D-Link has agreed to a settlement with the US Federal Trade Commission in regards to a 2017 lawsuit in which the US government agency accused the Taiwanese hardware maker of misrepresenting the security of its devices and ignoring vulnerability reports.
As part of the settlement, D-Link has promised to implement a new software security program for its routers and Internet-connected cameras.
The company has also agreed to subject itself to ten years of biennial security audits from a third-party, independent auditor. The FTC gets to choose the auditor, while D-Link got to decide the certifications the auditor must obtain before allowing it to review its security program.
According to the 32-page settlement, D-Link's new software security program must include a series of necessary components, such as:
The settlement stems from a 2017 FTC complaint in which the US agency accused the Taiwanese device maker of leaving hardcoded credentials for its products and mobile apps in their firmware or source code, which exposed customers to attack.
In a press release, D-Link welcomed the settlement, noting that the FTC did not claim D-Link had intentionally misled its customers and did not bar the company from making statements about its devices' security, a restriction the FTC has imposed on other IoT vendors' marketing materials.
"This settlement contrasts sharply with FTC's other consent orders with IoT companies, which include very broad restrictions on what those companies may say about their products. Importantly, unlike other IoT matters in which FTC had alleged 'deception,' today's proposed order contains no such restrictions," D-Link said.
The device maker was also pleased that it did not receive a fine, which the FTC often imposes in such settlements.
The FTC also gave D-Link a two-year safe harbor so the hardware maker can obtain all the security certifications required for its new software security program.
In 2016, the FTC reached a similar settlement with ASUS, which agreed to 20 years of security audits after it had also failed to secure its routers.