The Federal Trade Commission’s stated mission is to protect users. The resolution of its long-standing litigation against smart home products manufacturer D-Link Systems Inc. shows the FTC is keeping its promise: buyers of D-Link connected devices will no longer be vulnerable to attacks. Or, at least, not as vulnerable as they are now.
In 2017, the FTC accused D-Link of failing to provide “basic” security protection for its devices. In layman’s terms, the FTC argued that D-Link was selling wireless routers and Internet-connected cameras that offered easy access to attackers, exposing users’ sensitive information and even live video and audio feeds, despite marketing the products as reliable and secure.
The FTC sued the manufacturer that same year, and the lawsuit was settled recently with D-Link’s pledge that it will take all steps mandated by the FTC for enhanced security on its devices.
According to the FTC, the manufacturer failed to “perform basic security software development, including testing and remediation to address well-known and preventable security flaws.” These flaws included storing mobile app login credentials in readable text on a user’s phone and using hard-coded login credentials in the D-Link camera software.
As part of the settlement, D-Link will implement a “comprehensive” software security program that will make all its devices less vulnerable to an attack. This includes testing for vulnerabilities before a product’s release, accepting vulnerability reports from researchers, constant monitoring to issue fixes for spotted vulnerabilities, security planning and threat modeling.
In addition, for the next 10 years, D-Link is mandated to submit a third-party assessment of the same security program every 2 years.
“We sued D-Link over the security of its routers and IP cameras, and these security flaws risked exposing users’ most sensitive personal information to prying eyes,” Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, said in a statement.
“Manufacturers and sellers of connected devices should be aware that the FTC will hold them to account for failures that expose user data to risk of compromise.”