FTC sues D-Link for ‘insecure’ routers and IP cameras

You know those IP cameras and routers that ship with security holes that have been kicking around since the dark ages? Like the IP cameras that are drop-dead simple to remotely take over and use to spy on babies and their parents via their baby monitors…

…all thanks to having hard-coded credentials – “guest” for a user name and password, to be precise – along with command injection vulnerabilities and other flaws that have been on OWASP’s top web app vulnerabilities list since at least 2007.

Well, the US Federal Trade Commission knows about those cameras, just like it knows about routers that ship with the same security sins. Last week, it took steps to deal with one manufacturer of networking gear it says has been failing to properly secure its products and has been leaving consumers vulnerable to some nasty hacking.

The FTC on Thursday filed a complaint (PDF) against D-Link, maker of wireless routers and internet-enabled cameras, in federal district court.

The suit alleges that the company hasn’t bothered to protect routers and IP cameras from very common, very old, very well-known holes on OWASP’s web app vulnerability list.

These are holes that let hackers easily take over routers, IP cameras and other networking gear.

Pretty serious stuff, the FTC says, given how routers are key to securing consumers’ home networks: not only do they forward data packets along a network, but they also function as that local network’s hardware firewall and act as the first line of defense in protecting consumer devices – be they computers, mobile phones, IP cameras or any other connected appliances.

The FTC says that D-Link has “repeatedly” failed to do reasonable software testing and remediation to protect routers and IP cameras against easily preventable software security flaws, including hard-coded user credentials, other backdoors, and command injection flaws, which open the consumer devices to being taken over by remote attackers.

The FTC is also charging D-Link with spilling its private code-signing key on to the public web for all to see, and misuse, for six months in 2015.

Anybody with ill intent could use that key to sign malware so it would look like a legitimate D-Link app that would be trusted by Microsoft Windows and be allowed to run on, and infect, computers.

D-Link certainly isn’t the only one to put its private keys out there for public consumption. In fact, the internet is crowded with servers with private keys that are anything but. A 2015 report from a European security consultancy called SEC Consult found that the count was up to 4.5m servers with un-private/should-really-be private keys.

The FTC says D-Link has a third security failure: it hasn’t used free software, available since at least 2008, that would secure users’ mobile app login credentials. Instead, it’s stored the credentials in clear, readable text on a user’s mobile device.

These are the kinds of security failings that enable hackers to take over consumers’ computers and pull them into botnets, the FTC noted.

In fact, remote attackers have been able to search for vulnerable devices over the internet, using readily available tools.

The potential harm to consumers, according to the complaint:

• Compromised routers can give miscreants unauthorized access to sensitive personal information. For example, a compromised router could send a victim to a spoofed financial website, where the attacker could intercept their login credentials. Also, a tampered-with router could access tax returns kept on an attached storage device.
• A compromised router can be used to launch an attack on other devices on the local network, such as computers, smartphones, IP cameras or connected appliances.
• IP cameras can be hijacked for the purposes of spying, and we’re talking way more than baby monitors. We’ve seen one site that allows strangers to spy on people via security webcams delivering live feeds from bedrooms, other rooms in residential homes, offices, shops, restaurants, bars, swimming pools and gymnasiums.
• Publicly posting a key that should be private puts people at significant risk of downloading malware signed by malicious actors using D-Link’s key.

All this, in spite of D-Link’s mention of state of the art security technologies in its marketing materials, the FTC said, outlining use of terms such as “Advanced Network Security”. “128-bit Security Encryption” and the like.

From the complaint:

The risk that attackers would exploit these vulnerabilities to harm consumers was significant.

The complaint covers five counts of misrepresentation and one count of unfairness.

D-Link, which is based in Taiwan and works with partner company D-Link Systems, in California, said last week that the charges are “unwarranted and baseless”, and added:

D-Link Systems rejects the FTC’s allegations and firmly believes that its processes and procedures related to security were more than reasonable.

D-Link Systems maintains a robust range of procedures to address potential security issues, which exist in all Internet of Things (IoT) devices.

The company said that the FTC mentioned risk to D-Link to customers but didn’t specify any actual breach of a D-Link device. Instead, the FTC merely “speculated” that consumers were at risk, according to D-Link.

D-Link CIO William Brown said:

The FTC complaint alleges certain security hacking concerns for consumer routers and IP cameras, and we firmly believe that charges alleged in the complaint against D-Link Systems are unwarranted.

Brown said the company will “vigorously defend the security and integrity” of its routers and IP cameras and is “fully prepared to contest the complaint.”

More from Brown:

Furthermore, we are continually working to address the overall security features of D-Link Systems’ products for their intended applications and to regularly inform consumers of the appropriate steps to take to secure devices.

We’ve reported on D-Link problems in the past. Its routers were found vulnerable to DNS hijacking in February 2015, and a router flaw dubbed Joel’s Backdoor was found a few years prior to that: one that provided easy backdoor access to the administration interface on a number of the company’s routers.

But of course it’s not only D-Link routers that have had issues. In January 2014 we reported how Sercomm products, which include routers under the Linksys and Netgear brands, had problems with unauthorized admin access, and more recently, we discussed a remote access bug in Netgear routers.

So even if you don’t use D-Link products, the risks that the FTC cited are real.

When he wrote up the Sercomm issue, Paul Ducklin noted that you could mitigate the risk of that router hole by ensuring you’re doing Wi-Fi security properly.

He suggested using WPA2 with a long and hard-to-guess passphrase (you only need to enter it once on each device). Paul also suggested that we don’t rely on security short-cuts like network name hiding or MAC address filtering. It’s always worth having another look at Paul’s guide to store user passwords safely, too.

They don’t give you the security you think they will, and here’s why

To secure your baby monitor or other IP camera, check out these tips.

Also, check out the latest Chet Chat podcast for more discussion on this.