Friday, January 06, 2017

Notes about the FTC action against D-Link

Today, the FTC filed a lawsuit[*] against D-Link for security problems, such as backdoor passwords. I thought I'd write up some notes.

The suit is not "product liability", but "unfair and deceptive" business practices for promising "security". In addition, they interpret "security" different from the cybersecurity community.

This needs to be stressed because right now in our industry, there is a big discussion of product liability, insisting that everything attached to the Internet needs to be secured. People will therefore assume the FTC action is based on "liability".

Instead, all six counts are based upon the fact that D-Link offers its products for securing networks, and claims they are secure. Because they have backdoor passwords, clear-text passwords, command-injection bugs, and public private-keys, the FTC feels the claims of security to be untrue.

The key point I'm trying to make is that D-Link can resolve the suit (in theory) by simply removing all claims of "security". Sure, it can claim it supports stateful-inspection firewalls and WPA2, but not things like "WPA2 security". (Sure, the FTC may come back with a new lawsuit -- but it would solve the points raised in this one).

On the other hand, while "deception" is the law the FTC uses, their obvious real intent is to improve security. They intend for D-Link to remove it's security weakness, not to change its claims. The lawsuit is also intended to scare all IoT makers into securing their products, not to remove claims of security.

We see this intent in other posts on the FTC website. They've long been talking about IoT security. Recently, they announced a contest giving out $25,000 to the best solution for patching out-of-date IoT devices [*]. It's a silly contest, but shows what their real intent is.

Thus, the language of the lawsuit is very much about improving security, while the actual counts are about unfair/deceptive practices.

This is nonsense for a number of reasons. Among their claims is that D-Link lied to their customers for saying "you need to change the default password to secure the device", because the device still had a command-injection bug. That's a shocking departure from common sense. We in the cybersecurity community repeatedly advise people to change passwords to make devices more secure, ignoring any other insecurity that might exist. It means I'm just as deceptive as D-Link is.

The FTC's action is a clear violation of "due process". They didn't create a standard ahead of time of bugs that it would consider making a product "insecure", but instead arbitrarily punished D-Link for not meeting an unknown standard "secure". They never published a document saying "you can't advertise your product as being 'secure' if it contains this list of problems".

More to the point, their idea of "secure" is at odds with the cybersecurity community. We would indeed describe WPA2 as secure, regardless of some other feature of the device that makes it insecure. Most IoT devices are intended to be used behind a firewall anyway, so the only attack surface is the WiFi network. In such cases, the device can have backdoor passwords up the ying-yang, and we in the cybersecurity community will still call this "secure".

This is important because no product will ever be perfectly secure. Ten years from now, hackers will still discover some bug in some IoT product that nobody considered before, and the FTC will come down on them and punish them for deceptive practice. This is also counterproductive to the FTC's goals: if they are going to be so unfair about it, they are going to create incentives for companies to produce the wrong solution, to stop advertising their products as "secure".

The consequence of this action against D-Link is that the FTC is going to create an enormous chilling effect on innovation. As apps and IoT devices proliferate, the FTC is going to punish those on the forefront creating new and innovative products. At the same time, it's going to have little impact on actual security. They'll raise the price of brand-name products, while still being unable to target the white-box/no-name products that contain most of the vulnerabilities.

D-Link's makes a standard claim that we always make in the security industry:

...and then the FTC sues them for it.

1 comment:

mark said...

Hello friends U Need Any Help on hacking for the following try i have used him so many times and he never fails me he is the best hacker i have ever employed . Thank me later.

*Cheating Spouse *University grades changing *Bank accounts hack *Twitters hack *email accounts hack *Grade Changes hack *Website crashed hack *server crashed hack *Retrieval of lost file/documents *Erase criminal records hack *Databases hack *Sales of Dumps cards of all kinds *Untraceable Ip *Individual computers hack *Websites hack *Facebook hack *Control devices remotely hack *Burner Numbers hack *Verified Paypal Accounts hack *Any social media account hack *Android & iPhone Hack *Word Press Blogs hack *Text message interception hack *email interception hack