In its latest enforcement action in the realm of the Internet of Things, the Federal Trade Commission filed suit against D-Link Corporation, a Taiwan-based computer networking equipment manufacturer and its U.S. subsidiary, alleging that the defendants failed to employ adequate security measures for their wireless routers and surveillance cameras.
Although D-Link promoted the security of its routers with claims like “EASY TO SECURE” and “ADVANCED NETWORK SECURITY,” the company neglected to take easy steps to avoid security flaws, the agency asserted in its California federal court complaint. According to the agency, D-Link accepted hard-coded login credentials and the use of “command injection,” which allowed remote attackers to take control of routers by sending commands over the Internet.
The defendants also openly displayed a private key code used to sign into D-Link software on a public website for six months and allowed user login credentials on D-Link’s mobile app to remain in clear, readable text on mobile devices—despite the availability of free software that could have secured the information, the FTC alleged.
All of these errors left consumers vulnerable, the agency said, as a hacker could take advantage of a compromised router to obtain stored files (tax returns, for example), redirect a consumer to a fraudulent website, or leverage the router to attack other devices on consumers’ local networks such as smartphones, computers, and other connected appliances.
As for the unsecure cameras, D-Link’s actions placed consumers at risk of having their personal activities and conversations recorded and watched or their locations monitored, which could make theft or other crimes much easier to commit, the agency told the court.
The suit seeks a permanent injunction against future violations of the Federal Trade Commission Act, as well as costs.
Motion to Dismiss
The Cause of Action Institute (CoA Institute) filed D-Link’s Motion to Dismiss in response to the FTC lawsuit which claims are based on D-Link’s “failure to secure devices from cyberattacks!” The CoA Institute Motion was filed on January 31, 2017 and is set for a hearing on March 9, 2017 and stated that the FTC claims were merely “government overreach…without any evidence of consumer injury” and states that the FTC failed to support its allegations of that D-Linked to take reasonable steps to security routers and IP cameras, nor identify any specific security data breaches. As well the Motion contained this summary about the FTC’s lawsuit:
Pleading legal conclusions couched as hypothetical, speculative factual allegations requiring unwarranted deductions, as the FTC has done here, is insufficient.
This case will continue no matter what since the FTC now has an opportunity to file a Response to the CoA Institute’s Motion to Dismiss to which the CoA Institute will likely file a Reply. Even if the Motion to Dismiss is granted it is likely the federal judge will allow the FTC to refile its Complaint.