Saturday, January 07, 2017

FTC Takes Action Against Insecure IoT Devices from D-Link

I still love to listen to GRC's Steve Gibson on the program Security Now! A few weeks back, Steve said "The S in IoT is for Security" which made me laugh perhaps far too much. As we discover more with each passing day, it seems there is no Security in the Internet of Things.
All of my readers will be well familiar by now with the Mirai botnet, which has demonstrated the capability to cause enormous DDOS attacks, including the 665 Gbps attack against Brian Krebs and the Dyn DNS Attack which crashed a substantial portion of the US Internet.

Both of these attacks were caused by an assortment of Internet of Things devices that have default vulnerabilities or default userid and passwords that in many cases not only are not reset by the users who install these devices in their homes, but in many cases CANNOT be changed! When several people have asked me what I think the answer was going to be to this problem, I've replied that this seems like a Consumer Protection issue and that I hoped the Federal Trade Commission would intervene. While some companies have issued voluntary recalls, such as XiongMai Technologies of China, who makes many whitebox DVR and IP-connected webcam components that are embedded into devices made by other manufacturers, most are washing their hands of responsibility.
Sample: XM Camera components

XiongMai claims (in a Chinese press release) that in their case the widely abused telnet problem was fixed in April of 2015, but they already had many million devices installed before that date.  Their letter to the Chinese Ministry of Justice about the issue is on the same link.

The FTC's Carrot 

The FTC seems to be taking a Carrot and Stick approach. The Carrot came first.  First, all the way back in November of 2013, the Federal Trade Commission held a special Workshop on Security & Privacy in the Internet of Things, gathering formal comments (including tweets) about the presented materials.  This led to their release in January of 2015 of a 71-page report "Internet of Things: Privacy and Security in a Connected World", as well as a 12-page report for IoT system designers called "Careful Connections: Building Security in the Internet of Things"

The FTC is also offering a $25,000 prize in a contest they are calling the IoT Home Inspector Challenge for the best idea on how to remediate the millions of vulnerable devices currently being abused on the Internet.    The competition will officially launch in March 2017 and run through July 2017.

But as warned about in the Jan 2015 report, the FTC also has a stick.  And D-Link just became the next to get hit with it!

The FTC's Stick: D-Link Gets Hit

The FTC released a trio of news announcements about the lawsuit that they filed in California against D-Link:

This first article focuses on the fact that D-Link knew how important security was to their consumers, and they took extra effort to stress the security of their devices in their advertisement.  FTC reporter Leslie Fair says: 

"D-Link Corporation and D-Link Systems, Inc., develop and sell routers, IP cameras, baby monitors and other products designed to integrate consumers’ home networks. If the company’s ads are any indication, D-Link was well aware of consumers’ concern about keeping those networks secure. Promising “Advanced Network Security,” D-Link’s promotional materials assured buyers that their routers “support the latest wireless security features to help prevent unauthorized access, be it from a wireless network or from the Internet.” Other ads touted a D-Link product as “not only one of the finest routers available, it’s also one of the safest.” Even the package for D-Link’s Digital Baby Monitor featured a lock icon with the phrase “Secure Connection” next to a picture of an adorable baby. The company repeated many of those security promises in the interactive interfaces consumers used to set up their D-Link products."

This article says that the lawsuit is primarily because D-Link failed to take "reasonable steps to prevent well-known security flaws."  Some examples listed include:

  • D-Link allegedly hard-coded login credentials into D-Link camera software that could allow unauthorized access to cameras’ live feed.
  • D-Link allegedly left users’ login credentials for its mobile app unsecured in clear, readable text on consumers’ devices.
  • D-Link allegedly mishandled its own private key code used to sign into D-Link software and as a result, it was publicly available online for six months.
  • D-Link allegedly failed to take reasonable steps to prevent command injection, a known vulnerability that lets attackers take control of people’s routers and send them unauthorized commands.
2. FTC sues D-Link over router and camera security flaws 

In this article, Consumer Education Specialist, Ari Lazarus, offers some tips to consumers for before and after they buy their router:

  • Before you buy or replace a device, do research online. Use search engines to find reviews, but be skeptical about the source of the information. Is it from an impartial security expert, a consumer, or the company itself?
  • Download the latest security updates. To be secure and effective, update the software that comes with your device. Check the manufacturer’s website regularly for new software and updates.
  • Change your pre-set passwords. Change the device’s default password to something more complex and secure.

This is the main report of the legal actions taken by the FTC against D-Link, with links to all filed documents, including the 45 page FTC Complaint for Permanent Injunction and Other Equitable Relief, with a 14 page complaint, followed by thirty pages of supporting documentation, including pictures of packaging and marketing claims that promise security.

The complaint alleges that the company failed to take steps to address "well-known and easily preventable security flaws" and gives several examples (which I provide context for in the links for each):

  • "hard-coded" login credentials in D-Link camera software, often the "guest/guest" userid and password (these devices were among those targeted by the Mirai botnet)
  • a software flaw known as "command injection" that allow hackers to execute unauthorized commands on D-Link routers (see for example CVE-2015-2049, CVE2015-2050, CVE-2015-2051) - security researcher Pierre Kim advised consumers to throw the security-flawed DWR-932B router in the trash, after documenting 20 known vulnerabilities.
  • mis-handling of a private key code used to sign in to D-Link software, leaving the code on a publicly accessible website for more than six months (as discussed in Ars Technica in September 2015)
  • leaving users' login credentials for D-Link's mobile applications unsecured in clear, readable text on their mobile devices, even though there is free software available to secure the information (this refers to the "mydlink Lite" app
mydlink Lite mobile app stored userid and pass in plaintext on mobile device


 The actual complaint says that the FTC is bringing suit "to obtain permanent injunctive relief and other equitable relief against Defendants for engaging in unfair or deceptive acts or practices in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), in connection with Defendant's failure to take reasonable steps to secure the routers and Internet-protocol cameras they designed for, marketed, and sold to United States consumers."

We'll have to wait to see what the outcome of this suit will be, however in other IoT cases, the defendant has settled.

Other Actions of FTC Swinging Its Stick

 The action against D-Link is the third taken by the FTC.  

In February of 2016, the FTC announced a settlement with ASUS over their deceptive and misleading conduct related to the security of their routers.  In the FTC complaint against ASUS
, the FTC points out that ASUS claimed their routers offered "SPI intrusion detection" and "DoS protection" and that its routers could "protect computer from any unauthorized access, hacking, and virus attacks."  But 918,000 of those routers had a userid and password of "admin/admin" and the AiCloud and AiDisk features were full of vulnerabilities that put the advertised "secure cloud storage" data at risk.  ASUS agreed to submit voluntarily to security audits FOR THE NEXT TWENTY YEARS as part of their settlement.

In February of 2014, TRENDNET, a company that makes IP-connected webcams, advertised that their cameras were secure,  claiming that their Direct Video Stream Authentication setting would secure their video streams if they set a personal userid and password, rather than using the default passwords.  Hackers quickly showed that they could access every TRENDNET camera and view their live video streams, without any userid or password being provided.  The FTC settlement required TRENDNET to contact all customers to let them know about a security patch that would correct the situation, and require them to provide two years of technical support.

No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.