FTC files lawsuit against D-Link for router and camera security flaws

The FTC has filed a lawsuit against D-Link for failing to protect its customers against 'well known and easily preventable software security flaws' in its routers and IoT cameras.
Written by Corinne Reichert, Contributor

The United States Federal Trade Commission (FTC) has filed a lawsuit against D-Link, claiming the company put thousands of customers at risk of unauthorised access by failing to secure its IP cameras and routers, after security vulnerabilities were discovered last year.

The lawsuit [PDF], filed in the District Court in San Francisco on January 5, claims that D-Link "repeatedly have failed to take reasonable software testing and remediation measures to protect their routers and IP cameras against well-known and easily preventable software security flaws" in several of its Internet of Things (IoT) devices.

Specifically, the FTC said these alleged security failures amounted to D-Link hard-coding login credentials or backdoors that allowed unauthorised access to live feeds in its camera software; mishandling its own software private sign-in key code so it was exposed online for around six months; failing to take reasonable steps to prevent a known vulnerability allowing attackers to remotely control and send commands to routers; and failing to use free software that has been available since 2008 to secure its users' app logins, instead storing them in clear, readable text on users' mobile devices.

"Defendants have failed to take reasonable steps to protect their routers and IP cameras from widely known and reasonably foreseeable risks of unauthorised access, including by failing to protect against flaws which the Open Web Application Security Project has ranked among the most critical and widespread web application vulnerabilities since at least 2007," the lawsuit says.

The FTC called the risk of attackers exploiting these vulnerabilities "significant", as remote attackers were able to gain unauthorised access to devices using "simple steps" and "widely available tools".

"In many instances, an attacker could then take simple steps to exploit vulnerabilities in defendants' routers and IP cameras, impacting not only consumers who purchased these devices, but also other consumers, who access the internet in public or private locations served by the routers or who visit locations under the IP cameras' surveillance," the lawsuit argues.

Attackers would be able to gain access to sensitive financial account information; obtain tax returns and other such files stored on a user's router; attack any other devices attached to the local network, including smartphones, IoT appliances, computers, and cameras; gain access to home-security cameras and thereby enable the theft of these premises by observing the comings and goings of inhabitants; observe and record personal activities and conversations online; and download malware onto users' devices.

Not only did it fail to protect against these risks, but the FTC claims that D-Link also actively promoted the security of its devices during this period.

"Promising 'Advanced Network Security', D-Link's promotional materials assured buyers that their routers 'support the latest wireless security features to help prevent unauthorised access, be it from a wireless network or from the Internet'," the FTC wrote in a blog post on Thursday.

"Other ads touted a D-Link product as 'not only one of the finest routers available, it's also one of the safest'. Even the package for D-Link's Digital Baby Monitor featured a lock icon with the phrase 'Secure Connection' next to a picture of an adorable baby. The company repeated many of those security promises in the interactive interfaces consumers used to set up their D-Link products.

"D-Link further touted its practices in a Security Event Response Policy, posted after some highly-publicised security flaws were found to affect the company's products."

The FTC is seeking a permanent injunction to prevent D-Link from engaging in unfair or deceptive acts or practices in violation of Section 5(a) of the FTC Act, as well as legal costs and any other equitable relief the court deems appropriate.

The lawsuit follows reports in July last year that a serious security flaw was discovered by the Senrio research team in five of D-Link's cameras, with a stack overflow issue giving attackers the ability to overwrite administrator passwords in home Wi-Fi cameras, add new users with administrative access, reconfigure products, and download malware.

The vulnerability was a result of a firmware update for the D-Link DCS-930L Network Cloud Camera that enabled remote unauthorised access through just a single line of code.

"The vulnerable function copies data from an incoming string to a stack buffer, overwriting the return address of the function," Senrio wrote in a blog post last year.

"This vulnerability can be exploited with a single command which contains custom assembly code and a string crafted to exercise the overflow. The function first copies the assembly code to a hard-set, executable, address. Next, the command triggers the stack overflow and sets the value of the function's return address to the address of the attacker's assembly code."

Senrio laid the blame at the feet of "poorly written firmware components used in cheap systems on chips (SoCs)".

In response, D-Link said it was "fully aware" of the report and was taking it seriously.

"Since being alerted, we have been carefully investigating all the information sent to us from the source of the report. At this time, there is suspicion that it may be pointing to a past issue that's already been dealt with. We are continuing to investigate further and will do what's necessary to keep our cameras safe," a D-Link spokesperson told ZDNet in July.

"As a rule of thumb, we advise customers to once again review their devices and check they are all running on the latest firmware as well as change their passwords regularly."

Editorial standards