FTC's Lawsuit Should Make You Feel Very Insecure About the IoT
Feb 14, 2017 12:03 PM PT
Even though D-Link expressly promised that many of its wireless devices had the highest level of security available, the Federal Trade Commission last month filed a lawsuit that alleges otherwise.
The FTC filing includes copies of online marketing materials and technical specifications for D-Link's products (including its digital baby monitor and wireless routers), and flatly declares that "thousands of Defendants' routers and cameras have been vulnerable to attacks that subject consumers' sensitive personal information and local networks to a significant risk of unauthorized access."
The FTC's Mission
It has been the role and responsibility of the FTC to protect U.S. consumers since it was established in 1914 -- long before the existence of the Internet or the Internet of Things. The FTC's original purpose was to prevent unfair methods of competition in commerce as part of the battle to "bust the trusts." Then in 1938, Congress further broadened the FTC's enforcement powers to protect consumers against "unfair and deceptive acts or practices."
As result of its expanded jurisdiction and enforcement authority, the FTC gives U.S. consumers an expectation that they can rely on the express promises made by all manufacturers. However, what makes D-Link's alleged misrepresentations worse is that the consumer IoT is vulnerable to criminal cyberintrusions, since consumers are exposed without their knowledge.
D-Link failed to make reasonable efforts to test the software that controls its routers and IP cameras for preventable security flaws, and it failed to maintain the confidentiality of users' private security keys for logins, the lawsuit alleges.
For example, D-Link's mobile devices since 2008 have displayed users' login credentials in clear readable text. Hence, although D-Link customers relied upon D-Link's express promises that its routers and IP cameras were secure, their privacy has been compromised for years.
What Did D-Link Promise?
D-Link's website, user manuals, and promotional brochures all included express promises about security features designed to make customers feel confident that its products were safe, including express promises that D-Link products were "easy to secure."
D-Link expressly stated that its routers used "advanced network security," including securing WiFi with "dual-active firewalls," and that they supported "the latest wireless security features to help prevent unauthorized access, be it from over a wireless network or from the Internet."
D-Link also promised that the routers had 128-bit security encryption.
D-Link highlighted the security with its IP cameras specifically placing the word "SECURITY" across the bottom of each page in capital letters and vivid colors. With its baby monitors, D-Link promoted security on the side of the boxes to give parents an extra sense of comfort.
Even after D-Link's failures came to light in 2013, the company's product support page for another two years touted its commitment to product security.
D-Link claimed that during product development it expressly prohibited any features that would "allow unauthorized access to the device or network, including but not limited to undocumented account credentials, covert communication channels, 'backdoors' or undocumented traffic diversion."
The Cause of Action Institute last month filed a Motion to Dismiss the FTC lawsuit, which is set for a hearing on March 9.
The claims constitute "government overreach ... without any evidence of consumer injury," the COA Institute asserted.
The FTC failed to support its allegations that D-Linked failed to take reasonable steps to secure routers and IP cameras, and it did not identify any specific security data breaches, the motion states.
Of course, the FTC now has an opportunity to file a response to the CoA Institute's Motion to Dismiss, and it will have to provide the court with some additional evidence to support its allegations.
Only then will the public have a better understanding of the basis of the FTC's lawsuit.
How Secure Are Routers?
Ironically, the day before the FTC filed its complaint against D-Link, it announced the IoT Home Inspector Challenge to "combat security vulnerabilities in home devices." The top prize is US$25,000, and the deadline for entries is May 22, 2017.
Of course, D-Link's Motion to Dismiss may be resolved before the May deadline.
How Safe Are You?
There will be roughly 8.4 billion devices connected to the Internet of things in 2017, up 31 percent from 2016, and there will be 20.4 billion connected devices by 2020, Gartner has forecast.
So, if the FTC is only partially correct and D-Link only has some insecure IoT devices, the cybersecurity risk nevertheless remains unbelievably high.