The U.S. Federal Trade Commission (FTC) is suing D-Link for putting users' most sensitive personal data at risk through inadequate security on its routers and cameras. D-Link has been criticized for releasing products that lack basic security measures and for being slow to respond when security issues are discovered in those products.
The latest update on this topic indicates that D-Link has agreed to a nearly 10-year security audit to resolve the FTC lawsuit, while making the necessary security enhancements to protect user data. “Manufacturers and sellers of connected devices should be aware that the FTC will hold D-Link accountable for failures that expose user data to the risk of leakage,” said Andrew Smith, director of the FTC’s Bureau of Consumer Protection.
Hongke Vdoo’s security research team continuously conducts extensive research on industry-leading IoT products from the safety and security field, including network devices and routers. Following the recent update in the FTC lawsuit over D-Link products, the team used Vdoo’s automated security and analytics solution, Vision, to automatically analyze a variety of network devices. The results show that most connected embedded devices are not well protected, so D-Link is likely not the only manufacturer failing to implement security best practices.
The analysis is performed on each router’s firmware binaries, and the results for each router are presented in a detailed report. The reports revealed some potential zero-day vulnerabilities and many critical security issues in the devices analyzed. Three of these key security issues are described below.
Top threats identified by Vision
Below are three key security issues found in the routers analyzed. Each issue is addressed by a security requirement that explains the security issue identified, details what such issues mean, and what the vendor should do to mitigate risk.
1. Multiple binaries were compiled without critical security flags.
2. The private key is stored on the device.
3. Shell commands are being executed in a CGI script.
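A defender-side check for the first issue, added here as an example; it is not Vdoo's tooling and not part of the original article. It assumes the "critical security flags" are PIE, a non-executable stack and RELRO, which the article does not enumerate; `check_hardening` and `build_sample` are hypothetical names, and the sample images are constructed.

```python
import struct

PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
ET_DYN, PF_X = 3, 0x1

def check_hardening(data: bytes) -> dict:
    """Report PIE / non-executable stack / RELRO from an ELF image's headers."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                   # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"    # EI_DATA: 1 = little, 2 = big endian
    if is64 and len(data) < 64:
        raise ValueError("truncated ELF header")
    e_type, = struct.unpack_from(end + "H", data, 16)
    if is64:
        phoff, = struct.unpack_from(end + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
        min_ph, flags_at = 56, 4          # p_flags follows p_type in ELF64
    else:
        phoff, = struct.unpack_from(end + "I", data, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
        min_ph, flags_at = 32, 24         # p_flags is the 7th word in ELF32
    # A missing PT_GNU_STACK is reported as executable (the conservative reading).
    result = {"pie": e_type == ET_DYN, "nx_stack": False, "relro": False}
    for i in range(phnum):
        base = phoff + i * phentsize
        if phentsize < min_ph or base + phentsize > len(data):
            raise ValueError("bad program header table")
        p_type, = struct.unpack_from(end + "I", data, base)
        if p_type == PT_GNU_STACK:
            p_flags, = struct.unpack_from(end + "I", data, base + flags_at)
            result["nx_stack"] = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            result["relro"] = True        # presence only; full RELRO also needs BIND_NOW
    return result

def build_sample(e_type, stack_flags=None, relro=False):
    """Constructed 32-bit big-endian ELF header + program headers (not real firmware)."""
    phdrs = []
    if stack_flags is not None:
        phdrs.append(struct.pack(">8I", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 0))
    if relro:
        phdrs.append(struct.pack(">8I", PT_GNU_RELRO, 0, 0, 0, 0, 0, 4, 0))
    ident = b"\x7fELF\x01\x02\x01" + bytes(9)
    fields = (e_type, 8, 1, 0, 52, 0, 0, 52, 32, len(phdrs), 0, 0, 0)
    return ident + struct.pack(">HHIIIIIHHHHHH", *fields) + b"".join(phdrs)

if __name__ == "__main__":
    print("unhardened:", check_hardening(build_sample(2, stack_flags=7)))
    print("hardened:  ", check_hardening(build_sample(3, stack_flags=6, relro=True)))
```

Run over every ELF file in an unpacked firmware image, a check like this flags binaries to rebuild with the toolchain's hardening options.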
Impact of Security Issues
Inadequate implementation of security requirements can increase the probability of a remote attacker successfully exploiting a device or sniffing sensitive data. After a successful attack, the attacker can: take full control of the device; change the device configuration; access the user’s browsing history and transmitted data; install malware to add the device to a botnet, which may allow the attacker to perform other malicious tasks such as DDoS attacks and cryptocurrency mining; use the device as a penetration point for the network (performing lateral movement); and manipulate the transmitted data to execute phishing attacks that could allow attackers to obtain sensitive information such as usernames, passwords and credit card details.
Advice for Equipment Manufacturers
1. Implement security during the development phase
Security concerns cannot be an afterthought as this can result in costly delays such as time-to-market delays or redundant design changes. Complete neglect could result in lawsuits and reputational damage, as was the case with D-Link.
It is strongly recommended that vendors perform continuous security checks throughout the development lifecycle. For an effective CI process, build an integration between the automation server and the Vision API. Vision automatically analyzes every build every time it completes. After completing the Vision analysis, the developer receives an email with a link to a full report of the analysis results.
To date, the Vision analysis engine has generated more than 900 security requirements that are only displayed when relevant to a specific analyzed device, simplifying implementation in a balanced and prioritized manner. In addition, the Vision analysis engine finds potential vulnerabilities, which are also included in the reports of the analyzed devices. To date, more than 160 zero-day vulnerabilities have been discovered in various product types and common code bases.
Note: These vulnerabilities are best disclosed to the vendor and will be gradually shared after the disclosure period ends and there is enough time to patch the device.
2. Ensure compliance with industry standards
In the event of a security incident, or even just for better marketing positioning, it will be better if the vendor can demonstrate that security is considered by adhering to leading industry standards. Standardization bodies, regulators, and industry groups are working to define standards for appropriate cybersecurity equipment. However, in many cases these standards are difficult to follow because they are not detailed enough.
Vision helps suppliers comply with various regulations, industry standards and best practices by mapping out the safety requirements associated with each standard, while helping D-Link comply with the requirements of the International Electrotechnical Commission (IEC).
3. Embed active real-time protection layers
Even if security measures are properly implemented in the device before it hits the market, new threats are constantly emerging. On-demand mitigation protects devices from new threats, which is made possible by the Hongke Vdoo ERA embedded runtime micro-agent. This acts as an extra layer of protection, making it difficult for attackers to exploit vulnerabilities or security holes.
Appendix – Hongke Vdoo Security Protection Platform
Hongke Vdoo is an end-to-end product security analysis platform that automates all software security tasks throughout the product lifecycle, ensuring that all security issues are prioritized, communicated, and mitigated. The vertically agnostic platform enables device manufacturers and deployers in a variety of industries to extend their product security capabilities across multiple lines of business. Hongke Vdoo’s method of automatically securing connected products enables customers to significantly reduce time to market, reduce resource requirements, increase sales and reduce overall risk.
Responsible editor: haq