Slashdot Mirror

← Back to Stories (view on slashdot.org)

FTC Takes D-Link To Court Citing Lax Product Security, Privacy Perils (networkworld.com)

Posted by msmash on from the see-you-in-court dept.

Reader coondoggie writes: The Federal Trade Commission has filed a complaint against network equipment vendor D-Link saying inadequate security in the company's wireless routers and Internet cameras left consumers open to hackers and privacy violations. The FTC, in a complaint filed in the Northern District of California charged that "D-Link failed to take reasonable steps to secure its routers and Internet Protocol (IP) cameras, potentially compromising sensitive consumer information, including live video and audio feeds from D-Link IP cameras." For its part, D-Link Systems said it "is aware of the complaint filed by the FTC." According to the FTC's complaint, D-Link promoted the security of its routers on the company's website, which included materials headlined "Easy to secure" and "Advance network security." But despite the claims made by D-Link, the FTC alleged, the company failed to take steps to address well-known and easily preventable security flaws such as "hard-coded" login credentials integrated into D-Link camera software -- such as the username âoeguestâ and the password âoeguestâ -- that could allow unauthorized access to the cameras' live feed, etc.

35 of 72 comments (clear)

  1. Who would ever guess that password, though? by dgatwood · · Score: 1

    I mean, next thing you'll tell me is that 1234 is a bad combination for my luggage.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

    1. Re: Who would ever guess that password, though? by thesupraman · · Score: 3, Funny

      More to the point.. Shouldn't they be getting an award for helping the NSA etal in their battle against the global terrorist threat by providing such open access to people's privacy?

      After all.. If you have nothing to hide...

      Isn't this just a company protectively complying with upcoming surveillance requirements that governments are claiming they need to keep us safe from ourselves?

      Isn't any form of privacy protection a form of communism?

      Or they can only be given the award in the UK just yet.. Other backwards governments havn't made such positions against their own people official.. Yet..

    2. Re: Who would ever guess that password, though? by slashrio · · Score: 1

      You didn't catch the sarcasm in his voice? :)

      --
      "Trump!!", the new Godwin.
    3. Re:Who would ever guess that password, though? by msauve · · Score: 1

      1234 is easy to type. Try "username Ãoeguestà and password ÃoeguestÃ".

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    4. Re:Who would ever guess that password, though? by UnknowingFool · · Score: 1

      I don't know what you're talking about. It's a perfect password for a planetary shield.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
  2. D-Link doesn't learn or doesn't care (or both) by Ritz_Just_Ritz · · Score: 4, Informative

    They have a history of sluggish or non-existent responses to vulnerabilities going back for many years. About 10 years ago they also had that high profile incident where they were randomly abusing NTP servers belonging to other organizations and they shrugged it off for a long time until there was a big public stink. I don't know why anyone buys that crap or trusts them with any of their data.

    1. Re:D-Link doesn't learn or doesn't care (or both) by bobbied · · Score: 4, Insightful

      Of course they care... Just only as far as there is money in it...

      Look, D-Link sells consumer products and most consumers DON'T CARE about (much less ever THINK about) security. They want a device that does what it's designed to do with a minimum of fuss or mess making it work. They don't want to call technical support, they just want to spend as little as they can in both time and money.

      Where I applaud the FTC's paying attention to such things, I'm thinking this isn't going to be very effective in getting manufacturers to knuckle under and do the security thing the right way. NOBODY (well, almost nobody) will care and they simply don't want to pay the price in dollars and time to get proper security configured in that consumer device.. The only way the FTC makes a dent is by hitting D-Link (and other manufacturers) in the pocket book really hard and I don't think they have enough leverage to do that.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    2. Re:D-Link doesn't learn or doesn't care (or both) by Luthair · · Score: 1

      I think its more that customers don't even realize its an issue, they perceive they're buying a legitimate brand. The classic example is the Corvair.

    3. Re:D-Link doesn't learn or doesn't care (or both) by HornWumpus · · Score: 1

      Today, even Ralph Nader admits the Corvair was no more dangerous than the classic VW beetle (the IRS super beetle was better though). But he built his career on it, so he doesn't say it loud or often.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    4. Re:D-Link doesn't learn or doesn't care (or both) by rtb61 · · Score: 1

      How about this "To make up for the cost-cutting lack of a front stabilizer bar (anti-roll bar), Corvairs required tire pressures which were outside of the tire manufacturers' recommended tolerances."https://en.wikipedia.org/wiki/Unsafe_at_Any_Speed. So handling was not worse than other cars just as long as you ran the tyres at (15psi front, 26psi rear, when cold; 18 psi and 30psi hot). Yep uh huh, sure.

