FTC suing D-LINK for lax IP camera, router security

The response is interesting. FTC now has to publicly show if D-Link products are vulnerable to such problems.

5 minutes of Googling should support at least some of the FTC's allegation as to DLink failing to take appropriate measures to ensure proper security. I remember at least two occasions where a security hole was found, and the initial fix provided by DLink did NOT resolve the issue, requiring a second security update from them (one was related to an HNAP hole, the other was related to the Joel backdoor).
 
What I would like to know is who dropped the dime on D-Link to the FTC. Someone had the long knives out, especially with the announcement timed to CES.

I also think the mention of the closing of a similar FTC action against ASUS in the FTC announcement is interesting. Didn't even hear about that one.
 
What I would like to know is who dropped the dime on D-Link to the FTC.

Wouldn't it be funny if company A complained about B, then B complained about C, and ultimately the FTC would progressively hit them all with "stop sucking and start securing your shirt".

I also think the mention of the closing of a similar FTC action against ASUS in the FTC announcement is interesting. Didn't even hear about that one.

Odd, the announcement was discussed a fair amount on SNBforums at the time. Asus have to go through mandatory security audits for the next 20 (!) years, in addition to other requirements.
 
This is bad news for me as I have one D-Link IP Camera in my house. I didn't know that its app uses HTTP for password transmission, but I don't use a common password for it anyway. However, I hope the FTC goes through security audits with all manufacturers so that most products will be more secure.
 
What I would like to know is who dropped the dime on D-Link to the FTC.

From a business perspective - I don't think any one of D-Link's competitors would have tipped things off - as they would have been at risk for the same things... It's a fair warning for all the consumer oriented players... fix stuff or get busy in the woodshed...
 
I don't think any one of D-Link's competitors would have tipped things off - as they would have been at risk for the same things...

Plenty of folks who live in glass houses, so I still wouldn't rule that out.
 
Nice writeup on the FTC vs DLink...

http://blog.erratasec.com/2017/01/notes-about-ftc-action-against-d-link.html

The suit is not "product liability", but "unfair and deceptive" business practices for promising "security". In addition, they interpret "security" different from the cybersecurity community.

This needs to be stressed because right now in our industry, there is a big discussion of product liability, insisting that everything attached to the Internet needs to be secured. People will therefore assume the FTC action is based on "liability".

Instead, all six counts are based upon the fact that D-Link offers its products for securing networks, and claims they are secure. Because they have backdoor passwords, clear-text passwords, command-injection bugs, and public private-keys, the FTC feels the claims of security to be untrue.
 
