Router manufacturer D-Link agreed to implement sweeping changes to its security program as part of its settlement with the U.S. Federal Trade Commission.
The settlement ends the FTC's lawsuit against D-Link, which accused the vendor of misrepresenting the security of its wireless routers and web cameras. The D-Link security complaint, filed by the FTC in 2017, alleged the company "failed to take reasonable steps to protect their routers and IP cameras from widely known and reasonably foreseeable risks of unauthorized access."
D-Link security issues included using hardcoded login credentials for devices and storing usernames and passwords for mobile apps in clear text on users' devices. According to the FTC, the vendor promoted the "advanced" security of its products, while failing to take basic steps to address preventable flaws. The suit followed an increase in threats, such as the Mirai botnet, that preyed on insecure connected devices.
"We sued D-Link over the security of its routers and IP cameras, and these security flaws risked exposing users' most sensitive personal information to prying eyes," Andrew Smith, director of the FTC's Bureau of Consumer Protection, said in a statement. "Manufacturers and sellers of connected devices should be aware that the FTC will hold them to account for failures that expose user data to risk of compromise."
Under the terms of the settlement, D-Link will implement a "comprehensive software security program" that addresses the flaws and weaknesses in its devices. The D-Link security program will include "security planning, threat modeling, testing for vulnerabilities before releasing products, ongoing monitoring to address security flaws and automatic firmware updates, as well as accepting vulnerability reports from security researchers."
D-Link's security program must also undergo biennial third-party assessments from an independent auditor for the next 10 years. D-Link can choose the third party, but the FTC has the authority to approve or reject the company's selection.
D-Link issued a statement that stressed the company was not found liable for any alleged FTC violation, including deceptive marketing practices, and it was not ordered to pay any fines.
"We are pleased to reach an amicable resolution with FTC. Notably, this Order does not find D-Link Systems liable for any alleged violations," the company said in its statement. "We chose to defend against this litigation based on our strong belief in the quality and security of our products and practices. This settlement allows D-Link Systems to vigorously continue with its current comprehensive software security program and sets a new standard for secure software development practices for IoT devices. Today's announcement further formalizes D-Link Systems' commitment to product quality, which remains a top priority."
D-Link has seen several security vulnerabilities and attacks in recent years, including an IoT botnet that exploited a critical flaw in the vendor's DSL routers and a stolen D-Link code-signing certificate that threat actors used to sign the Plead backdoor malware.