The US Federal Trade Commission (FTC) has filed a legal complaint against Taiwan-based networking firm D-Link and its US subsidiary, claiming that "inadequate" cybersecurity measures leave users of its wireless routers and web-connected cameras at risk of hacking.
The complaint, filed in a Californian District court, details how the FTC believes D-Link has neglected the security of its internet-of-things (IoT) product range, a move it alleged could leave both consumer privacy – and personal information – wide open to compromise.
The firm's routers and Internet Protocol (IP) cameras could potentially leak sensitive consumer data, including live video and audio feeds from D-Link IP cameras, the US watchdog said.
According to the legal filing, hackers could exploit D-Link's products via "simple" exploits.
Vulnerabilities in the products, the FTC said, could give an attacker the ability to "monitor a consumer's whereabouts" or "watch and record their personal activities and conversations".
Furthermore, the filing said D-Link had "failed to take steps to address well-known and easily preventable security flaws". These included weak hard-coded passwords and a "command injection" software flaw than could allow hackers to attack routers remotely.
According to the complaint, D-Link promoted the security of its routers on the company's website, which included materials headlined "Easy to Secure" and "Advanced Network Security". The FTC said this was untrue, and the legal manoeuvre was now being made in order to protect consumers' privacy and security.
"Hackers are increasingly targeting consumer routers and IP cameras – and the consequences for consumers can include device compromise and exposure of their sensitive personal information," Jessica Rich, director of the FTC's Bureau of Consumer Protection, said in a statement.
"When manufacturers tell consumers that their equipment is secure, it's critical that they take the necessary steps to make sure that's true," she added.
The FTC said it has also brought legal cases against ASUS, a computer hardware manufacturer, and TRENDnet, a marketer of video cameras. The move comes after a sharp spike in cybercriminals using unprotected IoT devices to launch attacks against unwitting web users.
In response to the litigation, D-Link said it "denies the unwarranted allegations" outlined in the FTC complaint and that it will "vigorously defend the action." It added: "The FTC has made vague and unsubstantiated allegations relating to routers and IP cameras."
Last year, an unprecedented attack, using an IoT-powered botnet called Mirai, was used to target the DNS provider Dyn. As a consequence of the attack, which used the power of web-connected cameras and routers to direct waves of traffic against Dyn's servers, huge swathes of the internet were left offline in the US, impacting websites including Netflix, Reddit and Twitter.
This article was updated on 6 January [17:00] to add in a statement from D-Link.
Read the full legal filing below: