On January 6, 2017, the Federal Trade Commission (FTC) announced that it had filed a complaint against Taiwanese D-Link Corp. and its U.S. subsidiary, D-Link Systems Inc. (D-Link), alleging that the company made deceptive claims about the security of its products and engaged in unfair practices that put U.S. consumers’ privacy at risk. The case is noteworthy because the FTC did not cite an actual breach affecting D-Link’s devices; rather, it brought the action based on the alleged potential harm to consumers that could result from security vulnerabilities in the devices.
D-Link sells networking equipment for consumers’ home networks, such as routers, internet protocol (IP) cameras, baby monitors and home security cameras. These devices allow consumers to monitor their homes, young children and even pets by providing access to live camera feeds from a mobile device or computer.
The FTC alleges that D-Link failed to protect against “widely known and reasonably foreseeable risks of unauthorized access” to the routers and cameras, thus endangering the privacy and security of its customers. These failures, the FTC asserts, could lead to exploitation of the devices and exposure of consumer information to attackers.
The FTC’s complaint alleges that D-Link failed to take reasonable steps to secure the routers and IP cameras for U.S. consumers. In particular, the complaint alleges that D-Link failed to do the following:
- Take reasonable software testing and remediation measures to protect its routers and IP cameras against well-known and easily preventable software security flaws that could allow remote attackers to gain control of consumers’ devices.
- Take reasonable steps to maintain the confidentiality of the “signature” key that D-Link used to sign its software, which resulted in the exposure of that private key on a public website for approximately six months.
- Use free software, available since at least 2008, to secure users’ mobile app login credentials; instead, the app stored those credentials in clear, readable text on users’ mobile devices.
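The second allegation above, a private signing key left on a public website for months, is the kind of exposure a pre-publication check catches cheaply. The script below is an added example and is not D-Link’s tooling or anything from the complaint: it walks a release tree as bytes (firmware images and archives are not text), flags every PEM private-key header it finds, and reports the file and line. The directory layout, file names and the placeholder key body in `demo()` are constructed for the demonstration.

```python
"""Pre-release scan for private-key material in a build or release tree.

Added example, not D-Link's process: run this over every artifact set before it
is published so that a signing key cannot ship alongside the firmware or land on
a public download site.  Sample files in demo() are constructed for the demo.
"""
import re
import tempfile
from pathlib import Path

# PEM private-key headers, e.g. "BEGIN PRIVATE KEY", "BEGIN RSA PRIVATE KEY",
# "BEGIN EC PRIVATE KEY", "BEGIN ENCRYPTED PRIVATE KEY", "BEGIN OPENSSH PRIVATE KEY".
# The optional word group does not match "BEGIN PUBLIC KEY" or certificates.
PRIVATE_KEY_RE = re.compile(rb"-----BEGIN (?:[A-Z]+ )*PRIVATE KEY-----")


def scan_tree(root):
    """Return (relative path, line number, header) for each PEM private-key header under root."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        data = path.read_bytes()  # bytes, not text: binaries and archives are scanned too
        for match in PRIVATE_KEY_RE.finditer(data):
            line_no = data.count(b"\n", 0, match.start()) + 1
            hits.append((path.relative_to(root).as_posix(), line_no,
                         match.group(0).decode("ascii")))
    return hits


def release_is_clean(root):
    """True when no private-key header is present anywhere under root."""
    return not scan_tree(root)


def demo():
    """Build a constructed release tree with one leaked key and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "firmware").mkdir()
        (root / "firmware" / "README.txt").write_text("Firmware 1.2.3 release notes\n")
        # A public key is fine to ship; the scanner must not flag it.
        (root / "pubkey.pem").write_text(
            "-----BEGIN PUBLIC KEY-----\nMFkw... (constructed placeholder)\n-----END PUBLIC KEY-----\n")
        # The signing key must never be in the release tree (constructed placeholder, not a real key).
        (root / "firmware" / "signing.pem").write_text(
            "-----BEGIN RSA PRIVATE KEY-----\nMIIE... (constructed placeholder)\n-----END RSA PRIVATE KEY-----\n")
        return scan_tree(root), release_is_clean(root)


if __name__ == "__main__":
    hits, clean = demo()
    for rel_path, line_no, header in hits:
        print(f"{rel_path}:{line_no}: {header}")
    print("release clean:", clean)
```

The check is deliberately a fail-closed gate: `release_is_clean` returns `False` on any hit, so a publishing pipeline can refuse to upload rather than rely on someone noticing the file later. It catches PEM-encoded keys only; DER or proprietary key blobs need a scanner keyed to those formats.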
The FTC further alleges that D-Link made numerous false claims in its marketing materials as to the security of its routers and IP cameras. The complaint requests that the court enter a permanent injunction to prevent future violations of the FTC Act by D-Link and award costs to the FTC.
Following the FTC complaint, D-Link posted a response on its website stating that the company will “vigorously defend” the claims against it, and that it “maintains a robust range of procedures to address potential security issues, which exist in all Internet of Things (IoT) devices.”
This latest complaint follows other FTC actions focused on the privacy and security risks associated with increasingly ubiquitous IoT devices. Companies involved in IoT device design and manufacturing should take precautions and guard against potential exposure of consumer information.
In January 2015, an FTC Staff Report on the Internet of Things offered guidance for companies on best practices to address consumer privacy and security risks. Recognizing that there is no “one size fits all” approach to tackling the privacy risks posed by IoT devices, the FTC indicated that companies should consider the following suggestions:
- Build security measures into devices from the outset and at every stage of development – don’t wait to implement retroactive security measures after the devices have already been produced and sold.
- Consistently maintain up-to-date software to secure consumer personal information, and ensure regular software testing. Any identified vulnerabilities should be remediated promptly, connected devices should be monitored throughout their life cycles and security patches should be issued to cover known risks.
- Take steps to implement reasonable access control measures for IoT devices, including making sure proprietary device signing keys remain confidential.
- Accurately describe the products’ safety and security features in marketing and promotional materials.
A year and a half later, in June 2016, the FTC responded to a Request for Comments on the IoT that had been issued by the National Telecommunications and Information Administration. In its response, the FTC called out safety risks and threats to personal information posed by IoT devices, as well as IoT vulnerabilities that have the capability to facilitate attacks on other systems.