Ensure your IoT devices are secure, or face the consequences. That’s the message the Federal Trade Commission is sending to hardware manufacturers. In the aftermath of an ever-increasing number of attacks launched from compromised IoT devices such as routers and cameras, the FTC’s Bureau of Consumer Protection has targeted companies including TRENDnet, ASUS, and, most recently, D-Link.
Back in 2013, the FTC settled its very first action against a manufacturer of IP-enabled consumer products, TRENDnet. TRENDnet’s SecurView cameras were widely used by consumers for a range of purposes, including home security and baby monitoring. By their product name alone, these cameras were marketed as “secure.” The FTC accused TRENDnet of a number of failings, including:
- Failing to use reasonable security to design and test its software
- Failing to secure camera passwords
- Transmitting user login credentials in the clear
- Storing consumers’ login information in clear, readable text on their mobile devices
In January 2012, a hacker exposed these flaws and made them public, and links to almost 700 live camera feeds were posted and freely available on the internet. Those feeds included babies sleeping in their cribs.
The FTC fired another shot across the bow of consumer IoT manufacturers when it filed a complaint against ASUSTeK Computer, Inc. This time, the security of the company’s routers was questioned. ASUS had marketed its consumer line of routers with claims that they would “protect computers from any unauthorized access, hacking, and virus attacks” and “protect the local network against attacks from hackers.” However, the FTC found several flaws in the ASUS products, including:
- Easily exploited security bugs in the router’s web-based control panel
- Shipping every router with the same default login credentials (admin/admin) and allowing consumers to retain them
- Vulnerable cloud storage features, AiCloud and AiDisk, that exposed consumers’ data and personal information to the internet
In 2014, hackers used these and other vulnerabilities in ASUS routers to gain access to over 12,900 consumers’ storage devices.
Now, in 2017, the FTC has targeted D-Link Corporation, a well-known manufacturer of consumer and SMB/SOHO networking products. This complaint alleges that D-Link has “failed to take reasonable steps to secure its routers and Internet Protocol (IP) cameras, potentially compromising sensitive consumer information including live video and audio feeds from D-Link IP cameras.”
The FTC complaint goes on to describe how D-Link promoted the security of its devices in marketing and advertising with phrases such as “easy to secure” and “advanced network security,” and then alleges several issues:
- Hard-coded login credentials (guest/guest) in D-Link camera software
- Software vulnerable to command injection that could enable remote control of consumers’ devices
- Mishandling of a private code-signing key, which was openly available on a public website for six months
- User login credentials stored in clear, readable text on consumers’ mobile devices
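The command-injection item above is the one flaw in the list that can be shown in a few lines of code. The example below is added here and is not D-Link’s firmware or anything from the FTC complaint; it is a constructed model of a common pattern in embedded web panels, where a diagnostic page takes a hostname from the user and passes it to a shell command. The vulnerable handler interpolates the input into a shell string; the hardened handler validates the input against a strict allow-list and executes the program with an argument list, so the shell never parses user data. `echo` stands in for `ping` so the block runs offline; the function names and the `;` payload are assumptions for illustration.

```python
import re
import subprocess

# Simplified stand-in for a router "diagnostics" page handler.
# A real device would run something like: ping -c 1 <host>
# We use echo so the example runs anywhere without network access.

def vulnerable_diag(host: str) -> str:
    """Vulnerable: user input is interpolated into a shell command line.
    Any shell metacharacter (; | && $(...) `...`) in `host` is executed."""
    cmd = f"echo pinging {host}"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout


# Allow-list for hostnames / IPv4 / IPv6 literals: letters, digits, '.', '-', ':'.
# Anything else (spaces, ';', '|', '$', quotes, ...) is rejected outright.
_HOST_RE = re.compile(r"^[A-Za-z0-9.\-:]{1,253}$")


def validate_host(host: str) -> str:
    """Return the host unchanged if it matches the allow-list, else raise."""
    if not _HOST_RE.fullmatch(host):
        raise ValueError(f"invalid host: {host!r}")
    return host


def hardened_diag(host: str) -> str:
    """Hardened: validate first, then pass an argv list with shell=False.
    The input becomes a single argument to echo and is never parsed by /bin/sh."""
    host = validate_host(host)
    out = subprocess.run(["echo", "pinging", host],
                         shell=False, capture_output=True, text=True)
    return out.stdout


def injected(output: str) -> bool:
    """Helper for the demo/test: did the attacker's marker command run?"""
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    # Constructed attacker input: a valid-looking target followed by a second command.
    payload = "192.0.2.1; echo INJECTED"

    print("vulnerable:", repr(vulnerable_diag(payload)))   # second command executes
    try:
        hardened_diag(payload)
    except ValueError as e:
        print("hardened rejected input:", e)                 # never reaches the shell
    print("hardened, benign:", repr(hardened_diag("192.0.2.1")))
```

The allow-list is deliberately stricter than what a hostname RFC permits; on an embedded device the safer default is to reject anything unusual rather than to try to escape it. Note also that the argument-list form alone is not a complete fix: without validation an attacker could still pass an argument such as `-f` that the target program interprets as an option, which is why the check runs before the call.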
The severity of an exposed and vulnerable router is amplified by the fact that the router is a home network’s primary means of defense. Once it is compromised, everything behind it is potentially exposed to the attacker; as the FTC emphasizes, this could lead to computers, smartphones, IP cameras, and IP-enabled appliances being attacked in turn.
The DDoS Landscape
According to Akamai’s quarterly State of the Internet report, DDoS attacks continue to flourish and evolve as a primary means of attacking both consumers and businesses. In Q4 2016, there was a 140 percent increase in attacks greater than 100 Gbps, a 22 percent increase in reflection-based attacks, and a 6 percent increase in Layer 3 and 4 attacks. At the application layer, a 44 percent increase in SQL injection attacks was observed over the same period, further evidence that attacks are moving ever upward in the stack.
Not surprisingly, the United States continues to be the largest source of these attacks, accounting for approximately 28 percent of global web application attacks in Q4 2016. As IoT devices continue to proliferate at exponential rates, and companies like TRENDnet, ASUS, and D-Link fail to secure them, these numbers may only increase.
There is hope, however, that organizations like the FTC can send a strong message to device manufacturers in the coming months as they continue to identify and hold accountable the companies that fail to protect consumers, and the rest of us, from exposed and vulnerable devices.
Do you feel the FTC and FCC (or other government organizations) should be more or less involved in the enforcement of IoT security?