Featured FTC suing D-LINK for lax IP camera, router security

Discussion in 'General Network Security' started by thiggins, Jan 6, 2017.

  1. thiggins

    thiggins Mr. Easy Staff Member

    Joined:
    May 18, 2008
    Messages:
    11,695
  2. Wutikorn

    Wutikorn Senior Member

    Joined:
    Nov 12, 2015
    Messages:
    302
    Location:
    Thailand
  3. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    9,718
    Location:
    San Diego, CA
  4. RMerlin

    RMerlin Part of the Furniture

    Joined:
    Apr 14, 2012
    Messages:
    21,289
    Location:
    Canada
    5 minutes of Googling should support at least some of the FTC's allegation as to DLink failing to take appropriate measures to ensure proper security. I remember at least two occasions where a security hole was found, and the initial fix provided by DLink did NOT resolve the issue, requiring a second security update from them (one was related to an HNAP hole, the other was related to the Joel backdoor).
     
  5. thiggins

    thiggins Mr. Easy Staff Member

    What I would like to know is who dropped the dime on D-Link to the FTC. Someone had the long knives out, especially with the announcement timed to CES.

    I also think the mention of the closing of a similar FTC action against ASUS in the FTC announcement is interesting. Didn't even hear about that one.
     
  6. RMerlin

    RMerlin Part of the Furniture

    Wouldn't it be funny if company A complained about B, then B complained about C, and ultimately the FTC would progressively hit them all with "stop sucking and start securing your shit".

    Odd, the announcement was discussed a fair amount on SNBforums at the time. Asus has to go through mandatory security audits for the next 20 (!) years, in addition to other requirements.
     
  7. thiggins

    thiggins Mr. Easy Staff Member

  8. Wutikorn

    Wutikorn Senior Member

    This is bad news for me as I have one D-Link IP Camera in my house. I didn't know that its app uses HTTP for password transmission, but I don't use a common password for it anyway. However, I hope the FTC goes through security audits with all manufacturers so that most products will be more secure.
     
  9. sfx2000

    sfx2000 Part of the Furniture

    From a business perspective - I don't think any one of D-Link's competitors would have tipped things off - as they would have been at risk for the same things... It's a fair warning for all the consumer oriented players... fix stuff or get busy in the woodshed...
     
  10. RMerlin

    RMerlin Part of the Furniture

    Plenty of folks who live in glass houses, so I still wouldn't rule that out.
     
  11. sfx2000

    sfx2000 Part of the Furniture

    If it gets fully to court, we'll find out soon enough...
     
  12. sfx2000

    sfx2000 Part of the Furniture

    Nice writeup on the FTC vs DLink...

    http://blog.erratasec.com/2017/01/notes-about-ftc-action-against-d-link.html

    The suit is not "product liability", but "unfair and deceptive" business practices for promising "security". In addition, they interpret "security" different from the cybersecurity community.

    This needs to be stressed because right now in our industry, there is a big discussion of product liability, insisting that everything attached to the Internet needs to be secured. People will therefore assume the FTC action is based on "liability".

    Instead, all six counts are based upon the fact that D-Link offers its products for securing networks, and claims they are secure. Because they have backdoor passwords, clear-text passwords, command-injection bugs, and public private-keys, the FTC feels the claims of security to be untrue.
     
