by Paul Rubell, Esq.
Baby monitors, wi-fi routers and security cameras have one thing in common. These devices connect our homes to the Internet. We lock the doors to our houses. We close curtains in our living rooms and bedrooms to avert the gaze of peeping-Toms and criminals. Manufacturers of connected devices including D-Link advertise their built-in security features to demonstrate how their products protect consumers’ privacy. In January 2017 the Federal Trade Commission instituted a lawsuit against D-Link for false advertising. The FTC charged that D-Link’s “security” is weak and leaves consumers’ front doors wide open to hackers and thieves.
Widespread concerns about the insecurity of the Internet of Things spiraled in 2016 when Mark Zuckerberg disclosed that he covers the camera and microphone on his home laptop. If Mark is concerned about Big Brother and criminals snooping into his living room, we should probably all share his concern.
D-Link’s website headlined its IoT products as “EASY TO SECURE” and “ADVANCED NETWORK SECURITY.” The FTC has alleged that D-Link did not deploy even the most basic kinds of privacy features in its camera and router software. As examples, the devices contain hard-wired default usernames and passwords: username GUEST, password GUEST. According to the FTC:
“Hackers could exploit these vulnerabilities using any of several simple methods. For example, using a compromised router, an attacker could obtain consumers’ tax returns or other files stored on the router’s attached storage device. They could redirect a consumer to a fraudulent website, or use the router to attack other devices on the local network, such as computers, smartphones, IP cameras, or connected appliances.”
D-Link’s mobile app is called mydlink Lite. The app requires a user to enter a username and password the first time she deploys the app on a mobile device. After that first occasion, the app stores the user’s login credentials on her mobile device, so that the device keeps her logged on to the app. What’s more, the login information is stored in plain text so that it can be easily and clearly read by anyone snooping on the device.
“subjected consumers to substantial injury. Unauthorized access to sensitive personal information stored on attached USB storage devices, such as financial information, medical information, and private photos and videos, could lead to identity theft, extortion, fraud, or other harm….Consumers had little, if any, reason to know that their sensitive personal information and local networks were at risk.”
Asus’ devices contain a firmware upgrade tool to allow consumers to check whether their routers are using the most current firmware. When consumers click on the “Check” button, the tool indicates that the “router is checking the ASUS server for the firmware update.” However, the FTC found that the tool inaccurately notifies consumers that the router’s firmware is the latest version when in fact newer firmware with critical security updates is available. Asus settled the FTC’s enforcement action and agreed to establish and maintain a comprehensive security program subject to independent audits for the next 20 years.
Technology invites itself into our homes to make life easier and more enjoyable. Tech companies advertise that they add layers of security to protect consumers’ most private information such as finances and the most private places such as their babies’ nurseries and their own bedrooms. Do they? The US government does not think so.