D-Link logo

The US Federal Trade Commission (FTC) has filed a lawsuit against D-Link, a Taiwanese hardware manufacturer, for misrepresentations about the security of various devices it sold in the US, and for failing to take action and secure devices when security flaws were reported.

According to the FTC's complaint, available in full at the end of the article, the US organization is accusing D-Link of gross negligence when it comes to fixing security flaws in its devices.

As a result of D-Link's failure to take actions, the FTC says that hackers have taken control over US consumers' D-Link devices, and have utilized them for various cybercrime operations, but also used the access to these devices to spy on users, such as intercepting web traffic and watching audio and video streams.

The Commission specifically cites products such as wireless routers and Internet cameras (IP cameras, DVRs, and baby monitors).

D-Link has failed to address security bugs in due time

Among the issues the FTC has taken to heart, the complaint mentions the following security mishaps:

  • Hardcoded login credentials included in D-Link's firmware, which are also easy to guess. For example, a username of "guest" with the password "guest."
  • A command injection security flaw that allows attackers to take control of D-Link devices
  • Login credentials for the D-Link mobile app saved in clear text on the user's phone.
  • Mishandling private keys that D-Link's staff left on a public server for more than six months.

Furthermore, the FTC says that D-Link had intentionally promoted its products on its websites and brochures using terms as "easy to secure" and "advanced network security." The Commission argues that D-Link has misrepresented its products by failing to address security issues.

D-Link is the second Taiwanese hardware vendor that the FTC has sued. The first was ASUS, with whom the FTC had reached a settlement in February 2016.

According to the settlement's terms, ASUS agreed to submit itself to independent security audits for the next 20 years.