
FTC Files Complaint Against Manufacturer of IoT Devices for Deficient Security Measures

The FTC, on Jan. 5, 2017, filed a complaint in the Northern District of California against an IoT device manufacturer and its U.S. subsidiary for failure to take reasonable steps to secure the products that they sell to the United States market.

Françoise Gilbert

January 30, 2017 09:04 AM

Electronic communications are crucial to the operation of devices connected to the Internet (IoT devices). Therefore, keeping these devices secure must be a high priority. Security vulnerabilities or deficiencies can both cause the unauthorized disclosure or modification of highly sensitive information collected by the IoT device, and cause the IoT device itself to become a conduit for harmful attacks on other devices or equipment connected to the Internet.

The FTC, on Jan. 5, 2017, filed a complaint in the Northern District of California against an IoT device manufacturer and its U.S. subsidiary for failure to take reasonable steps to secure the products that they sell to the United States market. The complaint alleges that security flaws in the products and misrepresentations about the security features of the products constitute unfair or deceptive acts or practices that violate Section 5(a) of the FTC Act, 15 U.S.C. § 45(a). The FTC requests a permanent injunction to prevent future violations of the FTC Act.

The complaint was filed against D-Link Corporation (D-Link), a Taiwanese corporation headquartered in Taipei City, Taiwan, and its subsidiary D-Link Systems, Inc. (DLS), a California corporation located in Fountain Valley, California (D-Link and DLS collectively, “Defendants”). D-Link designs, develops, markets, and manufactures networking devices, including consumer routers and IP cameras. DLS provides marketing and after-sale services integral to D-Link’s operations.

Since the filing of the complaint, the Defendants have vigorously denied the FTC’s allegations. Their declaration is posted on D-Link’s U.S. website.

D-Link Devices

The devices at stake in this action are routers and IP cameras that consumers use to monitor activities within their household (such as those of young children) or the security of their home while they are away. The IP cameras are connected to routers that forward data packets along a network. Like other routers, these routers also play a key role in securing consumers’ home networks, functioning as a hardware firewall for the consumer’s local network, and acting as the first line of defense in protecting the consumer’s equipment connected to the local network against malicious incoming traffic from the Internet.

IP cameras and routers can be remotely accessed through D-Link’s free “mydlink Lite” mobile application. The application is designed to require the user to enter a user name and password (login credentials) when the user first uses the app on a mobile device. After that, the application stores the user’s login credentials on that mobile device, keeping the user logged into the mobile app on that device.

FTC Claims

The FTC claims that security deficiencies caused Defendants’ routers and cameras to be vulnerable to attacks that subject consumers’ sensitive personal information and local networks to a significant risk of unauthorized access and that the Defendants misrepresented the security capability of their products.

Deficient Security Measures

The FTC pointed to a number of deficiencies in the product design. In its complaint, it claims that the Defendants failed to take reasonable steps to protect their routers and IP cameras from widely known and reasonably foreseeable risks of unauthorized access, including well-known flaws ranked among the most critical and widespread web application vulnerabilities for the past 10 years. These deficiencies included, among others, failure to:

  • take reasonable testing and remediation measures to protect their routers and IP cameras against well-known and easily preventable software security flaws, such as “hard-coded” user credentials and other backdoors, and command injection flaws, which allow remote attackers to gain control of consumers’ devices;
  • take reasonable steps to maintain the confidentiality of the private key that D-Link used to sign its software, including by failing to adequately restrict, monitor, and oversee handling of the key, resulting in the exposure of the private key on a public website for approximately six months; and
  • use software, available at no cost since at least 2008, to secure users’ mobile app login credentials instead of storing those credentials in clear, readable text on a user’s mobile device.

