D-Link agrees to 10 years of security audits to settle FTC case

After years of litigation and countless security issues, D-Link has settled its case with the Federal Trade Commission over poor security practices. Under the terms of the settlement, the company has agreed to implement a comprehensive security program for its routers and webcams, including third-party security audits every two years until 2030. The company is also required to check for security vulnerabilities before releasing a product, actively monitor for vulnerabilities once a product is released, and accept reports from third-party security researchers.

“We sued D-Link over the security of its routers and IP cameras, and these security flaws risked exposing users’ most sensitive personal information to prying eyes,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, in a statement. “Manufacturers and sellers of connected devices should be aware that the FTC will hold them to account for failures that expose user data to risk of compromise.”

Security was notoriously bad among the early generation of webcams, but D-Link’s practices were particularly egregious. The webcam was hard-coded to a single, easily guessed password, which could not be changed if it became compromised. Additionally, the mobile app used to log in stored its credentials in plain text, greatly increasing the risk of compromise.

Still, those security issues don’t seem to have slowed down the company’s push towards internet-of-things devices. At CES 2019, the company announced a new 5G-capable router, alongside a range of smart plugs, water sensors, and other smart home devices.

https://www.theverge.com/2019/7/4/20682372/d-link-ftc-settlement-security-vulnerability-hacking