US government sues D-Link over alleged security flaws

The Federal Trade Commission files suit against the router and webcam company, saying security was inadequate in its Internet of Things devices.

The Federal Trade Commission is taking D-Link to court, accusing the company of poor security practices for its routers, web cameras, baby monitors and other products.

The lawsuit (PDF), filed in San Francisco’s district court, argues that D-Link failed to meet security standards from 2007, leaving widespread vulnerabilities open to hackers.

The commission alleges that D-Link coded easy-to-crack login credentials into its camera software, enabling hackers to easily spy on the company’s customers.

The FTC also accuses D-Link of failing to encrypt passwords on its mobile app, instead leaving the codes in plain text on devices for anyone nearby to read. D-Link also failed to address a “command injection” software flaw, which would let hackers hijack routers from remote locations, according to the FTC.

“As a result of Defendants’ failures, thousands of Defendants’ routers and cameras have been vulnerable to attacks that subject consumers’ sensitive personal information and local networks to a significant risk of unauthorized access,” the FTC said in its complaint.

If a customer’s router was hacked, the FTC said, attackers could redirect users to fake websites where the hackers would be able to retrieve sensitive information through phishing. Hacked surveillance cameras are the leading soldiers in botnets, zombie armies of compromised smart devices used for distributed denial of service attacks.

In an October DDoS attack that took down web favorites like Netflix, Spotify and Twitter, hundreds of thousands of security cameras from around the world were hacked and used to overwhelm the services with floods of data requests.

The FTC is worried hackers have been exploiting security flaws in D-Link’s cameras to use the devices in similar assaults. It accused the company of lying about its practices in its ads, in which D-Link promised “advanced network security.”

In a statement, D-Link said it would fight the FTC’s lawsuit, pointing out that the complaint says buyers were at risk but fails to point out any examples of actual hacking.

“D-Link Systems, Inc. will vigorously defend itself against the unwarranted and baseless charges made by the Federal Trade Commission,” the company said in its statement.
