Internet of things producer D-Link promised to undertake more-advanced security measures in the FTC settlement
D-Link, the well-known company that produces wireless routers, cameras, and other products, now has to follow a new set of rules set by the US Federal Trade Commission (FTC). D-Link is committed to performing regular equipment check-ups for at least two decades after signing the agreement with the FTC. The organization will also need to create a security plan for the upcoming 20 years to ensure full security of its products:
IT IS ORDERED that Defendant shall, for a period of twenty (20) years after entry of this Order, continue with or establish and implement, and maintain, a comprehensive software security program (“Software Security Program”) that is designed to provide protection for the security of its Covered Devices, unless Defendant ceases to market, distribute, or sell any Covered Devices.
In the original complaint in 2017, D-Link was accused of not providing comprehensive security features in its products:
- failing to react to experts' warnings about well-known vulnerabilities.
- using hard-coded credentials inside the software.
- making false claims that the company's gadgets are entirely safe to use.
All of these failures have been described as harm done to the customers' rights.
The Comprehensive Software Security Program
Ensuring proper security measures in the future is not the only obligation D-Link has to meet, however. The Comprehensive Software Security Program that the company is enrolled in is explicitly designed to be documented. Additionally, updates on the progress, as well as lab test results on the most recent vulnerabilities, must be provided to the FTC at least once a year.
According to the statement released by the United States Federal Trade Commission, D-Link will also need to ensure that experienced, reliable, and adequately trained staff take care of the work, and that regular flaw testing is carried out for each new product.
Additionally, D-Link will have to undergo extensive third-party security audits for the next ten years, and the auditor will be chosen by the FTC. However, the hardware maker will get to choose which certifications the auditor must acquire before the audit is allowed to take place.
FTC lawsuits are filed to prevent future cybersecurity attacks, and hardware manufacturers should take that into consideration
The director of the US Federal Trade Commission claims that when releasing equipment to the world, each company needs to be 100% sure that claims about the products' safety are reasonable; otherwise, the security of millions of citizens can be compromised. However, there were some arguments with D-Link, as the organization claimed that no direct harm was caused to its clients. The company has strong beliefs in its security systems and software.
Finally, both sides came to a compromise that crucial security steps will be taken to ensure that no damage or harm to customers will occur in the future. While the FTC is looking forward to convincing the world about the comprehensive security, D-Link is looking at this as an opportunity to strengthen and develop its safety systems.
However, D-Link's failures in implementing security measures did not go unnoticed by cybercriminals. Researchers claim that a hacker group has been noticed spreading the Satori Internet-of-Things botnet via the software and pushing it to subscribers of Verizon and similar services. Other similar incidents led to credential theft and malware injection on the targeted systems.