FTC Sues Taiwanese Company Over Router Data Security

By Jimmy H. Koo

Taiwan-based D-Link Corp. and its U.S. subsidiary D-Link Systems Inc. put U.S. consumer privacy at risk by failing to take reasonable steps to secure the wireless routers and webcams they sold, the FTC alleged in a Jan. 5 federal court complaint (FTC v. D-Link Corp., N.D. Cal., No. 3:17-cv-00039, complaint filed 1/5/17).

Companies engaged in the exploding internet of things (IoT) market that produces devices linked to the web have been on notice from commission statements and the insights of attorney analysts that the FTC intended to turn enforcement attention to them this year. The D-Link court filing in the U.S. District Court for the Northern District of California is the first concrete evidence of that focus in 2017.

D-Link Systems President William Brown told Bloomberg BNA Jan. 5 that the company “denies the allegations outlined in the complaint and is taking steps to defend the action.” Brown said that the security of D-Link’s products and the protection of customers’ private data “is always our top priority.”

With the rise of ubiquitous internet connectivity, the number of IoT devices—including routers, webcams and other connected devices—is expected to increase up to 50.1 billion by 2020. In October, cybercriminals took advantage of security vulnerabilities in connected devices to launch a distributed denial-of-service attack that shut down numerous websites, including Netflix Inc. and Twitter Inc., by overloading them with traffic.

Privacy and security attorneys previously told Bloomberg BNA that the FTC will likely turn its attention to data security cases involving IoT in 2017.

Preventable Flaws

According to the FTC’s complaint, D-Link promoted its routers as “easy to secure” and as providing “advanced network security.”

The complaint asserted that the company violated Section 5 of the FTC Act by unfairly treating consumers through lax data security and also by misrepresenting to consumers the security of its products.

However, the FTC alleged that D-Link’s products had many “well-known and easily preventable security flaws,” including “hard-coded” login credentials—such as username “guest” and password “guest”—integrated into the camera software, which could grant unauthorized access to the camera’s live feed. The company’s software also contained a flaw that could allow remote hackers to take control of the routers, the FTC said.

“By using a compromised camera, an attacker could monitor a consumer’s whereabouts in order to target them for theft or other crimes, or watch and record their personal activities and conversations,” the FTC said in a statement.

This isn’t the first time that the FTC has taken action over router data security. In July, the FTC finalized an administrative settlement with Taiwan-based ASUSTeK Computer Inc. over allegations that security flaws in the company’s router put consumers’ home networks at risk.

The FTC is represented by Cathlin Tully. Counsel for D-Link couldn’t be immediately identified.

To contact the reporter on this story: Jimmy H. Koo in Washington at jkoo@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
