Router and webcam maker D-Link has agreed to implement a new security program to settle charges it failed to safeguard its hardware against well-known and preventable hacks and misrepresented its existing security regimen.
Tuesdays agreement settles a 2017 complaint by the US Federal Trade Commission that alleged D-Link left thousands of customers open to potentially costly hack attacks. The hardware maker, the FTC said, failed to test its gear against security flaws ranked among the most critical and widespread by the Open Web Application Security Project. The 2017 suit also said that, despite the lack of testing and hardening of its products, D-Link misrepresented its security regimen as reasonable.
Specific shortcomings cited by the FTC included:
- hard-coded login credentials on its D-Link camera software that used easily guessed passwords
- storing mobile app login credentials in human-readable text on a users mobile device
- expressly or implicitly describing its hardware as being secure from unauthorized access
- repeatedly failing to take reasonable testing and remediation measures to protect hardware from well-known and easily preventable software security flaws
“We sued D-Link over the security of its routers and IP cameras, and these security flaws risked exposing users most sensitive personal information to prying eyes,” Andrew Smith, director of the FTCs Bureau of Consumer Protection, said in a release. “Manufacturers and sellers of connected devices should be aware that the FTC will hold them to account for failures that expose user data to risk of compromise.”
Tuesdays settlement requires D-Link to implement a security program that better ensures the companys cameras and routers are secure. The program requires “implementing security planning, threat modeling, testing for vulnerabilities before releasing products, ongoing monitoring to address security flaws, and automatic firmware updates, as well as accepting vulnerability reports from security researchers.”
For the next decade, D-Link will also be required every two years to obtain independent, third-party assessments of its software security program. Documents related to the assessment must be provided to FTC employees upon request. The settlement also requires the assessor to identify specific evidence for its findings rather than solely relying on assertions by D-Link management. The FTC has the authority to approach the third-party assessor chosen by D-Link.
In the 30 months that have passed since the FTC sued D-Link, hackers have continued to capitalize on past mRead More – Source