FTC Files Complaint Against Manufacturer of IoT Devices for Deficient Security Measures

The FTC, on Jan. 5, 2017, filed a complaint in the Northern District of California against an IoT device manufacturer and its U.S. subsidiary for failure to take reasonable steps to secure the products that they sell to the United States market.

Françoise Gilbert

January 30, 2017 09:04 AM

Electronic communications are crucial to the operation of devices connected to the Internet (IoT devices). Therefore, keeping these devices secure must be a high priority. Security vulnerabilities or deficiencies can both cause the unauthorized disclosure or modification of highly sensitive information collected by the IoT device, and cause the IoT device itself to become a conduit for harmful attacks on other devices or equipment connected to the Internet.

The FTC, on Jan. 5, 2017, filed a complaint in the Northern District of California against an IoT device manufacturer and its U.S. subsidiary for failure to take reasonable steps to secure the products that they sell to the United States market. The complaint alleges that security flaws in the products and misrepresentations about the security features of the products constitute unfair or deceptive acts or practices that violate Section 5(a) of the FTC Act, 15 U.S.C. § 45(a). The FTC requests a permanent injunction to prevent future violations of the FTC Act.

The complaint was filed against D-Link Corporation (D-Link), a Taiwanese corporation headquartered in Taipei City, Taiwan, and its subsidiary D-Link Systems, Inc. (DLS), a California corporation located in Fountain Valley, California (D-Link and DLS collectively, “Defendants”). D-Link designs, develops, markets, and manufactures networking devices, including consumer routers and IP cameras. DLS provides marketing and after-sale services integral to D-Link’s operations.

Since the filing of the complaint, the Defendants have vigorously denied the FTC’s allegations. Their declaration is posted on D-Link’s U.S. website.

D-Link Devices

The devices at stake in this action are routers and IP cameras that consumers use to monitor activities within their household (such as those of young children) or the security of their home while they are away. The IP cameras are connected to routers that forward data packets along a network. Like other routers, these routers also play a key role in securing consumers’ home networks, functioning as a hardware firewall for the consumer’s local network, and acting as the first line of defense in protecting the consumer’s equipment connected to the local network against malicious incoming traffic from the Internet.

IP cameras and routers can be remotely accessed through D-Link’s free “mydlink Lite” mobile application. The application is designed to require the user to enter a user name and password (login credentials) when the user first uses the app on a mobile device. After that, the application stores the user’s login credentials on that mobile device, keeping the user logged into the mobile app on that device.

FTC Claims

The FTC claims that security deficiencies caused Defendants’ routers and cameras to be vulnerable to attacks that subject consumers’ sensitive personal information and local networks to a significant risk of unauthorized access and that the Defendants misrepresented the security capability of their products.

Deficient Security Measures

The FTC pointed to a number of deficiencies in the product design. In its complaint, it claims that the Defendants failed to take reasonable steps to protect their routers and IP cameras from widely known and reasonably foreseeable risks of unauthorized access, including well-known flaws ranked among the most critical and widespread web application vulnerabilities for the past 10 years. These deficiencies included, among others, failure to:

  • take reasonable testing and remediation measures to protect their routers and IP cameras against well-known and easily preventable software security flaws, such as “hard-coded” user credentials and other backdoors, and command injection flaws, which allow remote attackers to gain control of consumers’ devices;
  • take reasonable steps to maintain the confidentiality of the private key that D-Link used to sign its software, including by failing to adequately restrict, monitor, and oversee handling of the key, resulting in the exposure of the private key on a public website for approximately six months; and
  • use software, available at no cost since at least 2008, to secure users’ mobile app login credentials instead of storing those credentials in clear, readable text on a user’s mobile device.

