FTC Files Complaint Against Manufacturer of IoT Devices for Deficient Security Measures

The FTC, on Jan. 5, 2017, filed a complaint in the Northern District of California against an IoT device manufacturer and its U.S. subsidiary for failure to take reasonable steps to secure the products that they sell to the United States market.

FTC & Cyber Security
Françoise Gilbert

January 30, 2017 09:04 AM

Electronic communications are crucial to the operation of devices connected to the Internet (IoT devices). Therefore, keeping these devices secure must be a high priority. Security vulnerabilities or deficiencies can both cause the unauthorized disclosure or modification of highly sensitive information collected by the IoT device, and cause the IoT device itself to become a conduit for harmful attacks on other devices or equipment connected to the Internet.

The FTC, on Jan. 5, 2017, filed a complaint in the Northern District of California against an IoT device manufacturer and its U.S. subsidiary for failure to take reasonable steps to secure the products that they sell to the United States market. The complaint alleges that security flaws in the products and misrepresentations about the security features of the products constitute unfair or deceptive acts or practices that violate Section 5(a) of the FTC Act, 15 U.S.C. § 45(a). The FTC requests a permanent injunction to prevent future violations of the FTC Act.

The complaint was filed against D-Link Corporation (D-Link), a Taiwanese corporation headquartered in Taipei City, Taiwan, and its subsidiary D-Link Systems, Inc. (DLS), a California corporation located in Fountain Valley, California (D-Link and DLS collectively, “Defendants”). D-Link designs, develops, markets, and manufactures networking devices, including consumer routers and IP cameras. DLS provides marketing and after-sale services integral to D-Link’s operations.

Since the filing of the complaint, the Defendants have vigorously denied the FTC’s allegations. Their declaration is posted on D-Link’s U.S. website.

D-Link Devices

The devices at stake in this action are routers and IP cameras that consumers use to monitor activities within their household (such as those of young children) or the security of their home while they are away. The IP cameras are connected to routers that forward data packets along a network. Like other routers, these routers also play a key role in securing consumers’ home networks, functioning as a hardware firewall for the consumer’s local network, and acting as the first line of defense in protecting the consumer’s equipment connected to the local network against malicious incoming traffic from the Internet.

IP cameras and routers can be remotely accessed through D-Link’s free “mydlink Lite” mobile application. The application is designed to require the user to enter a user name and password (login credentials) when the user first uses the app on a mobile device. After that, the application stores the user’s login credentials on that mobile device, keeping the user logged into the mobile app on that device.

FTC Claims

The FTC claims that security deficiencies caused Defendants’ routers and cameras to be vulnerable to attacks that subject consumers’ sensitive personal information and local networks to a significant risk of unauthorized access and that the Defendants misrepresented the security capability of their products.

Deficient Security Measures

The FTC pointed to a number of deficiencies in the product design. In its complaint, it claims that the Defendants failed to take reasonable steps to protect their routers and IP cameras from widely known and reasonably foreseeable risks of unauthorized access, including well-known flaws ranked among the most critical and widespread web application vulnerabilities for the past 10 years. These deficiencies included, among others, failure to:

  • take reasonable testing and remediation measures to protect their routers and IP cameras against well-known and easily preventable software security flaws, such as “hard-coded” user credentials and other backdoors, and command injection flaws, which allow remote attackers to gain control of consumers’ devices;
  • take reasonable steps to maintain the confidentiality of the private key that D-Link used to sign its software, including by failing to adequately restrict, monitor, and oversee handling of the key, resulting in the exposure of the private key on a public website for approximately six months; and
  • use software, available at no cost since at least 2008, to secure users’ mobile app login credentials instead of storing those credentials in clear, readable text on a user’s mobile device.

Misrepresentations about Security

The FTC took particular notice of the public statements and claims of security made by the Defendants in their marketing documents. The FTC complaint points to numerous security statements that the Defendants made about the security of their routers and IP cameras in the “Security Event Response Policy,” and in the product brochures and user manuals available from their website, such as:

  • under a bolded, italicized, all-capitalized heading, “EASY TO SECURE,” a statement that “the router supports the latest wireless security features to help prevent unauthorized access”;
  • under a bolded, italicized, all-capitalized heading, “ADVANCED NETWORK SECURITY,” a statement that “the router ensures a secure Wi-Fi network through the use of WPA/WPA2 wireless encryption”;
  • under a bolded heading, “Advanced Network Security,” a statement that the router “supports the latest wireless security features to help prevent unauthorized access,” … and that the router “utilizes Stateful Packet Inspection Firewalls (SPI) to help prevent potential attacks from across the Internet”; or
  • under a heading “128-bit Security Encryption,” a statement that the router “protects your network with 128-bit AES data security encryption – the same technology used in E-commerce or online banking” and “With hassle-free plug and play installation, and advanced Wi-Fi protected setup, the [router] is not only one of the fastest routers available, its [sic] also one of the safest.”

Unfair and Deceptive Practices

The FTC’s complaint includes one count claiming unfairness and five counts claiming deceptive practices. In the Unfairness Count, the FTC claims that the Defendants’ failure to take reasonable steps to secure the products they offered to consumers for protecting their local networks and sensitive information caused, or was likely to cause, substantial injury.

The deceptiveness prong of the complaint, in four different counts, argues that the Defendants’ claims (i) that their routers and IP cameras were secure from unauthorized access and control and (ii) with respect to the Security Event Response Policy were deceptive.

What Effect on IoT Device Manufacturers and Sellers

IoT device manufacturers and resellers should be aware of the significant security and compliance risks that might attach to their products and should take appropriate measures that are adapted to the nature of these risks. For several years, the FTC, as well as the information security community, has voiced concerns over the significant security deficiencies of many IoT devices and the potentially drastic consequences of these deficiencies. These types of security issues are recurring and becoming increasingly serious. It is becoming clear to all that IoT devices can be especially vulnerable to security deficiencies and that the exploitation of these security deficiencies by bad actors can cause significant damage.

The FTC, in January 2015, published a Staff Report, Internet of Things, Privacy and Security in a Connected World (IoT Staff Report), outlining issues and providing recommendations. It has also investigated the practices of two IoT device manufacturers and resellers in circumstances, and with products, similar to those in the D-Link case. In the Matter of TRENDnet, Inc. was settled in February 2014, and In the Matter of ASUSTeK Computer, Inc., in July 2016. D-Link is the FTC’s third initiative in the IoT market.

The two FTC enforcement actions against TRENDnet, Inc. and ASUSTeK Computer, Inc. concluded with settlements that provide guidance for the IoT industry. In both cases, the consent decree provides for:

  • supervision by the FTC of the investigated company’s security practices for 20 years from the date of the settlement; and
  • a requirement to put in place a broad range of measures – from design to distribution to consumers – intended to increase the security of the relevant IoT devices and the company’s operations.

Similar actions are expected to come either at the initiative of the FTC or that of other enforcement agencies such as State Attorneys General. Class action suits have already been filed in cases involving security deficiencies in connected objects, for example, connected vehicles.

The fact that many IoT devices are relatively inexpensive does not excuse a lack of appropriate security measures adapted to the nature of the product, the information collected, and the risks to which the device, its users, and others might be exposed. These security measures will be expected, at a minimum, to meet the requirements described in generally accepted information security practices for the industry, which are also outlined in the FTC consent decrees.

A complete, efficient, appropriate, current information security program that provides adequate security measures for the development, manufacture, use, operation, and support of IoT devices requires numerous technical, physical, and administrative measures and constant updates. A rigorous process should be followed.

It is clear from the FTC’s recent actions that enforcement agencies and consumers expect that those who place IoT devices on the market will have exercised appropriate efforts to ensure these adequate security measures are carefully planned, fully integrated in all phases of the product design, development, and operation, and adequately described in product documentation.
