from the cutting-edge-incompetence dept
If you've been paying attention, you've probably noticed that the so-called Internet of Things isn't particularly secure. Hardware vendors were so excited to market a universe of new internet-connected devices, they treated things like privacy, security, and end-user control as afterthoughts. As a result, we've now got smart TVs, smart tea kettles, WiFi-connected barbies and all manner of other devices that are not only leaking private customer data, but are being quickly hacked, rolled into botnets, and used in historically unprecedented new, larger DDoS attacks.
This isn't a problem exclusive to new companies breaking into the IoT space. Long-standing hardware vendors that have consistently paid lip service to security are fueling the problem. Asus, you'll recall, was dinged by the FTC last year for marketing its routers as incredibly secure, yet shipping them with easily-guessed default username/login credentials and cloud-based functionality that was easily exploitable.
The FTC is back again, this time suing D-Link for routers and video cameras that the company claimed were "easy to secure" and delivered "advanced network security," yet were about as secure as a kitten-guarded pillow fort. Like Asus, D-Link's hardware also frequently ships with easily-guessed default login credentials. This frequently allows "hackers" (that term is generous since it takes just a few keystrokes) to peruse an ocean of unsecured cameras via search engines like Shodan, allowing them to spy on families and businesses in real time.
According to the FTC, D-Link's hardware also consistently suffers from a number of other vulnerabilities the regulator says the company simply refused to seriously address, including command injection software flaws that let remote attackers take control of consumers' routers via any IP address. D-Link is also accused of mishandling the private key used to sign into D-Link software (said key was openly available on a public website for six months), and of leaving users' login credentials for the mobile D-Link app unsecured in clear, readable text directly on the mobile device.
Needless to say, the FTC thinks D-Link should have done a little more to keep its products, and by proxy the internet at large, more secure:
“Hackers are increasingly targeting consumer routers and IP cameras -- and the consequences for consumers can include device compromise and exposure of their sensitive personal information,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection. “When manufacturers tell consumers that their equipment is secure, it’s critical that they take the necessary steps to make sure that’s true.”Unsurprisingly, D-Link didn't think much of the FTC lawsuit, quickly posting a new FAQ and a press release implying that because the FTC didn't cite specific products and document clear instances of harm, there's no problem. The statement laments the FTC's "unwarranted allegations" and "contested 2-1 decision" to hold D-Link to account:
"The FTC complaint alleges certain security hacking concerns for consumer routers and IP cameras, and we firmly believe that charges alleged in the complaint against D-Link Systems are unwarranted," said William Brown, chief information security officer, D-Link Systems, Inc. "We will vigorously defend the security and integrity of our routers and IP cameras and are fully prepared to contest the complaint. Furthermore, we are continually working to address the overall security features of D-Link Systems' products for their intended applications and to regularly inform consumers of the appropriate steps to take to secure devices."Granted you only need to spend a few moments with IoT-specific search engines to realize how common poorly-secured webcams (from D-Link and everybody else) are. And D-Link's router hardware has been well-represented in the recent rise of DDoS attacks on companies like Dyn. So the end result of this neglect should be pretty clear, and given the agency's recent warnings (pdf), the FTC's crackdown (which may or may not persist under a new administration) shouldn't be a surprise. Companies had every opportunity to prioritize privacy and security in their products, but instead chose to pay lip service to the concept.