FTC sues maker of routers, baby monitors over security

Cyberattack on Twitter, Netflix, and more may have come from webcams
Cyberattack on Twitter, Netflix, and more may have come from webcams

American regulators are stepping up their crackdown on makers of devices -- like baby monitors -- that can easily be hacked.

On Thursday, the Federal Trade Commission sued D-Link, claiming it lacks security measures in its home internet routers, cameras and baby monitors.

"If your router isn't secure, it exposes your entire home system," FTC Chairwoman Edith Ramirez said in an interview with CNNMoney. "We're trying to convey to companies that security needs to be top of mind. They need to make sure they have reasonable security in place to protect personal information."

It's these types of basic flaws that allowed hackers to infect thousands of devices and create the powerful Mirai botnet that took out a portion of the internet in October.

The lawsuit seeks to force the company to improve its security. It lists "security failures" that plague the company's devices, which are extremely popular with consumers worldwide.

For example, D-Link devices have default passwords that are hard-coded onto the machines -- meaning that they can't be changed. This D-Link problem has been documented by many security researchers. According to the FTC, some D-Link devices also have flaws that serve as backdoors.

These are elementary mistakes that make it extremely easy for a hacker to remotely tap into a person's devices -- then spy on a family's internet traffic, steal their personal documents or even watch their baby.

Gadget makers have been warned to avoid some of these obvious flaws since at least 2007.

"The company failed to take steps to address well-known and easily preventable security flaws," the FTC said in a statement.

The FTC also noted that D-Link made a major blunder when it exposed the company's coveted "signing key" for six months in 2015 on a public website. Tech companies are supposed to jealously guard these powerful keys because they prove that a software update is legitimate. Hackers who manage to grab them can more easily infect devices.

In the lawsuit, regulators accuse D-Link of "promotional misrepresentations" because products are advertised as secure -- although the FTC insists they are not. Even when consumers add security features, the backdoors remain.

According to the FTC, the list of flawed devices includes D-Link's Digital Baby Monitor Day/Night Cloud Camera and Wireless N Network Camera. Also affected are the tube-shaped Whole Home Router 1000 (DIR-645), the flat Wireless N Dual Band Router (DIR-815), small Mobile Wireless Router (DIR-412), and the Wireless N 300 Router (DIR-615).

D-Link, which is based in Taiwan, said in a statement that it "denies the allegations" and would fight back against the U.S. regulator.

The FTC sued D-Link and its U.S. subsidiary in San Francisco's federal court.

The agency has gone after other makers of home routers for similar claims. For example, ASUS settled charges with the FTC in 2016.

These types of simple-yet-damaging technical flaws are rampant in internet-connected devices, especially in routers and cameras. That's part of the reason why criminal hackers can so easily tap into people's home laptops and corporate computer networks.

The FTC's role in protecting American consumers is gaining importance as manufacturers race to connect everyday household items to the internet. Appliance makers are making internet-connected refrigerators and laundry machines the norm.

This week, hundreds of corporations are showcasing internet-connected technology at the CES 2017 in Las Vegas. Future Fords will let an owner remotely start their car by speaking to their Amazon Echo home hubs, which constantly listen to the environment around them.

Yet computer security experts recently warned Congress that gadget manufacturers are increasingly making devices that are easy to hack and control remotely.

"Unchangeable passwords and unpatchable devices create massive externalities and are akin to a public health issue," warned Joshua Corman, director of cyber statecraft for the Atlantic Council.

The head of the FTC told CNNMoney she wants U.S. legislators to draft a law that forces manufacturers to secure their products.

CNNMoney Sponsors