D-Link Agrees to 10 Years of Security Audits to Settle FTC Charges
Taiwanese networking equipment manufacturer D-Link has agreed to implement a “comprehensive software security program” in order to settle a Federal Trade Commission (FTC) lawsuit alleging that the company didn’t take adequate steps to protect its consumers from hackers.
Your wireless router is the first line of defense against potential threats on the Internet.
However, sadly, most widely used routers fail to offer necessary security features and have often been found vulnerable to serious security flaws, eventually enabling remote attackers to gain unauthorized access to networks and compromise the security of other devices connected to them.
In recent years, the security of wireless networks has become a hot topic because of cyber attacks, and it has also made headlines after the discovery of critical vulnerabilities such as authentication bypass, remote code execution, hard-coded login credentials, and information disclosure in routers manufactured by various brands.
In 2017, the US Federal Trade Commission (FTC) filed a lawsuit against D-Link, one of the more popular router manufacturers, over the poor security of its wireless routers, IP cameras, and other Internet-connected devices.
According to the FTC complaint, D-Link allegedly misrepresented the security of its products to its customers, didn’t adequately test its products for well-known and easy-to-fix security flaws, and also failed to secure devices when security vulnerabilities were reported by independent security researchers.
“Defendants D-Link repeatedly have failed to take reasonable software testing and remediation measures to protect their routers and IP cameras against well known and easily preventable software security flaws,” the FTC complaint says. “In truth and in fact, Defendants did not take reasonable steps to secure their products from unauthorized access.”
In 2015, D-Link also accidentally published its private code signing keys on the Internet that could have allowed hackers to sign their malware and evade detection.
On Tuesday, the FTC published [PDF] an “amicable” settlement which says D-Link is required to follow proper security planning, threat modeling, vulnerability testing, and remediation before its routers and IP cameras hit the market.
The deal also makes it mandatory for the company to monitor its products for security flaws, automatically update firmware, and set up a system to accept vulnerability reports from security researchers.
Besides this, D-Link has also agreed to undergo security audits of its software security program every other year for the next 10 years by an independent third-party assessor approved by the FTC.
In a press release, D-Link claims the FTC has not found the company liable for any alleged violations, yet, ironically, the company has still reached an amicable resolution with the FTC, as mentioned above.
The FTC settled similar charges with ASUS over the security of its routers in 2016, when the company agreed to undergo independent security audits every 2 years for the next 20 years.