Back in February 2016, the FTC punished ASUS for selling consumer routers that had major security flaws.
Now, the FTC is suing D-Link for failing to take reasonable steps to secure its routers and Internet Protocol (IP) cameras, potentially compromising sensitive consumer information, including live video and audio feeds from D-Link IP cameras.
In the FTC’s complaint, it alleges that D-Link’s inadequate security measures left its wireless routers and Internet cameras vulnerable to hackers and put U.S. consumers’ privacy at risk. All this, while D-Link’s website claimed that its products were “EASY TO SECURE” and had “ADVANCED NETWORK SECURITY.” But despite these claims, the FTC alleged that the company failed to take steps to address the following well-known and easily preventable security flaws:
- “hard-coded” login credentials integrated into D-Link camera software — such as the username “guest” and the password “guest” — that can allow unauthorized access to the cameras’ live feed
- the “command injection” software flaw that enables remote attackers to take control of consumers’ routers by sending them unauthorized commands over the Internet
- mishandling a private key code used to sign into D-Link software, which was openly available on a public website for six months
- leaving users’ login credentials for D-Link’s mobile app unsecured in clear, readable, text on their mobile devices, even though there is free software available to secure the information
At RouterCheck, we’re pleased that the FTC takes consumer security seriously, even when the router vendors don’t. Until router vendors are all up to speed, we recommend installing and running RouterCheck, which can diagnose some of these problems. Then visit RouterCheck Support for instructions on resolving the issues you find.