D-Link agrees to improve its security in the FTC settlement

by Gabriel E. Hall

D-Link agreed to improve the security of its systems as part of the FTC settlement


The 2017 US Federal Trade Commission (FTC) lawsuit against D-Link has finally reached an end. The US authorities accused the high-profile Taiwanese networking hardware manufacturer of not adequately protecting its devices and of ignoring warnings in reports of the most critical software vulnerabilities.

According to the original complaint published in 2017, D-Link failed on multiple occasions:[1]

Defendants have failed to take reasonable steps to protect their routers and IP cameras from widely known and reasonably foreseeable risks of unauthorized access, including by failing to protect against flaws which the Open Web Application Security Project has ranked among the most critical and widespread web application vulnerabilities since at least 2007.

The actions of the hardware maker put the privacy and online safety of millions of US citizens at risk, as router and camera users all over the country were vulnerable to cyber attacks.

The leading IoT manufacturer was accused of using hard-coded and easily guessable credentials in its camera software, claiming that the hardware was entirely safe from unauthorized intrusions, and storing mobile app login details in plain text, in addition to failing to secure the devices against well-known vulnerabilities.

As a result, D-Link agreed to implement new security measures, as well as to make the necessary changes to its manufacturing, documentation, security testing, and other processes.

Comprehensive Software Security Program will last 20 years

In order to remediate the situation, D-Link was forced to agree to many conditions set by the FTC, including entering the Software Security Program that is set to last for at least 20 years:[2]

IT IS ORDERED that Defendant shall, for a period of twenty (20) years after entry of this Order, continue with or establish and implement, and maintain, a comprehensive software security program (“Software Security Program”) that is designed to provide protection for the security of its Covered Devices, unless Defendant ceases to market, distribute, or sell any Covered Devices.

Some of the new responsibilities of the IoT manufacturer include:

  • Designating dedicated employees to maintain, assess and write the contents of the program throughout the years;
  • Planning security processes and testing software for vulnerabilities before new device releases;
  • Performing threat assessments to identify internal and external risks related to the software inside the devices the company manufactures;
  • Setting up automatic firmware updates;
  • Providing ongoing training for employees and vendors responsible for the development and review of software for the produced hardware, etc.

Additionally, D-Link agreed to undergo extensive audits every two years for the next ten years in order to reach the security compliance certification. The documentation of these audits must also be provided to the US Federal Trade Commission for the next five years.

D-Link embraced the changes and agreed to the settlement 

It is clear that D-Link failed to protect its devices, along with many users, from cyber attacks, and during the past 2.5 years cybercriminals were widely abusing the manufacturer's slip-ups.

In June last year, Satori botnet authors managed to exploit a critical code execution flaw in D-Link devices that were used by Verizon and other ISP users.[3] In July 2018, threat actors managed to steal a D-Link-provided security certificate, which allowed them to push malware to thousands of devices.[4] As a result, hackers could steal passwords and control the device remotely via the backdoor.

D-Link agreed with the settlement, and John Vecchione, the CEO and lead trial counsel for D-Link, expressed the following thoughts:[5]

This case will have a lasting impact and, we hope, positively shape public policy in the important areas of technology, data security, and privacy. The Court's dismissal of the Complaint's 'unfairness' claim for failure to plead actual consumer harm will hopefully refocus FTC's efforts on practices that actually injure identifiable consumers, providing technology companies with additional certainty necessary for permissionless and evolving innovation.