      --
      Chaos - everything, everywhere, everywhen
    5. Re:D-Link doesn't learn or doesn't care (or both) by slashrio · · Score: 2

      Not so long ago I looked for a firmware update for my D-Link and found it on their website.
      HTTP!
      So I sent an email asking whether it would be possible to send it over an encrypted channel, or at least get a PGP signature.
      The reply was that kind of corporate content-less off-topic help-desk level shit that we are used to receiving, so I spent a phone call to the company.
      Got a giggling girl on the line who assured me that there was no problem with that, there hans't ever been one and there wouldn't be any in the foreseeable future.
      So I told her her manager was stupid, that I was stupid to have bought that brand, and that I'd never buy that brand ever again.
      According to her that was ok, no problem.
      I think they are rightly sued now...

      --
      "Trump!!", the new Godwin.
    6. Re:D-Link doesn't learn or doesn't care (or both) by operagost · · Score: 1

      Nader is a selfish cock whose data on the Corvair suspension issue was obsolete, as it had already been fixed for the 1965 model year. Instead of correcting his book before publishing it, he put it on the market to quickly collect his profit and contributed to the failure of the (now much safer) Corvair and probably causing many people to lose their jobs.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
  3. Re:is aware of the complaint filed by the FTC by Z00L00K · · Score: 3, Insightful

    They are just starting with someone, almost every consumer grade supplier have security holes in their products and they just leave support for your device about a year after you bought it.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  4. Re:is aware of the complaint filed by the FTC by Wycliffe · · Score: 2

    They are just starting with someone, almost every consumer grade supplier have security holes in their products and they just leave support for your device about a year after you bought it.

    This is exactly what I'm worried about. Having "guest/guest" hardcoded is ridiculous but I'm not sure I like the idea of the government deciding what is and is not secure enough. Will it get to the point where only giant companies can release products or accept credit cards because no one else is capable of getting their products certified as secure?

  5. Take TP-Link also by fuzzyf · · Score: 3, Interesting

    Purchased a TP-Link router that turned out to have a backdoor.
    https://tech.slashdot.org/stor...

    Asking support about it I got the answer back that "We will not fix it. Just make sure nobody get access to your local network".

    Both TP-Link and Lenovo are on my do-not-buy list.

    1. Re:Take TP-Link also by Dozy+Lizard · · Score: 1

      TP-Link make some of the most cost effective, well supported hardware. For OpenWRT.

  6. EULA Escape? by Bugler412 · · Score: 1

    Not sure if it would hold off the FTC, but the EULA of these products likely give D-Link full immunity from civil lawsuits like most consumer level software or equipment.

    1. Re:EULA Escape? by krelvin · · Score: 2

      FTC is getting them for false advertising, has nothing to do with the EULA. This is the federal government suing not the consumer.

      The issue is they are saying their products are secure when they have many vulnerability outstanding that should be easy to fix and they have not. So they are not safe to use.

    2. Re:EULA Escape? by HiThere · · Score: 2

      Don't believe the EULA limitations. A lot of them are just there as intimidation. Which terms are enforceable depend on your state, and local laws trump the EULA.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    3. Re:EULA Escape? by Bugler412 · · Score: 1

      don't get me wrong, I think it's good that the FTC is doing this. But those restrictive terms in typical EULAs should be illegal, and likely many are if actually challenged in court, but consumers need redress for defective products, FTC fining them and pressuring for "better next time" is good, but does nothing for the people that bought the defective gear.

    4. Re:EULA Escape? by Bugler412 · · Score: 1

      and how much legal runaround, attorney fees, etc. you are willing to deal with. SIgh

  7. Re:What about Crisco/Nutgear?? by viperidaenz · · Score: 1

    I thought Netgear was a Cisco competitor.
    Cisco brand their consumer crap Linksys

  8. Why is this an FTC issue? by mea2214 · · Score: 1

    So D-Link has buggy insecure code. Can't the marketplace correct for this? Do I care if someone gets the live feed of my camera watching my front door? No. When will the FTC go after Comcast and AT&T for abusing their monopoly status? Or how about Microsoft for spying on me without disclosing what they're doing and upgrading and rebooting my PC without my consent? Why do those companies get a free pass?

    1. Re: Why is this an FTC issue? by cyber-vandal · · Score: 1

      It hasn't so far and there's no sign it will.

  9. Why is this a problem? by ilsaloving · · Score: 1

    I don't see what the issue is. If people want to buy an insecure device that will compromise their well-being, then they should be allowed to. I thought the whole point of capitalism was, "Do whatever it takes to make money", and regulation gets in the way of that!

    Thankfully Trump will put an end to this "You need to put out a product that isn't shit" nonsense.