Misrepresentations about Security

The FTC took particular notice of the public statements and claims of security made by the Defendants in their marketing documents. The FTC complaint points to numerous security statements that the Defendants made about the security of their routers and IP cameras in the “Security Event Response Policy,” and in the product brochures and user manuals available from their website, such as:

  • under a bolded, italicized, all-capitalized heading, “EASY TO SECURE,” a statement that “the router supports the latest wireless security features to help prevent unauthorized access,” or
  • under a bolded, italicized, all-capitalized heading, “ADVANCED NETWORK SECURITY,” a statement that “the router ensures a secure Wi-Fi network through the use of WPA/WPA2 wireless encryption”;
  • under a bolded heading, “Advanced Network Security,” a statement that “the router supports the latest wireless security features to help prevent unauthorized access,” … and that the router “utilizes Stateful Packet Inspection Firewalls (SPI) to help prevent potential attacks from across the Internet,” or
  • under a heading “128-bit Security Encryption,” a statement that the router “protects your network with 128-bit AES data security encryption – the same technology used in E-commerce or online banking” and “With hassle-free plug and play installation, and advanced Wi-Fi protected setup, the [router] is not only one of the fastest routers available, its [sic] also one of the safest.”

Unfair and Deceptive Practices

The FTC’s complaint includes one count claiming unfairness and five counts claiming deceptive practices. In the Unfairness Count, the FTC claims that the Defendants’ failure to take reasonable steps to secure the products they offered to consumers for protecting their local networks and sensitive information caused, or was likely to cause, substantial injury.

The deceptiveness prong of the complaint, in four different counts, argues that the Defendants’ claims (i) that their routers and IP cameras were secure from unauthorized access and control and (ii) with respect to the Security Event Response Policy were deceptive.

What Effect on IoT Device Manufacturers and Sellers

IoT device manufacturers and resellers should be aware of the significant security and compliance risks that might attach to their products and should take appropriate measures that are adapted to the nature of these risks. For several years, the FTC, as well as the information security community, has voiced concerns over the significant security deficiencies of many IoT devices, and the potential drastic consequences of these deficiencies. These types of security issues are recurring and becoming increasingly serious. It is becoming clear to all that IoT devices can be especially vulnerable to security deficiencies and that the exploitation of these security deficiencies by bad actors can cause significant damage.

The FTC, in January 2015, published a Staff Report, Internet of Things, Privacy and Security in a Connected World (IoT Staff Report), outlining issues and providing recommendations. It has also investigated the practices of two IoT device manufacturers and resellers in circumstances, and with products, similar to those in the D-Link case. In the Matter of TRENDnet, Inc. was settled in February 2014, and In the Matter of ASUSTeK Computer, Inc., in July 2016. D-Link is the FTC’s third initiative in the IoT market.

The two FTC enforcement actions against TRENDnet, Inc. and ASUSTeK Computer, Inc. concluded with settlements that provide guidance for the IoT industry. In both cases, the consent decree provides for:

  • supervision by the FTC of the investigated company’s security practices for 20 years from the date of the settlement; and
  • a requirement to put in place a broad range of measures – from design to distribution to consumers – intended to increase the security of the relevant IoT devices and the company’s operations.

Similar actions are expected to come either at the initiative of the FTC or that of other enforcement agencies such as State Attorneys General. Class action suits have already been filed in cases involving security deficiencies in connected objects, for example, connected vehicles.

The fact that many IoT devices are relatively inexpensive does not excuse a lack of appropriate security measures adapted to the nature of the product, the information collected, and the risks to which the device, its users, and others might be exposed. These security measures will be expected, at a minimum, to meet the requirements described in generally accepted information security practices for the industry, which are also outlined in the FTC consent decrees.

A complete, efficient, appropriate, current information security program that provides adequate security measures for the development, manufacture, use, operation, and support of IoT devices requires numerous technical, physical, and administrative measures and constant updates. A rigorous process should be followed.

It is clear from the FTC’s recent actions that enforcement agencies and consumers expect that those who place IoT devices on the market will have exercised appropriate efforts to ensure these adequate security measures are carefully planned, fully integrated in all phases of the product design, development, and operation, and adequately described in product documentation.
