On January 5, 2017, the Federal Trade Commission (“FTC”) filed a complaint against computer networking hardware manufacturer D-Link Corporation, alleging that the company’s wireless routers, IP cameras, and other “Internet of Things” (IoT) products failed to implement basic security features, thus exposing consumers to heightened risks for privacy violations, malware, and hacking attacks. The complaint alleges that, despite publicly touting its products as featuring “advanced network security” and being among the “safest” in the industry, D-Link did not implement reasonable cyber security measures. An explanatory blog post provided by the FTC and the complaint against D-Link can be viewed online.
According to the complaint, D-Link’s actions unfairly and deceptively put consumer’s information and security at risk by, among others:
-
Leaving hard-coded username/password login credentials in its camera software, permitting unauthorized remote access to the video feed from a camera;
-
Leaving consumer login information in unencrypted plaintext form in a D-Link mobile application; and
-
Failing to secure the encryption key used to digitally sign genuine D-Link software, resulting in the key being publicly available on line for several months.
The FTC has previously brought similar enforcement actions against computer hardware maker ASUS and camera manufacturer TRENDNet. The explosion in the number and capability of IoT devices is leading to a number of other security concerns, including use of compromised IoT devices in Distributed Denial of Service (DDoS) attacks. Given this ongoing concern, we anticipate the FTC will continue to bring enforcement actions against companies who misrepresent the security status of their products and services. Companies operating in this area would be well served to review and consider the FTC’s advice for businesses related to IoT security found here.