Misrepresentations about Security

The FTC took particular notice of the public statements and claims of security made by the Defendants in their marketing documents. The FTC complaint points to numerous security statements that the Defendants made about the security of their routers and IP cameras in the “Security Event Response Policy,” and in the product brochures and user manuals available from their website, such as:

  • under a bolded, italicized, all-capitalized heading, “EASY TO SECURE,” a statement that “the router supports the latest wireless security features to help prevent unauthorized access,” or
  • under a bolded, italicized, all-capitalized heading, “ADVANCED NETWORK SECURITY,” a statement that “the router ensures a secure Wi-Fi network through the use of WPA/WPA2 wireless encryption”;
  • under a bolded heading, “Advanced Network Security,” a statement that “the router supports the latest wireless security features to help prevent unauthorized access,” … and that the router “utilizes Stateful Packet Inspection Firewalls (SPI) to help prevent potential attacks from across the Internet,” or
  • under a heading “128-bit Security Encryption,” a statement that the router “protects your network with 128-bit AES data security encryption – the same technology used in E-commerce or online banking” and “With hassle-free plug and play installation, and advanced Wi-Fi protected setup, the [router] is not only one of the fastest routers available, its [sic] also one of the safest.”

Unfair and Deceptive Practices

The FTC’s complaint includes one count claiming unfairness and five counts claiming deceptive practices. In the Unfairness Count, the FTC claims that the Defendants’ failure to take reasonable steps to secure the products they offered to consumers for protecting their local networks and sensitive information caused, or was likely to cause, substantial injury.

The deceptiveness prong of the complaint, in four different counts, argues that the Defendants’ claims (i) that their routers and IP cameras were secure from unauthorized access and control and (ii) with respect to the Security Event Response Policy were deceptive.

What Effect on IoT Device Manufacturers and Sellers

IoT device manufacturers and resellers should be aware of the significant security and compliance risks that might attach to their products and should take appropriate measures that are adapted to the nature of these risks. For several years, the FTC, as well as the information security community, has voiced its concerns over the significant security deficiencies of many IoT devices and the potentially drastic consequences of these deficiencies. These types of security issues are recurring and becoming increasingly serious. It is becoming clear to all that IoT devices can be especially vulnerable to security deficiencies and that the exploitation of these security deficiencies by bad actors can cause significant damage.

The FTC, in January 2015, published a Staff Report, Internet of Things, Privacy and Security in a Connected World (IoT Staff Report), outlining issues and providing recommendations. It has also investigated the practices of two IoT device manufacturers and resellers in circumstances, and with products, similar to those in the D-Link case. In the Matter of TRENDnet, Inc. was settled in February 2014, and In the Matter of ASUSTeK Computer, Inc., in July 2016. D-Link is the FTC’s third initiative in the IoT market.

The two FTC enforcement actions against TRENDnet, Inc. and ASUSTeK Computer, Inc. concluded with settlements that provide guidance for the IoT industry. In both cases, the consent decree provides for:

  • supervision by the FTC of the investigated company’s security practices for 20 years from the date of the settlement; and
  • a requirement to put in place a broad range of measures – from design to distribution to consumers – intended to increase the security of the relevant IoT devices and the company’s operations.

Similar actions are expected to come either at the initiative of the FTC or that of other enforcement agencies such as State Attorneys General. Class action suits have already been filed in cases involving security deficiencies in connected objects, for example, connected vehicles.

The fact that many IoT devices are relatively inexpensive does not excuse a lack of appropriate security measures adapted to the nature of the product, the information collected, and the risks to which the device, its users, and others might be exposed. These security measures will be expected, at a minimum, to meet the requirements described in generally accepted information security practices for the industry, which are also outlined in the FTC consent decrees.

A complete, efficient, appropriate, current information security program that provides adequate security measures for the development, manufacture, use, operation, and support of IoT devices requires numerous technical, physical, and administrative measures and constant updates. A rigorous process should be followed.

It is clear from the FTC’s recent actions that enforcement agencies and consumers expect that those who place IoT devices on the market will have exercised appropriate efforts to ensure these adequate security measures are carefully planned, fully integrated in all phases of the product design, development, and operation, and adequately described in product documentation.
