D-Link to implement comprehensive software security program to settle FTC complaint

Source: D-Link

D-Link Systems reached an agreement to settle the lawsuit filed against it by the Federal Trade Commission (FTC).

In 2017, the FTC sued D-Link for allegedly misrepresenting the security of its devices, including internet routers and internet-connected cameras.

The consumer watchdog argued that the smart home products manufacturer failed to implement reasonable measures to secure its routers and Internet Protocol (IP) cameras. As a result, the company put at risk the sensitive information and privacy of consumers.

According to the FTC, the company did not perform basic secure software development, including testing and remediation to address well-known and preventable security flaws.

In a statement, Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, said, “We sued D-Link over the security of its routers and IP cameras, and these security flaws risked exposing users’ most sensitive personal information to prying eyes.”

“Manufacturers and sellers of connected devices should be aware that the FTC will hold them to account for failures that expose user data to risk of compromise,” he added.

Specific steps to be implemented by D-Link

On Tuesday, the FTC announced that D-Link agreed to implement a comprehensive software security program to settle the lawsuit.

As part of the agreement, the company will take specific steps to make sure that its Internet-connected cameras and routers are secure. It will implement the following:

  1. security planning
  2. threat modeling
  3. testing for vulnerabilities before releasing products
  4. ongoing monitoring to address security flaws
  5. automatic firmware updates
  6. accepting vulnerability reports from security researchers

Additionally, D-Link agreed to obtain biennial, independent, third-party assessments of its software security program for ten years.

Furthermore, under the settlement agreement, the FTC has the authority to approve the third-party assessor selected by D-Link.

The company has the option to have the assessor certify its compliance with the secure product development standard set by the International Electrotechnical Commission, an international standard-setting organization.