of a vulnerability when a vulnerability is reported or otherwise discovered.
  • Remediation processes designed to address security flaws, or analogous instances of security flaws, identified at any stage of the software development process.
  • Ongoing monitoring of security research for potential vulnerabilities that could affect its products.
  • A process for accepting vulnerability reports from security researchers, which shall include providing a designated point of contact for security researchers and appointing supervisory personnel to validate concerns.
  • Implementing an automatic firmware update mechanism for its devices.
  • Warning device owners that a specific model has ceased receiving security updates, at least 60 days before the company decides to stop supporting a model.

The settlement stems from a 2017 FTC complaint in which the US agency accused the Taiwanese device maker of leaving hardcoded credentials for its products and mobile apps in their firmware or source code, which opened customers to hacking.

D-Link welcomes settlement

In a press release, D-Link welcomed the settlement. The company was happy that the FTC didn't claim D-Link acted intentionally in misleading its customers, and that the FTC didn't bar the company from making any statements about its devices' security, as it has forbidden other IoT vendors from doing in their respective marketing materials.

"This settlement contrasts sharply with FTC's other consent orders with IoT companies, which include very broad restrictions on what those companies may say about their products. Importantly, unlike other IoT matters in which FTC had alleged 'deception,' today's proposed order contains no such restrictions," D-Link said.

The device maker was also happy that it did not receive a fine, which the FTC often imposes in settlements.

The FTC also gave D-Link a two-year safe harbor for its new security program so the hardware maker can obtain all the needed security certifications for its new software security program.

In 2016, the FTC reached a similar settlement with ASUS, which agreed to 20 years of security audits after it had also failed to secure its routers.
