FTC Complaint Alleges IoT Vendor’s Security Promises Don’t Match Its Practices

The FTC’s first data security enforcement action in 2017 sends a clear signal to vendors serving the Internet of Things (“IoT”) marketplace: make sure your data security promises match your data security practices.  IoT is in the spotlight following last year’s DDoS attacks—which were reportedly perpetrated by hackers who amplified their attacks using insecure IoT devices.

The FTC’s Jan. 5 complaint in federal court in San Francisco alleges that D-Link Corp., one of the largest manufacturers of Internet-enabled products, such as routers and connected security cameras, had engaged in unfair and deceptive practices as a result of the company’s failure to take reasonable steps to secure this equipment.  The FTC has asked the court to issue a permanent injunction barring D-Link from future violations of the FTC Act. This is the FTC’s second complaint against a router company.  As we explained in prior posts, the FTC settled a complaint against ASUSTek Computer, Inc. for unfair security practices and misrepresentations to consumers about its products’ security.

The FTC alleges that D-Link’s practices failed to:

  • take “reasonable” steps to protect against “widely known and reasonably foreseeable risks of unauthorized access,” specifically arguing that D-Link’s products failed to protect against known flaws identified by the Open Web Application Security Project since 2007
  • protect against “well known and easily preventable” software security flaws like hard-coded user credentials
  • maintain the confidentiality of its private key used to sign update software available on its website because the private key was available on a public website for 6 months
  • use “free software, available since at least 2008” to secure users’ mobile app login credentials

The FTC claims that these failures created risks and harms to consumers that violate the company’s duties under Section 5. Specifically, the fact that attackers could “take simple steps, using widely available tools” to locate and exploit devices meant that there was a “significant” risk to consumers. The FTC cited several potential harms that could permit hackers to: gain unauthorized access to consumers’ sensitive personal information; gain unauthorized access to tax returns or other files stored on devices attached to or making use of routers; engage in covert monitoring of consumers’, and consumers’ children’s, whereabouts; and attempt to download malware masquerading as legitimate security software.

Additionally, the FTC alleges that D-Link misrepresented the strength of the security features of its routers and Internet-enabled cameras, both in its promotional literature and in the user interface.  Notably, the FTC did not allege that any data or security breach had occurred on systems using D-Link’s equipment.

D-Link challenged the FTC’s assertions about its devices’ security in a statement, stating that the agency has only made “vague and unsubstantiated assertions” and that it “will vigorously defend the action”. If the case moves forward in federal district court, it may further test the FTC’s data security authority, similar to the challenges brought by LabMD and Wyndham, where both companies challenged the FTC’s authority to pursue enforcement actions against companies for alleged data security risks. (Readers will recall that the Wyndham case was settled after the Third Circuit held that the FTC’s “unfairness” authority enables it to conduct enforcement actions against companies for having inadequate data security, and that it does not have to set forth specific data security requirements. LabMD’s challenge is ongoing.)

If the case moves forward in federal district court, it may further test the FTC’s data security authority, similar to the challenges brought by LabMD and Wyndham, where both companies challenged the FTC’s authority to pursue enforcement actions against companies for alleged data security risks.

As noted above, the FTC’s interest in companies that manufacture routers, and other Internet-enabled devices for the home, is not surprising. Last year, IoT manufacturers came under heavy scrutiny when a major DDoS attack was perpetrated using the Mirai malware, which looks for IoT devices that have default passwords and exploits them. In the ASUS Complaint, the FTC noted that routers “act as the first line of defense in protecting consumer devices on the local network.” According to the FTC, improved router security leads to improved security for all the devices connected to it; thus, the FTC makes the most of its resources by focusing its investigations on companies that manufacture routers and other “hub” devices.

While the FTC appears to have adopted an aggressive enforcement posture regarding IoT devices, the standard to which it holds D-Link’s security practices is consistent with its prior enforcement action in the ASUS case. For example, both complaints focus on the companies’ alleged failures to protect against vulnerabilities that are well-known or easily preventable (as opposed to expecting that companies should protect against unknown or difficult-to-detect vulnerabilities).

While the ASUS consent decree and D-Link complaint do not provide companies with affirmative guidance on what is, or is not, an “unfair or deceptive” practice, one can reasonably infer what steps companies may wish to take to avoid FTC scrutiny in this area. Three “lessons learned” from the ASUS consent decree and D-Link complaint, are:

  • Use proper authentication protocols – Ensure that any device firmware includes basic security functionality that employs proper user authentication principles. Additionally, the D-Link complaint reminds us that IoT vendors should ensure that the authentication method itself is not compromised; for example, by exposing private keys.
  • Engage in regular testing and remediation –Test for known software vulnerabilities and implement well-known, low-cost security measures to address such risks. The D-Link complaint re-affirms the fact that IoT vendors should be aware of widely known flaws (for example, the FTC cites the list of flaws available on the Open Web Application Security Project), and free security resources that may be available to remediate such flaws.
  • Protect against simple vulnerabilities Do not store user credentials in clear, readable text and do not leave software vulnerable to flaws that would allow remote attackers to gain access. The D-Link complaint re-affirms these basic security principles.

The D-Link case is a clear signal that the FTC intends to scrutinize IoT device manufacturers’ products for security vulnerabilities. Manufacturers can mitigate this risk by paying careful attention to the requirements the FTC has imposed in its consent decrees and keeping abreast of security trends.

 

Please check back soon for updates as this case progresses.