D-Link Settles With FTC, Agrees To Fix Its Shoddy Router Security
from the slowly-getting-the-message dept
While the shoddy Internet of Things sector gets ample heat for being a security and privacy dumpster fire, the traditional network gear sector has frequently been just as bad. A few years ago, for example, hardware vendor Asus was dinged by the FTC for offering paper-mache grade security on the company’s residential network routers. The devices were frequently being shipped with easily guessable default usernames and passwords, and contained numerous, often obvious, security vulnerabilities.
In 2017, the FTC also filed suit against D-Link, alleging many of the same things. According to the FTC, the company’s routers and video cameras, which the company claimed were “easy to secure” and delivered “advanced network security,” were about as secure as a kitten-guarded pillow fort. Just as in the Asus complaint, the FTC stated that D-Link hardware was routinely shipped with easily guessable default usernames and passwords, making it fairly trivial to compromise the devices and incorporate them into DDoS botnets (or worse).
Like any good company, D-Link at the time professed its innocence, insisting there was nothing wrong with its products and that the FTC claims were “vague and unsubstantiated.” Fast forward to this week, when the company struck a settlement with the FTC, and, according to an FTC press release, has agreed to fix security flaws it previously had claimed didn’t exist:
“We sued D-Link over the security of its routers and IP cameras, and these security flaws risked exposing users’ most sensitive personal information to prying eyes,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “Manufacturers and sellers of connected devices should be aware that the FTC will hold them to account for failures that expose user data to risk of compromise.”
It has taken a while, but router manufacturers have started to finally get the message that their routers’ installation process should prompt users to pick a unique username and password before finalizing device setup. As part of D-Link’s agreement, it not only has to implement new and comprehensive security testing protocols, it’s required every two years to obtain independent third-party assessments of its software security programs.
Granted, whether we’re talking about routers or the latest IoT doodad, there are far too many security vulnerabilities out there for the FTC to police them all right now. Which is why efforts by Consumer Reports and others to begin standardizing the inclusion of security and privacy weaknesses in product reviews are going to be so important in educating consumers.