Millions of Americans are familiar with D-Link routers: They're often rented to consumers by default when they sign up for cable modem packages. But to the FTC, D-Link's routers and webcams are a security risk.
Earlier this month, the FTC announced it was charging the Taiwan-based computer networking equipment manufacturer with putting consumers at risk by leaving "its wireless routers and Internet cameras vulnerable to hackers."
Among the potential issues with D-Link's equipment are "hard-coded" logins and passwords within its camera software that are easily guessed by hackers; a command injection flaw within its router software; a private keycode for D-Link's software on the company's website that was public for six months; and leaving users' login and passwords exposed through D-Link's mobile app in readable text.
D-Link's chief information security officer, William Brown, thinks it was a premature call, as no breaches have been reported.
"The FTC has made unwarranted and baseless charges that D-Link Systems has failed to take reasonable steps to secure the software for their routers and IP cameras' against hacking," said Brown. "D-Link Systems maintains a robust range of procedures to address potential security issues, which exist in all Internet of Things (IOT) devices. The complaint does not allege any breach of a D-Link Systems device. Instead, the FTC speculates that consumers were placed 'at risk' to be hacked, but fails to allege, as it must, that actual consumers suffered or are likely to suffer actual substantial injuries."
D-Link has since announced a partnership with a public interest law firm, Cause of Action Institute, which argues the FTC action is "another instance of the FTC's unchecked regulatory overreach."
What Can Consumers Do?
According to Charles Henderson, global head of X-Force Red at IBM Security, "the consumer market is in a state where no firm is really perfect. Many firms build products for the consumer market [without adopting] security best practices that we see in the corporate world.
"It seems a bit strange to pick one firm out and say 'all your fault,'" he added.
Still, as Engadget points out, "Hackers love D-Link" and frequently use the company's routers to demonstrate vulnerabilities (though it's not the only offender). The Mirai botnet that targeted DNS provider Dyn last year via insecure IoT gadgets, making many top web services temporarily inaccessible, also targeted UK telecom firm TalkTalk and the D-Link router it provided to customers.
ISPs rent out thousands of routers to consumers. "They need a consistent method to access those routers, which probably come from every manufacturing company out there. It's about the path of least resistance—what's easiest and fastest to maintain," Henderson said. Unfortunately, "when they do that, it's usually absent a clear and decisive security policy."
What's a consumer to do if cable companies or manufacturers aren't held responsible? One way to secure routers is to adopt corporate standards at the consumer level, as there isn't a leading certification or set standard for securing devices. The International Organization for Standardization (ISO) issued its own voluntary best practice certification, but it's geared toward corporate entities.
It falls on the consumer to make sure their firmware is up to date by checking a device's support status on a manufacturer's website. If a consumer is renting a router from a cable operator, it likely won't occur to them to change the router's settings, or they might not understand when or how to opt out of a service.
Related
- How to Access Your Wi-Fi Router's SettingsHow to Access Your Wi-Fi Router's Settings
As such, Henderson recommends that consumers continuously check their firmware for support updates on a firm's website, even if they set it to auto update, as devices often fall out of support and companies don't always let consumers know.
At this year's CES, PCMag saw several routers and services that claim to secure IoT gadgets. The Norton Core, for example, offers deep packet inspection to detect threats and "immediately quarantine the device to a segregated network and send an alert to the user." Bitdefender's new Box V2, meanwhile, adds an enhanced assessment tool that scans for weak or default passwords and other vulnerabilities hackers could exploit. Stay tuned to PCMag.com for full reviews of both gadgets when they arrive later this year.
For more, check out 12 Ways to Secure Your Wi-Fi Network.