Electronic communications are crucial to the operation of devices connected to the Internet (IoT devices). Therefore, keeping these devices secure must be a high priority. Security vulnerabilities or deficiencies can both cause the unauthorized disclosure or modification of highly sensitive information collected by the IoT device, and cause the IoT device itself to become a conduit for harmful attacks on other devices or equipment connected to the Internet.
The FTC, on Jan. 5, 2017, filed a complaint in the Northern District of California against an IoT device manufacturer and its U.S. subsidiary for failure to take reasonable steps to secure the products that they sell to the United States market. The complaint alleges that security flaws in the products and misrepresentations about the security features of the products constitute unfair or deceptive acts or practices that violate Section 5(a) of the FTC Act, 15 U.S.C. § 45(a). The FTC requests a permanent injunction to prevent future violations of the FTC Act.
The complaint was filed against D-Link Corporation (D-Link), a Taiwanese corporation headquartered in Taipei City, Taiwan, and its subsidiary D-Link Systems, Inc. (DLS), a California corporation located in Fountain Valley, California (D-Link and DLS collectively, “Defendants”). D-Link designs, develops, markets, and manufactures networking devices, including consumer routers and IP cameras. DLS provides marketing and after-sale services integral to D-Link’s operations.
Since the filing of the complaint, the Defendants have vigorously denied the FTC’s allegations. Their declaration is posted on D-Link’s U.S. website.
The devices at issue in this action are routers and IP cameras that consumers use to monitor activities within their household (such as those of young children) or the security of their home while they are away. The IP cameras connect to routers, which forward data packets between the home network and the Internet. Like other routers, these routers also play a key role in securing consumers’ home networks: they function as a hardware firewall for the consumer’s local network and act as the first line of defense protecting the equipment connected to that network against malicious incoming traffic from the Internet.
IP cameras and routers can be remotely accessed through D-Link’s free “mydlink Lite” mobile application. The application is designed to require the user to enter a user name and password (login credentials) when the user first uses the app on a mobile device. After that, the application stores the user’s login credentials on that mobile device, keeping the user logged into the mobile app on that device.
The FTC claims that security deficiencies caused Defendants’ routers and cameras to be vulnerable to attacks that subject consumers’ sensitive personal information and local networks to a significant risk of unauthorized access and that the Defendants misrepresented the security capability of their products.
Deficient Security Measures
The FTC pointed to a number of deficiencies in the product design. In its complaint, it claims that the Defendants failed to take reasonable steps to protect their routers and IP cameras from widely known and reasonably foreseeable risks of unauthorized access, including well known flaws ranked among the most critical and widespread web application vulnerabilities for the past 10 years. These deficiencies included, among others, failure to:
- take reasonable testing and remediation measures to protect their routers and IP cameras against well-known and easily preventable software security flaws, such as “hard-coded” user credentials and other backdoors, and command injection flaws, which allow remote attackers to gain control of consumers’ devices;
- take reasonable steps to maintain the confidentiality of the private key that D-Link used to sign its software, including by failing to adequately restrict, monitor, and oversee handling of the key, resulting in the exposure of the private key on a public website for approximately six months; and
- use software, available at no cost since at least 2008, to secure users’ mobile app login credentials instead of storing those credentials in clear, readable text on a user’s mobile device.
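The first deficiency on the list, command injection in a router’s web interface, is the one most easily shown in code. The following is an added example written for this page; it is not code from the FTC complaint or from D-Link’s firmware. It shows the classic vulnerable pattern (a “ping” diagnostic form whose host field is spliced into a `system()` command line) next to a hardened version that allow-lists the host and runs `ping` through `execvp()` with an argument array, so no shell ever parses attacker-controlled text. The function names, the `ping -c 1` command and the injected payload are assumptions chosen for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* VULNERABLE: the pattern behind the command-injection flaws the FTC describes.
 * A web-UI "ping" diagnostic takes the target host from an HTTP form field and
 * splices it, unvalidated, into a shell command line that is then handed to
 * system(). The host value is attacker-controlled, so any shell metacharacter it
 * carries is interpreted by /bin/sh, which on most consumer routers runs as root.
 * Returns the length of the command built, or -1 if it did not fit. */
int vulnerable_build_ping_cmd(const char *host, char *cmd, size_t cmdlen)
{
    int n = snprintf(cmd, cmdlen, "ping -c 1 %s", host);
    /* the original handler would continue with: system(cmd); */
    return (n < 0 || (size_t)n >= cmdlen) ? -1 : n;
}

/* HARDENED step 1: allow-list the host. A hostname or IPv4 literal only needs
 * letters, digits, '.' and '-'; everything else (';', '|', '`', '$', spaces,
 * newlines ...) is rejected outright rather than escaped. A leading '-' is
 * refused too, so the value cannot be parsed by ping as an option.
 * Returns 1 if the host is acceptable, 0 otherwise. */
int is_safe_host(const char *host)
{
    size_t len = host ? strlen(host) : 0;
    if (len == 0 || len > 253 || host[0] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!isalnum(c) && c != '.' && c != '-')
            return 0;
    }
    return 1;
}

/* HARDENED step 2: never go through a shell. fork() + execvp() pass the host as
 * a single argv element, so even a value that slipped past the allow-list would
 * reach ping as one literal argument, never as shell syntax.
 * Returns ping's exit status, or -1 if the host was rejected or exec failed. */
int safe_ping(const char *host)
{
    if (!is_safe_host(host))
        return -1;                  /* rejected before any process is spawned */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "ping", "-c", "1", (char *)host, NULL };
        execvp(argv[0], argv);
        _exit(127);                 /* exec failed: do not fall back to a shell */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed input: what an attacker would type into the ping form field. */
    const char *payload = "8.8.8.8; cat /etc/passwd";
    char cmd[256];

    vulnerable_build_ping_cmd(payload, cmd, sizeof cmd);
    printf("vulnerable handler would hand to system(): %s\n", cmd);
    printf("is_safe_host(\"%s\") = %d\n", payload, is_safe_host(payload));
    printf("is_safe_host(\"8.8.8.8\") = %d\n", is_safe_host("8.8.8.8"));
    printf("safe_ping(payload) = %d (rejected, no process spawned)\n",
           safe_ping(payload));
    return 0;
}
```

Note that the allow-list alone is not the fix: escaping or filtering a few characters is exactly the approach that fails in the field, because the shell grammar has more metacharacters than any blacklist remembers. The fix is the combination of a strict allow-list and the removal of the shell from the execution path.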
Misrepresentations about Security
The FTC took particular notice of the public statements and claims of security made by the Defendants in their marketing documents. The FTC complaint points to numerous security statements that the Defendants made about the security of their routers and IP cameras in the “Security Event Response Policy,” and in the product brochures and user manuals available from their website, such as:
- under a bolded, italicized, all-capitalized heading, “EASY TO SECURE,” a statement that “the router supports the latest wireless security features to help prevent unauthorized access,” or
- under a bolded, italicized, all-capitalized heading, “ADVANCED NETWORK SECURITY,” a statement that “the router ensures a secure Wi-Fi network through the use of WPA/WPA2 wireless encryption”;
- under a bolded heading, “Advanced Network Security,” a statement that the router “supports the latest wireless security features to help prevent unauthorized access,” … and that the router “utilizes Stateful Packet Inspection Firewalls (SPI) to help prevent potential attacks from across the Internet,” or
- under a heading “128-bit Security Encryption,” a statement that the router “protects your network with 128-bit AES data security encryption – the same technology used in E-commerce or online banking” and “With hassle-free plug and play installation, and advanced Wi-Fi protected setup, the [router] is not only one of the fastest routers available, its [sic] also one of the safest.”
Unfair and Deceptive Practices
The FTC’s complaint includes one count claiming unfairness and five counts claiming deceptive practices. In the Unfairness Count, the FTC claims that the Defendants’ failure to take reasonable steps to secure the products they offered to consumers for protecting their local networks and sensitive information caused, or was likely to cause, substantial injury.
The deception counts argue that the Defendants’ claims (i) that their routers and IP cameras were secure from unauthorized access and control and (ii) with respect to the Security Event Response Policy were deceptive.
What Effect on IoT Device Manufacturers and Sellers
IoT device manufacturers and resellers should be aware of the significant security and compliance risks that might attach to their products and should take appropriate measures adapted to the nature of these risks. For several years, the FTC, as well as the information security community, has voiced concern over the significant security deficiencies of many IoT devices and the potentially drastic consequences of these deficiencies. These security issues recur and are becoming increasingly serious. It is becoming clear to all that IoT devices can be especially vulnerable to security deficiencies and that the exploitation of these deficiencies by bad actors can cause significant damage.
The FTC, in January 2015, published a Staff Report, “Internet of Things: Privacy and Security in a Connected World” (IoT Staff Report), outlining issues and providing recommendations. It has also investigated the practices of two IoT device manufacturers and resellers in circumstances, and with products, similar to those in the D-Link case. In the Matter of TRENDnet, Inc. was settled in February 2014, and In the Matter of ASUSTeK Computer, Inc. in July 2016. D-Link is the FTC’s third enforcement action in the IoT market.
The two FTC enforcement actions against TRENDnet, Inc. and ASUSTeK Computer, Inc. concluded with settlements that provide guidance for the IoT industry. In both cases, the consent decree provides for:
- supervision by the FTC of the investigated company’s security practices for 20 years from the date of the settlement; and
- a requirement to put in place a broad range of measures – from design to distribution to consumers – intended to increase the security of the relevant IoT devices and the company’s operations.
Similar actions are expected to come either at the initiative of the FTC or that of other enforcement agencies such as State Attorneys General. Class action suits have already been filed in cases involving security deficiencies in connected objects, for example, connected vehicles.
The fact that many IoT devices are relatively inexpensive does not excuse a lack of appropriate security measures adapted to the nature of the product, the information collected, and the risks to which the device, its users, and others might be exposed. These security measures will be expected, at a minimum, to meet the requirements described in generally accepted information security practices for the industry, which are also outlined in the FTC consent decrees.
A complete, effective and current information security program that provides adequate security measures for the development, manufacture, use, operation and support of IoT devices requires numerous technical, physical, and administrative measures and constant updates. A rigorous process should be followed.
It is clear from the FTC’s recent actions that enforcement agencies and consumers expect that those who place IoT devices on the market will have exercised appropriate efforts to ensure these adequate security measures are carefully planned, fully integrated in all phases of the product design, development, and operation, and adequately described in product documentation.