But FTC Has One Month to Amend the Complaint
A federal judge Tuesday dismissed three of six counts in a complaint filed by the U.S. Federal Trade Commission against IoT manufacturer D-Link that alleges the company’s sloppy security practices deceived consumers.
The civil complaint, filed in January in federal court in San Francisco, is one of the most direct challenges by a regulator in a technology area that experts say is plagued by poor security (see FTC vs. D-Link: A Warning to the IoT Industry).
D-Link challenged several parts of the complaint on Federal Rules of Civil Procedure grounds. U.S. District Judge James Donato agreed with some of D-Link’s arguments, but the FTC has until Oct. 20 to amend the counts that were dismissed.
D-Link is represented by Cause of Action, a Washington, D.C.-based group that challenges government regulation. The group hailed Donato’s decision but didn’t acknowledge in a news release that the FTC could amend the counts.
“We are grateful to the court for taking the time to hear the arguments, carefully study the questions presented, and issue a well-reasoned decision on D-Link Systems’ motion to dismiss,” says Michael Pepson, Cause of Action counsel. After the FTC filed the complaint, D-Link called the charges “unwarranted” and “baseless.”
FTC attorneys did not have an immediate comment on whether the agency would file an amended complaint.
D-Link is one of the world’s largest manufacturers of routers, IP surveillance cameras and other internet-connected devices. Those devices have been increasingly targeted by hackers, who have sought to compromise lower-end computing devices for cyberattacks.
In the complaint, the FTC contends the company violated the FTC Act, which addresses deceptive acts and unfair competition. The FTC is asking the court for a permanent injunction that would prevent future violations of the act.
The complaint alleges D-Link marketed its products as secure when many of its devices contain software vulnerabilities and bad design decisions that put consumers at risk.
Donato dismissed count 1, titled “Unfairness,” according to the 10-page ruling. He noted that both parties hotly contested this count. It alleges D-Link failed to “take reasonable steps to secure the software for their routers and IP cameras.” The FTC alleged that D-Link’s actions “caused, or are likely to cause, substantial injury to consumers in the United States.”
But Donato writes that the “FTC does not identify a single incident where a consumer’s financial, medical or other sensitive personal information has been accessed, exposed or misused in any way.”
“The absence of any concrete facts makes it just as possible that DLS’s devices are not likely to substantially harm consumers, and the FTC cannot rely on wholly conclusory allegations about potential injury to tilt the balance in its favor,” according to the opinion.
He also dismissed count 4, “IP camera promotional misrepresentations,” and count 5, “router GUI misrepresentations,” for not meeting civil procedure rules.
The FTC’s complaint is centered around D-Link’s marketing practices. The agency contends that D-Link marketed the routers as secure, but failed to implement proper safeguards.
The complaint cites a list of issues that ring familiar to IoT security watchers: default usernames and passwords and storage of unencrypted login credentials. The agency also contends that D-Link left a private code-signing key on a public website for more than six months. The key could have been used to sign malicious software that would appear to have come from D-Link.
D-Link is one of many IoT manufacturers whose products were attacked by Mirai, a type of malware designed to infect routers, IP cameras and digital video recorders.
Mirai is a worm – the term for self-propagating code – that used a long list of default authentication credentials coded into a variety of IoT products. Experts contend the IoT industry has lagged far behind others in engineering products that reflect prevailing secure coding practices.
Mirai was used to conduct devastating distributed denial-of-service attacks. One of the largest such attacks, against the service provider Dyn, hampered access to websites including PayPal and Spotify in October 2016 (see Botnet Army of ‘Up to 100,000’ IoT Devices Disrupted Dyn).