The U.S. Federal Trade Commission has slapped D-Link, maker of IP cameras, routers and smart home equipment with a lawsuit, sayng the company's products were insecure and put customers' privacy at risk.
Similar cases were brought by the agency against PC and tablet maker ASUS and TRENDnet. The latter sells video cameras. Such products provide a tempting attack surface for hackers and need to be secured, an FTC official said in a statement:
“Hackers are increasingly targeting consumer routers and IP cameras -- and the consequences for consumers can include device compromise and exposure of their sensitive personal information,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection. “When manufacturers tell consumers that their equipment is secure, it’s critical that they take the necessary steps to make sure that’s true.”
D-Link touted that its routers were "easy to secure" and had "advanced network security," but in fact had common security flaws, such as hard-coded login credentials with simple constructs, such as "guest" for both username and password. Other alleged holes included command injection, wherein a hacker can send a device nefarious commands over the Internet; and the exposure of users' login credentials.
The security flaws in D-Link's products could be used by hackers to steal sensitive personal information or control other devices on the user's local area network, according to the FTC's complaint, the full version of which is available at this link.
Analysis: The FTC's actions could move the needle on the IoT security debate
Constellation has written much about the lack of strong and cohesive IoT security standards and enforcement amid a time when the number of connected devices is exploding due to consumer interest and a Gold Rush mentality among manufacturers. The FTC's lawsuits against device makers could help force the issue in a positive way, says Constellation Research VP and principal analyst Steve Wilson.
"The US has a mixed reputation worldwide for its light-touch security regulations and its unusual lack of general data privacy law," Wilson says. "But what the US does have is strictly enforced consumer protection statutes. If a company makes a promise to its customers, and then breaks that promise, then the FTC has the power and the inclination to come down hard."
On privacy matters, the FTC has taken strong actions against Facebook and the privacy seal provider Truste for failing to live up to their own standards, Wilson notes" "Now the FTC is looking closely at what businesses mean when they say their products are 'secure.' This could get very interesting."
"In my view, the entire security industry has cheapened the word secure," Wilson adds. "When a business claims to comply with security standards, it means they've been audited against their own IT policy, which can be a dense and arbitrary list of procedures. ecurity-compliant products and businesses still get breached. In fact, security professionals will tell you that breaches are inevitable."
The last point may serve as interesting fodder for the FTC's enforcement efforts around IoT security. "What does 'secure" mean if a breach is actually inevitable? Where does that leave consumers?" Wilson says. "If your bank said 'it's inevitable actually that we will be robbed' then no way could they use the word 'secure.' If a toy manufacturer said 'the paint on this doll's house might actually be toxic' then no way could they call it 'safe.'"
Got a few minutes? Take Constellation's 2017 Digital Transformation Survey and see how your organization stacks up against others pursuing digital transformation. Constellation will send you a copy of the results.
24/7 Access to Constellation Insights
Subscribe today for unrestricted access to expert analyst views on breaking news.