D-Link sucks so much at Internet of Suckage security – US watchdog

America's trade watchdog is suing D-Link, alleging the router and security camera vendor failed to implement basic security protections in its gear. The FTC said that its complaint was based on D-Link's failure to take "reasonable steps" to secure its products, putting the privacy of citizens everywhere at risk as a result. " …

  1. Hans 1
    Mushroom

    WTF

    > "D-Link denies the allegations outlined in the complaint[...]"

    Well, you can deny all you want; fancy a list of CVEs? The vulns have been published, no denying, sir, get your act together!

    1. Voland's right hand Silver badge

      Re: WTF

      Complaint is not on CVEs. Complaint is regarding misrepresentation - Dlink is presenting its products as secure while, as we all know, they leave a lot to be desired in that area.

      1. VinceH

        Re: WTF

        But surely, the combination is what matters: Where any published advertising claims "Secure!" and there are any published CVEs for the advertised product, that is evidence that the advertising is a misrepresentation.

      2. flibble

        Re: WTF

        "Complaint is not on CVEs. Complaint is regarding misrepresentation"

        The complaint does (essentially) cover CVEs /as well as/ misrepresentation.

        To quote 'Count 1' from the actual court filing (linked from the article):

        "In numerous instances, Defendants have failed to take reasonable steps to secure the software for their routers and IP cameras, which Defendants offered to consumers, respectively, for the purpose of protecting their local networks and accessing sensitive personal information."

        1. Anonymous Coward
          Anonymous Coward

          Re: WTF

          FTC should be going after all other Mfrs as well. They're just as guilty!

          1. asdf

            Re: WTF

            >FTC should be going after all other Mfrs as well. They're just as guilty!

            Unless, at least for routers, they open up their hardware so that open source firmware can be written for it (which IT people on here should always check first before buying a router anyway; even if you want to play stock roulette, it's good to have the option). Sadly the US government seems intent on moving in the opposite direction.

      3. Tom Paine

        Re: WTF

        On that basis, no software should ever be advertised as "secure".

        ...

        On reflection, that's a pretty good idea. "product X is less insecure than Product Y" would be permissible, but "secure-ness" is not a binary state, and is never absolute.

  2. Ralph B

    Sympathy for the Devil

    I'd imagine it's rather a no-win situation for D-Link. They've probably got one set of three letter agencies telling them to put the security holes in and now another one suing them for doing so.

    And it's not as if they even enjoy Cisco's profit margins for doing it.

    1. Jim Cosser

      Re: Sympathy for the Devil

      I'd be really surprised if the weaknesses that are public with the D-Link products are forced on them by government organisations. I suspect Occam's razor: it's more likely a lack of focus on security.

      Why bother forcing someone if there are plenty on the table just through incompetence?

      1. Voland's right hand Silver badge

        Re: Sympathy for the Devil

        I suspect Occam's razor,

        More likely Hanlon's razor: "Never attribute to malice that which is adequately explained by stupidity."

        In the specific case of D-Link it is: "Never attribute to malice that which is adequately explained by outsourcing." D-Link does not write any of the software for its devices. It does not do hardware either. It slaps a label on something built to a spec defined by marketing. This approach looked quite cute 10 years ago as it allowed them to cut costs and let go all those pesky engineers located in high cost locations. Well, I am not sure it looks cost effective any more. Lawsuits from the likes of the FTC and compliance with consent decrees mandated by the likes of the FTC cost way more than any cost savings from not having your own engineering.

        Not taking into account a possible tactical nuke from FTC is even worse as it opens you up to fiduciary duty/FEC strategic nuke.

    2. Sandtitz Silver badge
      Meh

      Re: Sympathy for the Devil

      They've probably got one set of three letter agencies telling them to put the security holes in and now another one suing them for doing so.

      Unlikely.

      D-Link is a Taiwanese company. While that doesn't exclude ties to TLAs, keeping things like these under wraps for years/decades is just impossible since some hw/sw engineers would eventually sell the secrets to other agencies or just send the evidence to Wikileaks or reputable newspapers for them to publish it. That would be damn costly for D-Link.

      D-Link is also just one of many home/smb networking manufacturers and the TLAs would need to pay off so many companies that the truth would surface even sooner. (and cost a lot more for TLAs in bribes)

      I've had the "pleasure" of working with D-Link gear every now and then for close to two decades now and the company has never been the paragon of security. More likely TLAs can just tap into the security holes than command D-Link to produce them.

      The only products I'd consider from them would either be non-configurable devices (L2 switches, antennas etc.) or if the firmware can be replaced with DD-WRT or similar.

      1. Anonymous Coward
        Anonymous Coward

        Re: Sympathy for the Devil

        D-Link has strived to close any issues found in there products as fast as they can. Linksys and Netgear aren't bastions of safety and security and they have a long bad history than D-Link has.

        I work with D-Link products everyday and there products are solid and safe. Never have had any issues on this front.

        1. Trevor_Pott Gold badge

          Re: Sympathy for the Devil

          Pull the other one, it's got bells on.

        2. Dan 55 Silver badge
          Headmaster

          Re: Sympathy for the Devil

          "I work with D-Link products everyday and there products..."

          If there's one thing worse than an astroturfer, it's one who can't even get the grammar right.

        3. redpawn

          Re: Sympathy for the Devil

          djzoey,

          Are they safe by virtue of sitting in a well lit room, regularly cleaned and in a locked building, or are they safe because you don't plug them in?

        4. Lotaresco

          Re: Sympathy for the Devil

          "I work with D-Link products everyday and there products are solid and safe. "

          Hmm well they may be safe there, wherever "there" is, but here they are buggy, fragile and useless. I've got a shoebox full of failed D-Link products and none at all working. All the Draytek products bought at the same time still work reliably.

    3. Ian Michael Gumby
      WTF?

      @Ralph B Re: Sympathy for the Devil

      I'd imagine it's rather a no-win situation for D-Link. They've probably got one set of three letter agencies telling them to put the security holes in and now another one suing them for doing so.

      Uhm, do you realize that this is a Chinese company ... actually Taiwanese.

      Not sure how much pull a US based 3 letter agency has with a foreign government...

      1. Anonymous Coward
        Go

        Re: @Ralph B Sympathy for the Devil

        Uhm, do you realize that this is a Chinese company ... actually Taiwanese.

        Not sure how much pull a US based 3 letter agency has with a foreign government...

        Taiwan's existence is utterly dependent upon the US Government, since China regards it as Chinese territory, so the Taiwanese Government is probably even more craven than the Brits when it comes to US requests. If the Americans lost interest in Taiwan even for a couple of days, "Taiwan, Province of China" would become a stark, and rather bloody, reality instead of just the official United Nations name for the country.

  3. Martin hepworth

    test case?

    Probably a test case before they start on others, as D-Link are no worse or better than many other manufacturers in my experience.

  4. BebopWeBop

    A good start, but a long way to go

  5. BinkyTheMagicPaperclip Silver badge

    DLink are a bit shit? Oh, *such* a surprise!

    DLink have always been third rate re-badgers of generic chipsets with near zero effort on their part. They occasionally release a decent product by accident (based on a more quality chipset they can't break themselves). Their only advantage is that they're cheap.

    They're a bare fraction above unknown Chinese manufacturers.

  6. Wolfclaw

    Dum-link products are just tacky trash and I hope the FTC hit them big style in the wallet, only way for manufacturers to get their acts together.

  7. Robert Helpmann??
    Flame

    They don't even talk a good game

    "D-Link denies the allegations outlined in the complaint and is taking steps to defend the action. The security of our products and protection of our customers private data is always our top priority."

    When someone starts out with claims that customers always come first, the opposite is typically the truth. Let's turn the page back a few days to another El Reg article: 414,949 D-Link cameras, IoT devices can be hijacked over the net. I wonder how many Krebs had pointed at him during his last DDoS attack.

    1. Anonymous Coward
      Anonymous Coward

      Re: They don't even talk a good game

      Translation: "The [financial] security of our products[' revenue] and the protection of our customers['] private data[, e.g. credit card numbers, continuing to providing said revenue] [are] always our top priorit[ies]."

      So the problem isn't the security flaws, it's that the public found out about them. In that light, the attack on Krebs actually supported their "top priority". Aside from the Streisand effect.

      </tinfoil hat>

  8. Anonymous Coward
    Stop

    http://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10069

    All other Mfrs are just as guilty! Netgear is currently having security issues and has a bad history of it.

    Other major router mfrs also use 3rd party internals and chip sets as well. D-Link uses Broadcom and I don't think Broadcom is categorized as "generic." Neither is Qualcomm.

    I wouldn't say that 30 years in business should be called "zero effort."

    D-Link make good solid products.

    1. Frank Marsh
      FAIL

      D-Link needs to pay its astroturfers better

      djzoey: I might have accepted that your personal experience with D-Link products has been good. But when you join the forums solely to post 3 times on the glory of D-Link, you outed yourself.

      How much would D-Link have to pay so that you took the time to at least create a few posts on other stories? And maybe to think through your posts, so that the shilling for D-Link was just a little less transparent...

      1. Anonymous Coward
        Anonymous Coward

        Re: D-Link needs to pay its astroturfers better

        Good call! That guy is astroturfin' like crazy.

        I have a couple of their products. The tiny Ethernet switch is pretty harmless, but the security camera I picked up on sale was a known threat, which was why it was so cheap. I never let it on the open Internet, I keep it up to date (as if that even helps), and it only writes to the SD card, never to their questionable cloud service. I find them slightly worse than the rest of the players in their market, but they have their uses, if you don't go nuts and try and use their cloud, they have some okay cheap gear for the home network. But security is not "job one" over there. :)

      2. Anonymous Coward
        FAIL

        Re: D-Link needs to pay its astroturfers better

        Well I would post more on these articles, and not Forums since is are articles. However these articles and this new site seems vary biased against Mfrs and anyone trying to play the devils advocate here. Which leads me to believe that most of you and by looked at how you post and "grammar and typing" have zero knowledge and experience on what goes one behind the scenes of Mfr'g and how routers really work. However this is only one minor site and regardless of whats said here. Things move on and life goes on. I'm sure that everyone including D-Link and ALL the other Mfrs will have lessons learned. It's not biggy for me. I post when and where I choose and bring additional information to the table, where good or bad. I'm not biased either way. If you think I'm a AstroTurfer then cool. You can say the same about yourselves and this site. We call them trolls here. Doesn't bother me. Seems to bother you that someone posts there opinion that doesn't agree with you. Truth hurts sometimes.

        Enjoy and have a great evening.

        1. redpawn

          Re: D-Link needs to pay its astroturfers better

          djzoey,

          You might get more sympathy if you were promoting the clubbing of baby seals.

          Playing the devil's advocate is one thing but shilling for a company that has sh*t for security and little regard for its customers is another. The fact that there are other companies which are also sh*t does not in any way excuse D-Link.

        2. Trevor_Pott Gold badge

          Re: D-Link needs to pay its astroturfers better

          Hi, djzoey. My day job is working with vendors. Normally, I write marketing content for them. You know, whitepapers, blogs, technical marketing content, or channel-facing stuff like sell sheets or training. Some of this leads into consulting with the customers, often spanning the whole of the organization.

          On the side, I write for technology magazines (including The Register), and have a tech consulting business where I am the systems administrator for a number of clients. (Keeps me honest if I actually have to work at the coalface from time to time!) I even write software.

          Among the software I have written is code for embedded systems. These include (but are not limited to) switches and routers. I have even been responsible for packaging my code along with a standardized switching or routing operating system (both Linux and VxWorks) and creating firmware images, along with QA, bug fixing and more.

          I thusly submit my experience as someone who has greater than "zero knowledge and experience on what goes one behind the scenes of Mfr'g and how routers really work". I won't speak for any of the other commenters directly, but I suspect many have equal or greater experience.

          As a D-Link customer, I have become appalled by how D-Link handles updates. As someone who operates in the broader IT industry at multiple levels, I'm not just appalled at how D-Link handles updates, I'm furious at what I believe to be criminal negligence on D-Link's part that has affected not just the millions of D-Link customers, but potentially billions of individuals via second-order effects related to the compromise of D-Link products as a result of the aforementioned negligence.

          As a consultant, I am horrified by the business decisions made and I believe they will ultimately be hugely detrimental to D-Link. As a channel partner, I'm terrified by what D-Link's decisions mean in terms of shifting a truly abominable support burden to the channel partner. As an IT marketing writer, I'm saddened by pretty much everything you have written in this thread.

          The real question that needs to be asked is - despite your assertions - will D-Link learn from this? And if so, what will they learn?

          Register readers will, I'm sure, be nearly unanimous in what we hope that D-Link will learn. Regulatory entities and security professionals are pretty up front about what they want D-Link to learn. But D-Link themselves? I personally have my doubts that A) they're corporately capable of learning lessons and B) they give enough fucks to do so.

          The time where the security of unattended computers (from switches and routers to more modern "internet of things" devices) can be blatantly neglected is coming to a sharp end. The problems now affect so many people that the ongoing criminal neglect of IT vendors has attracted regulatory attention. This is becoming a politically important issue requiring regulatory intervention to resolve.

          Now, I don't know if you've noticed, but when politicians have to regulate something they don't understand, they tend to be pretty damned heavy handed about it. The wrist slap D-Link is going to get from the FTC is irrelevant. You and I both know they don't have the ability to hit D-Link for enough to matter in the medium term. D-Link doesn't care about the FTC's intervention, and from a purely business sense, nor should it.

          But the FTC intervention heralds something far more damning for D-Link: the cautious gaze of wary elected officials, in the USA and everywhere else. If D-Link (and the other vendors) don't get their houses in order, the FTC slapdown will be but the first of a series of increasingly more uncomfortable regulatory interventions, ultimately resulting in crushing new regulations that will drive commodity vendors whose business model is built on peddling shit without support out of business.

          Thus, being perfectly clear about this: D-Link has three choices: shut down the company and return all the money to shareholders, get pummeled into oblivion by increasingly punitive fines and eventually obliterated by regulation, or start properly supporting the things you sell.

          You choose. Choose wisely.

          Now, if you want to call me a "troll" for saying the above, that's fine. But I think we'll leave it to the reader to decide if I have the experience necessary to make the analysis I just emitted believable.

    2. Trevor_Pott Gold badge

      @djzoey

      I use D-link products. A lot. I live in the SMB space, and for a long time D-link was all they could afford. And I must say: you're full of shit.

      Are D-link reliable (within limits), and relatively long-lasting? Yes. The problem is that D-link is worse about updates than an Android phone manufacturer.

      If all you want is a modest device that performs the advertised duties as of the date of manufacture, you're good. Thing is, that isn't good enough, and hasn't been since the 90s.

      At a *bare minimum*, security flaws need to be patched, and they just aren't. Beyond that, D-link should continue updating the firmware of a given device until they are ready to retire the model. This is where D-link's customer-hostile policies really shine through.

      Take, for example, the DGS-1216T. It comes in two hardware versions: A and D. Version A has a terrible firmware that is not only bug-ridden, it can't even do basic VLANs properly! Version D, however, had the ability to upgrade to a new firmware that enabled basic functionality (like VLANs). Massive - massive - feature gap, but both hardware revisions are called the same model!

      So here you might be a small business, with a bunch of DGS-1216T units deployed, and learn that at some point in the future you need to start using VLANs. You log into one of your DGS-1216T units, find out that it's possible to use, and set about making the rest of your IT purchases based on the assumption that all is well.

      Then, at deployment time, you go to log into your switches to enable VLANs across the fabric and, lo and behold, not all the DGS-1216T units have the same functionality, nor is there firmware to bring them to feature parity. Well, shit.

      And that - that right there - is what life with D-link is like.

      Product neglect. Rampant product neglect. Marketing rules to the point that D-link won't even create new model names for what are, functionally and realistically, new products with distinct feature differences.

      If I had the money, I'd sue the buggers myself.

      30 years in business should be enough to learn how not to be complete assholes. Unfortunately, it just made D-link.

    3. John Smith 19 Gold badge
      WTF?

      AC without AC icon.

      Smarter than the average.

      And they say Marketing never talks to IT.

      1. Dan 55 Silver badge

        Re: AC without AC icon.

        When a user is deleted they become an AC. He or she wasn't an AC before.

        1. Lotaresco

          Re: AC without AC icon.

          "When a user is deleted they become an AC. He or she wasn't an AC before."

          A quick search shows that "djzoey" is a prolific poster in the D-Link support forums. Always posting breathless feel-good opinion and shouting down anyone who dares to say that there may be a problem with a D-Link product. This is typical of his line of patter:

          "Might have to wait for morning. I don't' know enough but I know they are good and my stuff works great man. I love this router. Im off to play BF3. Might send a PM. Good luck."

          A definite turfer. Hell, he's dumb enough to be a moon chromer.

  9. Anonymous Coward
    Anonymous Coward

    Why pick on them alone?

    Their security is terrible and they should be forced to address it, but they aren't any worse than Netgear, Linksys, Asus etc. This action should be filed against multiple companies, as it is a problem with most consumer routers. As well as most consumer cable modems, DSL modems, IP cameras, and so on.

    1. Anonymous Coward
      Anonymous Coward

      Re: Why pick on them alone?

      Probably because they are astroturfers for NG, LS and Asus. They have zero knowledge of what they talk about and would rather be biased, which is easy for them. Truth hurts them. Life goes on.

    2. Trevor_Pott Gold badge

      Re: Why pick on them alone?

      DougS: Short version? Netgear are cleaning up their own house. Linksys are too. Asus are too big to fight with as a first go-round. The rest are too hard to get at.

      D-Link have a significant US presence, are small enough to be a great test case, and can't show that they've made any significant movement towards righting the ship whatsoever. They're easy pickings, and the FTC needs to establish precedent before going after everyone else.

      This isn't about D-Link. They're irrelevant to the larger agenda. This is all about setting the stage for minimum security standards as a regulatory requirement. The FTC wants to make the power grab and claim enforcement before Congress gets around to it. This is mostly because "what do we do about the internet of shit" has started to become an election issue.

      The FTC has to move now, or they lose their chance. D-Link is just the wrong company, doing the wrong thing at the wrong time.

      1. John Smith 19 Gold badge
        Unhappy

        "D-Link have a significant US presence, are small enough to be a great test case, "

        Indeed.

        D-Link are low hanging fruit in this, and the fact they have a significant US presence means the FTC can do them some financial damage. I'd be very strongly surprised if D-Link have a leg to stand on, and I doubt they will be the last unless US mfgs show very clear signs they are moving toward making their products more secure and more updateable.

        It's well past time every company that made an internet connected product factored in an upgrade program as part of its product development plans. If the hardware runs Linux it's not a black art, it's a package manager. Hard coded passwords are a development smell. It's (barely) defensible if no one knows how to avoid it, but the fact is it can be avoided, and once avoided the approach can be reused for the next project. Why is it that only the crap code ever seems to be reused?
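The reusable check that post is asking for, as an added example and not the commenter's code or any vendor's: a build-time lint that walks a staged firmware root filesystem and fails the build if `etc/shadow` ships a usable password or any config file carries a hard-coded credential, so that the only way past it is a first-boot provisioning step that sets per-device secrets. The directory layout, the credential key patterns, the `@@FIRST_BOOT@@` placeholder and the sample rootfs are all constructed assumptions for the demo.

```python
"""Build-time lint: refuse to ship a rootfs that contains fixed credentials.
Added example; file layout, patterns and placeholder names are assumptions."""
import os
import re
import tempfile

# Assumed config syntax: "key=value" or "key: value" where the key names a credential.
CRED_ASSIGN_RE = re.compile(
    r'^\s*(?P<key>[A-Za-z0-9_.-]*(?:passw(?:or)?d|pwd|secret|api_?key)[A-Za-z0-9_.-]*)'
    r'\s*[:=]\s*(?P<value>\S+)',
    re.IGNORECASE,
)
# Assumed placeholders that a first-boot provisioning script replaces with a per-device secret.
PLACEHOLDERS = {'', '<set-on-first-boot>', '@@FIRST_BOOT@@'}


def shadow_findings(text):
    """Flag etc/shadow entries that are usable for login as shipped.
    A hash field starting with '!' or '*' is locked; a real hash means a
    factory-chosen password, an empty field means login with no password."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith('#'):
            continue
        fields = line.split(':')
        if len(fields) < 2:
            continue
        user, hash_field = fields[0], fields[1]
        if hash_field == '':
            out.append((n, f'user {user!r} has an empty password'))
        elif hash_field[0] not in '!*':
            out.append((n, f'user {user!r} ships with a fixed password hash'))
    return out


def config_findings(text):
    """Flag credential assignments whose value is not a provisioning placeholder."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        m = CRED_ASSIGN_RE.match(line)
        if m and m.group('value').strip('\'"') not in PLACEHOLDERS:
            out.append((n, f'hard-coded value for {m.group("key")!r}'))
    return out


def scan_rootfs(root):
    """Walk a staged root filesystem; return findings as (relpath, line, message)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            try:
                with open(path, 'r', encoding='utf-8', errors='ignore') as fh:
                    text = fh.read()
            except OSError:
                continue
            checker = shadow_findings if rel == os.path.join('etc', 'shadow') else config_findings
            findings.extend((rel, ln, msg) for ln, msg in checker(text))
    return findings


def write_sample_rootfs(base, shipped_creds):
    """Construct a tiny demo rootfs (not a real vendor image). With shipped_creds=True
    it bakes in a root hash and a web admin password; otherwise root is locked and the
    web password is left for first-boot provisioning."""
    etc = os.path.join(base, 'etc')
    os.makedirs(os.path.join(etc, 'config'))
    root_hash = '$6$saltsalt$fixedhashfixedhash' if shipped_creds else '!'
    shadow = f'root:{root_hash}:17000:0:99999:7:::\ndaemon:*:17000:0:99999:7:::\n'
    web = ('# web UI admin account\nadmin_user=admin\n'
           + ('admin_password=admin\n' if shipped_creds else 'admin_password=@@FIRST_BOOT@@\n'))
    with open(os.path.join(etc, 'shadow'), 'w') as fh:
        fh.write(shadow)
    with open(os.path.join(etc, 'config', 'web.conf'), 'w') as fh:
        fh.write(web)


def demo(shipped_creds):
    """Build the sample rootfs in a temp dir and lint it; returns the findings list."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_rootfs(tmp, shipped_creds)
        return scan_rootfs(tmp)


if __name__ == '__main__':
    for label, bad in (('shipped credentials', True), ('provisioned on first boot', False)):
        print(label, '->', demo(bad) or 'clean')
```

Wire `scan_rootfs` into the image build so a non-empty result is a build failure; the same two checkers carry over unchanged to the next product, which is the reuse the post is talking about.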

      2. BinkyTheMagicPaperclip Silver badge

        Re: Why pick on them alone?

        The problem with Asus is that their basic functionality works, but extended functionality may not. If you're using mass market functionality their engineering is usually solid. Stray into more rarely used functionality (i.e. anything that is mostly used on operating systems other than Windows, or some of their more rarely used hardware configurations (workstation motherboards with PCI-X slots, etc)) and you may well be stuffed.

        Dlink may be fractionally better than they used to be, but both on firmware and driver updates they're lacking. That's a problem if the released driver doesn't work in a system, for whatever reason. When buying Dlink or a random unknown third party manufacturer, the overwhelming concern should be its ability to work with generic drivers, assuming the chipset is not custom.

  10. Version 1.0 Silver badge
    WTF?

    Cheap - Reliable - Secure ... pick any two.

    D-Link is a Taiwan based company - you are buying cheap and functional gear at a very low price so quit complaining - security costs money, well made, reliable kit costs money - but you wanted cheap.

    Realistically there's plenty of reliable, regularly updated and supported kit out there that provides the same functionality as D-Link products - but they are going to cost you more. It's your choice so quit complaining.

    1. Trevor_Pott Gold badge

      Re: Cheap - Reliable - Secure ... pick any two.

      Bullshit on all counts. But keep peddling there, sonny.

      Switches, routers and cameras of the sort D-Link makes aren't all that expensive to keep in support, if you know what you're doing. Unfortunately, internal politics, egos and technical pride make these sorts of things nearly impossible.

      We're long past the days where you can claim, for example, that Linux is inadequate for running a switch or a router. There are even distributions that run on the very gear D-Link sells. Working with these sorts of communities, and in cooperation with other vendors, can result in systems that keep themselves up to date, have decent QA, formal beta programs, release rings and so forth.

      Of course, that then requires agreeing on standards, putting aside egos and thinking of the customer. So don't expect it to happen without regulatory intervention.

      Oh, look, that's exactly what's about to happen...

    2. JLV
      Facepalm

      Re: Cheap - Reliable - Secure ... pick any two.

      >so quit complaining

      BS. There's no reason the stuff has to be so toxic. FFS you can probably pick up wrt54s w better software.

      It's like saying "your car was cheap so who cares if its gas tank ruptures on rear collisions?".

      'sides, one thing we've been learning with DDOSs lately is that this kinda crap presents risks beyond its immediate owners.

    3. Terry Cloth
      Stop

      Re: Cheap - Reliable - Secure ... pick any two.

      @Version 1.0: ``[...]but they are going to cost you more. It's your choice so quit complaining.''

      Unfortunately, there are many examples of technologies that humanity's survival depends on costing more. We can no longer allow people to build cars the cheapest way---we require them to have expensive catalytic converters. Most of us are realizing that we can't afford the cheapest way to generate electricity (though as a result, we're developing new methods that cost less). The Internet is opening our eyes to the fact that, for society's own good, we can't afford to let people sell the cheapest software.

    4. Lotaresco

      Re: Cheap - Reliable - Secure ... pick any two.

      "It's your choice so quit complaining."

      So, if I may summarise, your view is "Eat shit, 17E15 flies can't be wrong."

  11. Anonymous Coward
    Anonymous Coward

    spread the word on review sites!

    Updated the top of my 1 star review of a D6xx on Amazon.

    No need for a URL. Just suggest search terms, plenty of coverage to find :-)

  12. ecofeco Silver badge

    D-Link?

    How is this company still in business?

    1. Gnosis_Carmot

      Re: D-Link?

      "How is this company still in business?"

      The complete cluelessness of the general public.
