The FTC has been keeping a close watch on the Internet of Things since the Internet of Things became a thing to watch. That includes law enforcement actions against companies alleged to have sold vulnerable connected devices that put consumers’ sensitive information at risk. Affected devices could even become – in effect – zombies that do the bidding of malicious botnets that threaten the Internet. The settlement of the FTC’s case against D-Link offers a reminder of both the threats that vulnerable IoT and smart home products pose to consumers and the practices that prudent IoT companies routinely implement.
Connected device seller D-Link promised consumers “advanced network security.” But according to the FTC’s complaint, the company failed Security 101. Vulnerabilities in D-Link routers and Internet-connected cameras left sensitive consumer information, including live video feeds, exposed to third parties and vulnerable to hackers. The complaint alleged that D-Link didn’t adequately test its products for well-known and easy-to-fix security flaws before putting the insecure devices into consumers’ hands and homes. D-Link’s software development shortcomings also failed to identify and eliminate hard-coded login credentials on its camera software that were easy to figure out. (It wouldn’t take a Bletchley Park codebreaker to deduce that it was “guest.”) D-Link also stored login credentials for its app in clear, readable text on users’ mobile devices.
All that will change under the settlement D-Link just signed. The proposed order requires the company to implement a comprehensive software security program, including specific steps to ensure its connected cameras and routers are secure. That means security planning, threat modeling, and testing and remediation before products hit the market. But security for IoT devices is an ongoing process, not a punch list of pre-release tasks. That’s why the proposed order requires D-Link to monitor its products for security flaws, automatically update firmware, and set up a system to accept vulnerability reports from security researchers.
And the FTC will be able to check D-Link’s work. D-Link must get independent, third-party assessments of its software security program every other year for the next decade from an assessor approved by the FTC. What’s more, the settlement requires the assessor to take a deep dive into D-Link’s security practices. He or she can’t just take management’s word for it. The order also spells out procedures to guarantee FTC access to the documents necessary to assess D-Link’s compliance – and to assess the assessor. And similar to other recent settlements, a senior manager must certify every year that the company is in compliance with the order.
In addition, the settlement includes protections for consumers who currently own devices covered by the order. D-Link must automatically push fixes to devices set up to receive them and must provide clear step-by-step instructions to all consumers explaining how to patch their devices themselves.
One notable feature of this order is D-Link’s option to have the assessor certify the company’s compliance with the International Electrotechnical Commission’s standard for the secure product development lifecycle. The order provides that if D-Link gets the necessary IEC compliance certifications, that will meet the requirement of a comprehensive software security program. Of course, that provision is a no-go if D-Link provides misleading information during the audit and assessment process.
What can other Internet of Things companies do to implement safer security practices? For starters, they can consult the FTC’s Start with Security guidance, which advises companies to “Apply sound security practices when developing new products.” A few practical pointers:
- Train your engineers in secure coding.
- Verify that privacy and security features work.
- Test for (and remediate) common vulnerabilities.
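To make the last pointer concrete against the two flaws described above (a hard-coded login such as “guest” in device software, and app credentials kept in clear text on the phone), here is an added example of a pre-release check a vendor could run in its build pipeline. It is not D-Link’s code or the FTC’s; the config and preferences samples are constructed, and the key-naming conventions it looks for are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a camera firmware config with a hard-coded login
# (hypothetical format and contents, not any real vendor's firmware).
FIRMWARE_CONFIG = """\
# camera service settings
stream_port=554
service_user=guest
service_pass=guest
admin_pass_hash=$6$saltsalt$placeholderhash
"""

# Constructed sample of an app's on-device preferences file that keeps the
# account password in clear text (hypothetical, not any real app's file).
APP_PREFS = """\
<map>
  <string name="account_user">alice@example.com</string>
  <string name="account_password">hunter2</string>
  <string name="last_sync">2019-01-01</string>
</map>
"""

# Key names that, by assumption, denote secrets rather than ordinary settings.
SECRET_KEY = re.compile(r"(pass(word)?|pwd|secret|token)", re.I)
# Well-known defaults that should never ship as a working login.
WEAK_DEFAULTS = {"guest", "admin", "root", "password", "1234", ""}

def find_hardcoded_credentials(config_text):
    """Return (key, value, is_weak_default) for secret keys holding a literal
    value. Salted hashes (key ends in _hash or value starts with '$') are
    skipped, since a hash is not a reusable login credential."""
    findings = []
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if not SECRET_KEY.search(key) or key.endswith("_hash") or value.startswith("$"):
            continue
        findings.append((key, value, value.lower() in WEAK_DEFAULTS))
    return findings

def find_cleartext_secrets(prefs_xml):
    """Return names of preference entries that store a secret as plain text;
    a secure app would keep such values in the platform keystore instead."""
    root = ET.fromstring(prefs_xml)
    return [el.get("name") for el in root
            if SECRET_KEY.search(el.get("name", "")) and (el.text or "").strip()]

if __name__ == "__main__":
    print(find_hardcoded_credentials(FIRMWARE_CONFIG))  # service_pass=guest, weak default
    print(find_cleartext_secrets(APP_PREFS))            # ['account_password']
```

A build that returns any finding from either function should fail, which is the kind of test-and-remediate gate the order’s pre-release requirements describe.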
Other tips to consider: the baker’s dozen basics detailed in the FTC brochure, Careful Connections: Building Security in the Internet of Things.