FTC vs D-Link: All bark, no bite

The government is trying to send a message, but it’s too weak to deliver.

Illustration by D. Thomas Magee

Most routers are bad. Bad to their little router bones. But they were made that way. And when you get one of the bad ones in your home, they sit there like little privacy and security time bombs, just waiting to become conduits of evil in your house.

You think I'm joking. But if you look at the state of router security, then you will know this is a big problem. And it's one that's nearly impossible for normal people to fix.

It's been like this for a long time. As you'd expect, hackers at infosec conferences yelling about abysmal router security have been ignored since well before connecting toasters and vibrators to the internet were someone's reckless IoT fantasy. Some of those presenters have even been harassed because of what they've said about how unsafe routers are.

While consumers remained in the dark, things like botnets grew.

That was, until the Mirai botnet took out half the internet last year -- through routers. Mirai loves routers. That was when most people found out what happens with internet appliances made by companies that give zero fucks about end-user security. That our routers were the gateway for lots of malicious activity. The big collective "we" learned that Mirai was in our homes, but router security was out of our hands.

That's why the Federal Trade Commission went after Taiwan computer-networking-equipment manufacturer D-Link Corp. and its US subsidiary in a new lawsuit this past week.

You see, D-Link routers have been identified as being among the devices used for Mirai botnet attacks.

They're also constantly being used as examples in hacking demonstrations. Hackers love D-Link. The company's products have their own section on popular hardware-hacking site Hack A day. In fact, D-Link has been running buggy firmware for so long that it's a constant source of hacking fun and games. Two recent examples include posts by embedded-device-hacker collective /dev/ttyS, which wrote Hacking the D-Link DIR-890L and What the Ridiculous Fuck, D-Link?!

In a lawsuit filed in federal California court, the FTC accused D-Link of placing consumers in harm's way with misrepresentations about its router and IP camera security. And the company's general lax approach to ensuring its end users were safe in just about every aspect, despite its promises.

The FTC wasn't nice about it. In its complaint, it stated that D-Link included "well-known and easily preventable software security flaws" in its products, and repeatedly failed to test and repair its software to prevent them from being abused. The complaint also says that "security gaps could allow hackers to watch and record people on their D-Link cameras without their knowledge, target them for theft or record private conversations."

The agency said D-Link was failing to ensure people had the most basic security safeguards that infosec-industry cornerstone OWASP has been warning about since 2007 (ouch). FTC also spanked the company for leaking its own private code-signing key in 2015 and leaving it in the open for months. That meant malicious hackers could make malware look like it was safe software coming straight from D-Link.

The government agency also raked D-Link over the coals for having hard-coded access credentials on its IP cameras. This would let anyone with the login spy on the camera's feed, and it can't be changed by the user.

The FTC was indeed making a statement about IoT security. Just one day earlier, the agency had announced its "Internet of Things Home Inspector Challenge" -- a bug bounty.

D-Link clapped back. Mere hours later, the company lashed out with a salty Q&A for its customers, a press release and statements sent to journalists. Chief Information Security Officer William Brown told the press the company "denies the allegations outlined in the complaint and intends to defend itself."

D-Link noted that the FTC didn't point out any specific cases of the company's products being breached in the US. "The FTC speculates that consumers were placed 'at risk' to be hacked," D-Link said, "but fails to allege, as it must, that actual consumers suffered or are likely to suffer actual substantial injuries." The company said it "maintains a robust range of procedures to address potential security issues, which exist in all Internet of Things (IOT) devices."

Considering that D-Link has retained the Cause of Action Institute, an American public-interest law firm whose mission is government accountability, this is destined to turn into a power struggle long before consumers see the benefits.

Many believe the FTC's complaint against D-Link is a warning shot at the IoT industry.

Personally, I'm not getting my hopes up. And it's not just because the other two major router manufacturers on the planet are just as hackable (like Cisco) and known for committing the same security fails as D-Link (like Huawei).

It's because the FTC hasn't shown us the money -- when it comes to actually punishing companies for screwing users, that is. I'm specifically referring to the Snapchat FTC settlement.

The FTC went after the app with the same argument it has against D-Link: not that the app was proved to have harmed anyone, but that it lied to its users about practically everything, most especially security and its "disappearing" photos.

In May 2014, the FTC announced its settlement agreement with Snapchat, formally acknowledging the app lied about privacy and security, and took user data without consent.

The settlement amounted to little more than a warning to stop lying, and submitting privacy reports to the FTC every six months for 20 years. No fines, restrictions or course-changing controls were imposed. Under the settlement, Snapchat would be free to keep doing what it's good at (bullshitting users about privacy and security).

With that settlement, the FTC certainly sent a message.

One that is easily ignored.