In a post-Mirai world, the FTC wants more secure routers from D-Link

The Federal Trade Commission filed a lawsuit against D-Link, and experts said the move was likely to push more secure routers in the wake of the Mirai botnet attacks.

A lawsuit filed by the Federal Trade Commission accused manufacturer D-Link Systems Inc. of failing to secure routers for the past 10 years, and experts think the timing of the action may have to do with recent cyberattacks.

The Federal Trade Commission (FTC) asserted that D-Link did not "take reasonable steps to protect their routers and IP cameras from widely known and reasonably foreseeable risks of unauthorized access." The lawsuit claims D-Link didn't patch flaws, used hardcoded login credentials, failed to protect the private key used to sign D-Link software and more.

"As a result of Defendants' failures, thousands of Defendants' routers and cameras have been vulnerable to attacks that subject consumers' sensitive personal information and local networks to a significant risk of unauthorized access," the lawsuit read. "In fact, the press has reported that Defendants' routers and cameras have been vulnerable to a range of such attacks and have been compromised by attackers, including by being made part of large-scale networks of computers infected by malicious software, known as 'botnets.'"

This referred, at least in part, to the recent incident in which a modified version of the Mirai botnet leveraged vulnerabilities in home routers from D-Link and Zyxel to launch denial-of-service attacks, which disrupted service for nearly 1 million Deutsche Telekom customers in Germany.

Tatu Ylonen, CEO of SSH Communications Security, based in Finland, said designing secure routers and internet-of-things (IoT) devices is critical to quelling attacks like this.

"Using hardcoded credentials is like using poisonous chemicals in a toy, or machine designs known to be likely to break and throw off parts that could hit people. Some level of minimum best practice must be followed in the design of internet-connected devices to protect consumers and businesses from predictable harm," Ylonen told SearchSecurity. "We should start with the very basic, and then raise the bar gradually."

Travis Smith, senior security research engineer at Tripwire Inc., based in Portland, Ore., said there was a "lack of incentive for consumers and manufacturers" to fix issues that can be compromised by botnets, so the FTC may be trying to force manufacturers "to take security more seriously."

One reason the FTC could be motivated to nudge manufacturers is companies have very little chance of losing a software liability suit. Cases as far back as the 1970s have handed down rulings that give software developers enormous leeway to disclaim liability to buyers.

Courts have further tended to view the computer as a single entity in a way that didn't explicitly separate the hardware from its software, although that may change, as experts have said IoT will increase legal liability. Debate over software liability has continued to the present day, but not with any marked change in court behavior, at least in the U.S.

Consumers haven't necessarily been holding the legal system's feet to the fire on this issue, either. "When we look at the implications of events such as Mirai, the consumer or manufacturer was not really affected. It was like someone took your car for a joyride while you were sleeping only to return it unharmed when they were done," Smith told SearchSecurity via email. "You may feel a little bit violated that someone was using your belongings, but at the end of the day, you weren't really affected. Until criminals exploit these devices to harm the device manufacturer and/or the device owner, neither will have much incentive to respond to these types of issues."

The lawsuit against D-Link is not the first time the FTC has attempted to improve the security of internet-connected devices. In 2014, the FTC charged electronics company TRENDnet with lax security in internet-connected baby monitors. And, in 2016, the FTC charged ASUS with misleading consumers about its router security features.

Jamison Utter, vice president at IoT cybersecurity firm Senrio, called this latest FTC lawsuit against D-Link "a powerful warning shot to manufacturers of all consumer electronics to pay attention to design and product safety."

"IoT has moved from being merely 'gadgets' to 'essentials.' Now that so much of our infrastructure is dependent on network connectivity, a breach or lapse of service can affect real people's lives. So, what was once seen as a 'bad design' is now a public health concern," Utter told SearchSecurity. "It might be the first in a number of similar motions to help -- not fix -- the growing issues with consumer electronic devices. Certainly interesting they chose D-Link, but I suspect they won't be the last."

Darren Spruell, threat researcher at RiskIQ, based in San Francisco, told SearchSecurity a push like this could help because "commodity network devices are behind the curve in terms of resiliency," and building more secure routers "does not seem to be a priority for manufacturers."

"The result is the same vulnerabilities we face today that impact this equipment are largely the same classes of vulnerabilities that affected the same types of devices one to two decades ago: default credentials, management interfaces exposed to untrusted networks, lack of HTTPS or other secure transport protocols for management in the default configuration, and unbelievably simple -- and avoidable -- remote code execution vulnerabilities in shipped firmware," Spruell said.

Leo Taddeo, CSO for Cryptzone, based in Waltham, Mass., applauded the FTC for more clearly noting how D-Link and other manufacturers can better secure routers.

"The FTC referenced the security standards set by OWASP, such as failing to conduct pen tests against their application and failing to protect their private key," Taddeo told SearchSecurity. "I think this type of specificity would be welcomed by manufacturers.  As it stands today, the security standards for OEM are not clearly defined."

Tim Matthews, vice president of marketing at Imperva, based in Redwood Shores, Calif., said internet service providers, vendors and users all "share a long tradition of disregarding basic security practices when it comes to internet devices."

"The result of this negligence is the existence of millions of hacker-controlled routers used to attack the internet ecosystem and interconnected networks," Matthews told SearchSecurity. "Any device that connects to the internet, including routers, should be manufactured with security in mind. Users should also share responsibility for securing devices, and manufacturers could easily add a step to the setup procedure that mandates a password change from the default state."

However, Spruell said the industry shouldn't consider issues of router security as something new.

"In 2017, we're not really trying to solve a new problem of IoT security; we're still trying to solve an old problem of consumer CPE [customer premises equipment] devices being sold in configurations that are not secure and should not be connected to the internet," Spruell said. "The thing that really has changed is that the average consumer internet bandwidth speed has increased, making attacks more crippling and attackers more efficient at compromising more devices en masse in shorter periods of time. Perhaps in that context, after decades of effort from vulnerability researchers and security firms trying to impact changes, federal intervention is the next step in calling manufacturers to action."

Next Steps

Learn more about the Mirai botnet disrupting Dyn DNS.

Find out how the release of the Mirai botnet code highlighted bad password security.

Get info on IoT security in 2017.

Dig Deeper on Network security