D-Link Settles FTC Charges With 10-Year Security Audit
D-Link has settled its lawsuit with the US Federal Trade Commission (FTC) by agreeing to independent security audits for the next ten years, covering its routers and internet-connected cameras.
The FTC complaint stemmed from D-Link’s failure to perform basic secure software development, including testing and remediation to address well-known and preventable security flaws, while claiming it offered “advanced network security”.
Flaws included the use of hard-coded login credentials with easy-to-guess usernames and passwords, as well as storing passwords on its app in plain text.
The company has promised to implement a new software security program, as well as to have an independent third-party auditor conduct security audits for the next decade.
The program includes testing products for vulnerabilities before release, ongoing monitoring to address security flaws, issuing automatic security updates, and accepting vulnerability reports from security researchers.
“We sued D-Link over the security of its routers and IP cameras, and these security flaws risked exposing users’ most sensitive personal information to prying eyes,” said Andrew Smith, director of the FTC’s Bureau of Consumer Protection.
“Manufacturers and sellers of connected devices should be aware that the FTC will hold them to account for failures that expose user data to risk of compromise.”
According to the 32-page settlement, D-Link’s new software security program must include a series of required components, such as:
- Engaging in security planning by enumerating in writing how functionality and features will affect the security of its devices.
- Performing threat modelling to identify internal and external risks to the security of data transmitted using its devices.
- Reviewing source code and testing for vulnerabilities before releasing products using automated static analysis tools.
- Performing ongoing code maintenance by maintaining a database of shared code, used to find other instances of a vulnerability once it is reported or otherwise discovered.
- Remediation processes designed to address security flaws, or analogous instances of security flaws, identified at any stage of the software development process.
- Ongoing monitoring of security research for potential vulnerabilities that could affect its products.
- A process for accepting vulnerability reports from security researchers, which shall include providing a designated point of contact for security researchers and appointing supervisory personnel to validate reported concerns.
- Warning device owners that a specific model has ceased receiving security updates, at least 60 days before the company decides to stop supporting a model.
“This settlement contrasts sharply with FTC’s other consent orders with IoT companies, which include very broad restrictions on what those companies may say about their products,” D-Link said in a statement.
“Importantly, unlike other IoT matters in which FTC had alleged ‘deception’, today’s proposed order contains no such restrictions.”