FTC suing D-LINK for lax IP camera, router security


RMerlin

Asuswrt-Merlin dev
The response is interesting. FTC now has to publicly show if D-Link products are vulnerable to such problems.

5 minutes of Googling should support at least some of the FTC's allegation as to DLink failing to take appropriate measures to ensure proper security. I remember at least two occasions where a security hole was found, and the initial fix provided by DLink did NOT resolve the issue, requiring a second security update from them (one was related to an HNAP hole, the other was related to the Joel backdoor).
 

thiggins

Mr. Easy
Staff member
What I would like to know is who dropped the dime on D-Link to the FTC. Someone had the long knives out, especially with the announcement timed to CES.

I also think the mention of the closing of a similar FTC action against ASUS in the FTC announcement is interesting. Didn't even hear about that one.
 

RMerlin

Asuswrt-Merlin dev
What I would like to know is who dropped the dime on D-Link to the FTC.

Wouldn't it be funny if company A complained about B, then B complained about C, and ultimately the FTC would progressively hit them all with "stop sucking and start securing your shirt".

I also think the mention of the closing of a similar FTC action against ASUS in the FTC announcement is interesting. Didn't even hear about that one.

Odd, the announcement was discussed a fair amount on SNBforums at the time. Asus has to go through mandatory security audits for the next 20 (!) years, in addition to other requirements.
 

Wutikorn

Senior Member
This is bad news for me as I have one D-Link IP camera in my house. I didn't know that its app uses HTTP for password transmission, but I don't use a common password for it anyway. However, I hope the FTC goes through security audits with all manufacturers so that most products will be more secure.
 

sfx2000

Part of the Furniture
What I would like to know is who dropped the dime on D-Link to the FTC.

From a business perspective - I don't think any one of D-Link's competitors would have tipped things off - as they would have been at risk for the same things... It's a fair warning for all the consumer oriented players... fix stuff or get busy in the woodshed...
 

RMerlin

Asuswrt-Merlin dev
I don't think any one of D-Link's competitors would have tipped things off - as they would have been at risk for the same things...

Plenty of folks who live in glass houses, so I still wouldn't rule that out.
 

sfx2000

Part of the Furniture
Nice writeup on the FTC vs DLink...

http://blog.erratasec.com/2017/01/notes-about-ftc-action-against-d-link.html

The suit is not "product liability", but "unfair and deceptive" business practices for promising "security". In addition, they interpret "security" differently from the cybersecurity community.

This needs to be stressed because right now in our industry, there is a big discussion of product liability, insisting that everything attached to the Internet needs to be secured. People will therefore assume the FTC action is based on "liability".

Instead, all six counts are based upon the fact that D-Link offers its products for securing networks, and claims they are secure. Because they have backdoor passwords, clear-text passwords, command-injection bugs, and public private-keys, the FTC feels the claims of security to be untrue.
 
