The agency says the company’s wireless routers, IP cameras, and other IoT products failed to implement basic security features.
The FTC has filed a lawsuit against D-Link for deceptive advertising related to IoT security, the agency announced Jan. 5.
The agency said that D-Link’s routers, IP cameras and other products fail to include basic security features despite their advertising and labeling saying otherwise. The suit says this deception is putting consumer’s privacy and security at risk.
“Hackers are increasingly targeting consumer routers and IP cameras — and the consequences for consumers can include device compromise and exposure of their sensitive personal information,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection. “When manufacturers tell consumers that their equipment is secure, it’s critical that they take the necessary steps to make sure that’s true.”
The complaint alleges that D-Link’s claims in its “Security Event Response Policy” and in its promotional materials are false. The complaint further alleges that the company failed to take the necessary steps to address well known and easily preventable security flaws. As examples the complaint cited:
- Alleged hard coding of login credentials into D-Link camera software.
- Alleged transmittal of user information in clear, unencrypted text.
- Alleged mishandling of its own private key code, making it publicly available for six months.
- Alleged failure to prevent command injection, a known vulnerability.
The FTC has previously sued ASUS and TRENDnet. The agency provides guidelines and advice for ensuring IoT security here. So far D-Link has not publicly responded to the suit.