  10. Re:is aware of the complaint filed by the FTC by Motherfucking+Shit · · Score: 2

    This is exactly what I'm worried about. Having "guest/guest" hardcoded is ridiculous but I'm not sure I like the idea of the government deciding what is and is not secure enough.

    The FTC isn't trying to appoint itself arbiter of the IoT, this is just a standard Truth in Advertising case. The problem isn't that the devices weren't secure, it's that they weren't secure but D-Link's marketing said they were. If D-Link hadn't made misleading claims like "advanced network security" when promoting products that shipped with backdoors, we wouldn't be having this discussion.

    --
    "BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
  11. Re:is aware of the complaint filed by the FTC by Dutch+Gun · · Score: 1

    UL certification for electrical safety is done as an independent third-party audit, but is licensed by the government to do so. Certification is not legally mandated, but nearly everyone does it, because most large companies will not buy products without it.

    I think perhaps a similar system for electronic security audits could work in the same way. To get and maintain a favorable rating, you must demonstrate:

    a) reasonable and good-faith efforts have been made to ensure security and privacy (no default passwords, no back doors, etc)
    b) current industry standards and guidelines have been adhered to
    c) a simple or automated patching mechanism is available if security issues are discovered.
    d) duration of security support is explicitly listed on packaging.

    Or something like that - that's just off the top of my head.

    At least users can be reasonably assured of security by looking for a simple label. That seems like a reasonable compromise between "government mandated security rules" and the current "zero security" state of affairs. And it's seemed to work out reasonably well for electrical safety.

    --
    Irony: Agile development has too much intertia to be abandoned now.
  12. Actually that's exactly what Obama's FTC is saying by raymorris · · Score: 1

    > If people want to buy an insecure device that will compromise their well-being, then they should be allowed to.

    Actually that's the FTC's position. The company fraudulently advertised the product as having "advanced security" and "easy to secure." That's the law suit - "if people want to buy insecure/secure, then they should be allowed to", companies may not lie and deliver the opposite of what they sold the customer. The result of the law suit will probably be that the company will stop advertising security.

  13. Re:Actually that's exactly what Obama's FTC is say by ilsaloving · · Score: 1

    What if it IS "Advanced Security", but just not advanced enough? I mean, compared to what we had in the 90s, it most certainly is advanced. :)

  14. Re: You have NO balls unidentifiable ac troll by mmell · · Score: 1

    Hey Al . . . You do realize you're talking to yourself, right? Never a good sign . . .

  15. Re: You have NO balls unidentifiable ac troll by mmell · · Score: 1
    COOL! I see we're getting to know each other . . . we're on a first-name basis. Now, we need to work on those people skills.

    But to clear up a point . . . I'be noticed you like to accuse everyone in sight of being exactly what you are. A shame . . . I even tried to treat you civilly here on more than one occasion (even apologizing for my own mistakes made in anger), but you seem unable to recognize such a gesture. You apparently have no emotional background upon which to base adult interaction.

    In closing . . . I'm sorry to see that doctors have been unable to identify or cure whatever's wrong with you. Let us all know when you mature. Until then, please feel free to follow-post me; your derision is as much a badge of honor as a +5 post here on Slashdot.

  16. Consumers do care by phorm · · Score: 1

    most consumers DON'T CARE about (much less ever THINK about) security.

    No, most consumers don't think about IMPLEMENTING security. That's because they trust that the makers of their devices are smarter than them, and wouldn't make deliberate decisions that hurt security (like hardcoded admin logins). This is after people like me hammered in the idea that to be (more) secure on the internet, you need to use a router and not plug in directly.

    It's in the same vein as trusting the person who makes your car that it won't cheat on emissions, accelerate without the pedal being pressed, etc etc.

    In other words, a case of misplaced trust - or a vendor who violates said trust - not lack of caring...

    1. Re:Consumers do care by bobbied · · Score: 1

      Not that I disagree, but the point here is that companies like D-Link don't really care until it benefits them financially. Should consumers stop buying their products because of a perception that they lack the necessary security, you can bet that the company will do two things. First, they will develop some kind of security "fix" for all their products... Second they will start a PR "We Care About Security" push to change the perception.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    2. Re:Consumers do care by phorm · · Score: 1

      "Security is our #1 Priority"

      (until the next scandal, when something else becomes #1)

  17. Re: Talk about overreach and inconsistent by knorthern+knight · · Score: 1

    > This. They're only doing it because D-Link is a Taiwanese company.
    > We're seeing racist Trump in action. If he wasn't racist he'd go after
    > Microsoft because of their security problems that they refuse to fix.

    Errr, uhhhm, Trump is still 2 weeks away from being sworn in as president. A year ago, they were blaming everything on global warming. Now they're blaming everything on Trump.

    --

    I'm not repeating myself
    I'm an X window user; I'm an ex-Windows user