By D. John Hendrickson
The FTC has filed a complaint in the Northern District of California alleging that D-Link Corporation, a Taiwan-based manufacturer, failed to take adequate steps to protect its routers and Internet cameras from readily preventable security flaws, and yet touted the security of its routers in the company’s promotional materials.
The D-Link products at issue allow consumers to, among other things, monitor the security of their homes or the safety of young children by remotely accessing live video and audio feeds using a mobile device or computer. Apparently sensitive to growing consumer concerns over network security and privacy, the company’s website prominently featured claims such as “Easy to Secure” and “Advanced Network Security,” and also included a Security Event Response Policy assuring potential customers that “D-Link prohibits at all times…any intentional product features or behaviors which allow unauthorized access to the device or network, including but not limited to undocumented account credentials, covert communication channels, ‘backdoors’ or undocumented traffic diversion.”
However, according to the Commission, the products are in fact vulnerable to hackers who, among other things, might gain access to a compromised camera and spy on a consumer at home in order to target the individual for a future theft or other crime. The complaint alleges that D-Link’s conduct was “unfair” as contemplated by the FTC Act due to the company’s failure to take reasonable steps to secure its software, and that the company’s advertising claims promoting the security of its products were “deceptive” under the Act. Among the security flaws the FTC identified in the company’s products were these:
- “hard-coded” login credentials integrated into D-Link camera software — such as the username “guest” and the password “guest” — that could allow unauthorized access to the cameras’ live feed;
- a software flaw known as “command injection” that could enable remote attackers to take control of consumers’ routers by sending them unauthorized commands over the Internet;
- the mishandling of a private key code used to sign into D-Link software, such that it was openly available on a public website for six months; and
- leaving users’ login credentials for D-Link’s mobile app unsecured in clear, readable text on their mobile devices, even though there is free software available to secure the information.
It is clear that privacy issues will remain a top priority for the Federal Trade Commission in 2017, especially with regard to the Internet of Things. With this in mind, marketers and their legal counsel should be familiar with the Commission’s report on the Internet of Things and its specific recommendations for companies developing Internet of Things devices. Beyond this, advertisers in this category should be aware that even seemingly “soft” claims such as “Easy to Secure” need to receive a critical second look with a view toward confirming adequate substantiation. While consumers are becoming ever more reliant on connected devices – and while these products offer convenience and efficiency – the implications for potential compromise of network security and consumer privacy are profound and will continue to garner the attention of regulators.