Last week the Federal Trade Commission (FTC) made it clear that it will be taking the security of home networking and IoT devices very seriously.
The U.S. agency said that network equipment-maker D-Link put consumers’ privacy at risk due to the inadequate security of its computer routers and cameras. In a news release, the FTC announced that it filed a complaint against the Taiwan-based D-Link Corporation and its U.S. subsidiary alleging that inadequate security design made wireless routers and Internet cameras vulnerable to attack.
The FTC said D-Link failed to take reasonable steps to secure its routers and Internet cameras, potentially compromising sensitive consumer information, including live video and audio feeds from D-Link IP cameras.
The FTC has also recently charged hardware-maker ASUS and video camera-maker TRENDnet with not adequately designing secure devices for consumers.
“Hackers are increasingly targeting consumer routers and IP cameras — and the consequences for consumers can include device compromise and exposure of their sensitive personal information,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection. “When manufacturers tell consumers that their equipment is secure, it’s critical that they take the necessary steps to make sure that’s true.”
According to the FTC, the D-Link equipment had numerous, and rather pedestrian, flaws:
- “Hard-coded” login credentials integrated into D-Link camera software — such as the username “guest” and the password “guest” — that could allow unauthorized access to the cameras’ live feed; a software flaw known as “command injection” that could enable remote attackers to take control of consumers’ routers by sending them unauthorized commands over the Internet;
- The mishandling of a private key code used to sign into D-Link software; in fact, it was openly available on a public Website for six months
- Leaving users’ login credentials for D-Link’s mobile app unsecured in clear, readable text on their mobile devices, even though there is free software available to secure the information.
Despite such basic errors in security design, D-Link promoted its products as being “Easy to Secure” and possessing “Advanced Network Security,” said the FTC.
But as any one even remotely aware of security defenses would know, attackers can easily take advantage of hardcoded passwords such as username/password combinations being guest/guest, as well as the other flaws.
A day prior to this compliant, the FTC announced it was kicking off the Internet of Things Challenge to Combat Security Vulnerabilities in Home Devices.
With this project, the FTC hopes volunteers will create a tool to help protect consumers from security vulnerabilities in the Internet of Things. The FTC is offering a cash prize of up to $25,000 for the best technical solution, with up to $3,000 available for up to three honorable mentions. Submissions will be accepted as early as March 1, 2017 and are due by May 22, 2017 at 12:00 p.m. EDT. Winners will be announced in July.
Let’s hope the contest and these recent legal moves spark some interesting ideas and changes from device-makers. I know we’ll need them.