The Federal Trade Commission (FTC) filed a complaint against D-Link saying the company failed to secure its routers and internet-connected cameras.
If the FTC's complaint is accurate, this is the latest example of companies putting their customers and the rest of the internet at risk via faulty security. Hacking a router or IP camera doesn't just make it easy to compromise someone's personal information or snoop on them--it also provides the platform needed to conduct large-scale attacks on critical infrastructure. One company's failing can lead to problems for countless individuals and organizations.
Yet many companies are either uninterested in security or unable to keep pace with malicious actors. On the router side, Netgear recently introduced a bug bounty program after one researcher's disclosure of critical flaws in the company's routers went unnoticed for roughly four months. IP cameras have also had issues: Bitdefender found many problems with an unidentified company's products, and multiple backdoors were discovered in Sony's devices.
The FTC discovered many issues with D-Link's products. The commission said that basic credentials, such as "guest" as both username and password, were hard-coded into the devices; that a private key code used to log in to D-Link's software was available on a public website for six months; that the routers were vulnerable to command injection attacks; and that login credentials for the company's mobile app were stored in plain text on the device.
Here's how these failings could have been exploited, according to the FTC:
According to the complaint, hackers could exploit these vulnerabilities using any of several simple methods. For example, using a compromised router, an attacker could obtain consumers’ tax returns or other files stored on the router’s attached storage device. They could redirect a consumer to a fraudulent website, or use the router to attack other devices on the local network, such as computers, smartphones, IP cameras, or connected appliances. [...] The FTC alleges that by using a compromised camera, an attacker could monitor a consumer’s whereabouts in order to target them for theft or other crimes, or watch and record their personal activities and conversations.
Insecure products can also lead to problems outside the home. Internet of Things (IoT) products were implicated in an attack that brought down popular websites like Twitter, Spotify, and many others in November, and the Institute for Critical Infrastructure Technology warned in December that these gizmos could threaten entire nations. Hopefully the FTC joining the chorus of calls for improved security will help make these attacks less likely in the future.