D-Link Settles With FTC, Agrees To Fix Its Shoddy Router Security

from the slowly-getting-the-message dept

While the shoddy Internet of Things sector gets ample heat for being a security and privacy dumpster fire, the traditional network gear sector has frequently been just as bad. A few years ago, for example, hardware vendor Asus was dinged by the FTC for offering paper-mache grade security on the company's residential network routers. The devices were frequently being shipped with easily guessable default usernames and passwords, and contained numerous, often obvious, security vulnerabilities.

In 2017, the FTC also filed suit against D-Link, alleging many of the same things. According to the FTC, the company's routers and video cameras, which the company claimed were "easy to secure" and delivered "advanced network security," were about as secure as a kitten-guarded pillow fort. Just like the Asus complaint, the FTC stated that D-Link hardware was routinely shipped with easily-guessable default usernames and passwords, making it fairly trivial to compromise the devices and incorporate them into DDoS botnets (or worse).

Like any good company, D-Link at the time professed its innocence, insisting there was nothing wrong with its products and that the FTC claims were "vague and unsubstantiated." Fast forward to this week, when the company struck a settlement with the FTC, and, according to an FTC press release, has agreed to fix security flaws it previously had claimed didn't exist:

“We sued D-Link over the security of its routers and IP cameras, and these security flaws risked exposing users’ most sensitive personal information to prying eyes,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “Manufacturers and sellers of connected devices should be aware that the FTC will hold them to account for failures that expose user data to risk of compromise.”

It has taken a while, but router manufacturers have started to finally get the message that their routers' installation process should prompt users to pick a unique username and password before finalizing device setup. As part of D-Link's agreement, it not only has to implement new and comprehensive security testing protocols, it's required every two years to obtain independent third-party assessments of its software security programs.

Granted, whether we're talking about routers or the latest IoT doodad, there are far too many security vulnerabilities out there for the FTC to police them all right now. Which is why efforts by Consumer Reports and others to begin standardizing the inclusion of security and privacy weaknesses in product reviews are going to be so important in educating consumers.

Filed Under: ftc, privacy, routers, security
Companies: d-link

Reader Comments

  • That Anonymous Coward (profile), 8 Jul 2019 @ 7:33pm

    If only there were some rules for bare basic requirements with nice fines attached, that didn't require a long court case that never gets anywhere but a settlement.

    It is one thing to be vulnerable to say HeartBleed in the first month after it's disclosed, but a year later new routers shipping with a well documented vulnerability should result in fines that keep going until the fix is pushed & publicized.

    Consumers are fickle & often forget those companies they hate that burned them before because something shiny distracts them. Give us more data and we'll pump up your credit score - Equifax
    Advertising this new program that gives you credit for paying utilities and the like (of course it might not actually raise the rate lenders see when examining you in tiny white print on a slightly different shade of white on the screen). People are signing up, and handing more information to a company that lied, lied, lied, screwed everyone, and dumped their stock before telling the world about it so they could cash out.

    Every maker wants to offer the newest bestest cool things...
    99.9% of people have no idea how it helps them but they've heard the words so it must be important... they bolt on all of these features most users have no use or need for never making sure it functions on the most basic levels.

    We need to stop accepting that 'hackers' are super powered demons & that no one can stop them so why even try.
    Shipping a router with admin admin & default open to being accessed from the web should be costly to the maker.

  • Anonymous Coward, 9 Jul 2019 @ 3:42am

    Hey wait.

    "about as secure as a kitten-guarded pillow fort."

    That might actually be a bit more secure than it sounds.

    I know I would probably be distracted by the kitten

  • Anonymous Coward, 9 Jul 2019 @ 11:28am

    "were about as secure as a kitten-guarded pillow fort"

    Stand and deliver, sir.
