The FTC filed a complaint about D-Link regarding security issues stemming from an alleged failure to protect its webcams and routers from hackers. According to the FTC, D-Link failed to adequately test their products to recognize security flaws and left them susceptible to attacks.
In a statement, D-Link strongly denied these claims, writing that the "security of our products and protection of our customers' private data is always our top priority." The router maker calls the FTC's claims "vague and unsubstantiated allegations" and notes that the Commission fails to mention "any breach of any product sold by D-Link Systems."
Consumer Reports reached out to the FTC for comment and the agency referred us to their public statement.
The FTC's allegations could not have come at a worse time for D-Link, since the company this week is showing off its latest products at the Consumer Electronics Show, the big tech trade show in Las Vegas.
If you're concerned about your router, here's what you should know.
How serious is the problem?
Craig Young, a researcher at the digital security company Tripwire, says the problems identified by the FTC are quite serious. Compromised webcams could have been used to surreptitiously spy on their owners, and affected routers could be used to launch cyberattacks. But Young also pointed out that other router manufacturers have been found to have serious security flaws.
“There is no reason to believe that most other companies are doing any better with security,” Young said. “So there is not much sense in discontinuing use of the router or camera just to move to another likely vulnerable device.”
Other security experts concurred. "You don't know if your router is better because there's an almost total lack of information," Bruce Schneier, a well-known security expert and author who has written about routers, said. "There's a lot of really bad stuff out there." Part of the problem comes down to economics, he said: While companies such as Apple and Google can spend heavily to protect their products, router and internet camera makers work with low margins and often source their components from third parties.
The solution, according to Peiter Zatko, a prominent security expert better known as Mudge, would be "a security label similar to that of the NLEA [Nutrition Labeling and Education Act] Nutritional Label on food products" that would show how well products met important security and privacy criteria. Then consumers could choose products based on how securely they are engineered. Zatko is the cofounder of Cyber Independent Testing Lab (CITL), a nonprofit that develops methods to evaluate software security. "You need to be able to quantify and measure, to bring data and facts to the forefront," he said.
How do I know if I'm affected?
In its complaint, the FTC has said, "As a result of Defendants’ failures, thousands of Defendants’ routers and cameras have been vulnerable to attacks that subject consumers’ sensitive personal information and local networks to a significant risk of unauthorized access."
However, neither the FTC nor D-Link has identified specific model lines that might be the cause of these concerns, so it's impossible to know precisely which cameras and routers might be affected. We specifically asked D-Link if the company could verify that the routers it is currently shipping are secured against all known vulnerabilities. A spokeswoman referred us to the company's official statement, saying "the FTC complaint does not allege any breach of any product sold by D-Link Systems in the US."
According to D-Link, the possible vulnerabilities are not exclusive to its routers but common among all internet-connected devices. D-Link assures potential buyers that they maintain "a robust range of procedures to address potential security issues." On D-Link's support site, the company has many firmware updates that are supposed to address security vulnerabilities, among other things.
But few routers update their firmware automatically. So it's possible that, even if a fix is available for a security vulnerability in your router, the device may still be exposed unless you have actively updated its firmware. Without these updates, personal data and even information about user bank accounts could be at risk.
Older routers could be at particular risk, since many have passed their "end of support" period, meaning the manufacturer has stopped issuing firmware updates.
What should I do?
Consumers should follow best practices for routers and internet-connected devices in general. Make sure to change any default usernames and passwords that may have been on your device when it shipped. Create different passwords for the different devices in your home and, for that matter, your online accounts. Routinely check for updates for your specific model.
Also consider purchasing a new router. During CES, a number of companies (including D-Link) introduced models with built-in automatic updates. And newer models are more likely to see updates than those five years or older. Internet of things (IoT) devices are increasingly becoming the target for malicious hackers, so automatic updates are increasingly vital for the safety of your data.
For more advice see Young's article, Six Tips to Improve Your Router’s Security.
How do I update my D-Link Router?
1. Visit D-Link's Support Website.
2. Navigate to your product's specific page.
3. Find and download the latest firmware.
4. Once the firmware is downloaded, open a web browser (like Chrome or Microsoft Edge) and enter "http://dlinkrouter" or "http://192.168.0.1" into the address bar to access your router on your home network, then log in with your username and password.
5. Click on the Tools tab and then click on Firmware. Under Firmware Upgrade, click on the Browse button and navigate to the .bin file downloaded in Step 3.*
6. Select and open the file.
7. Click on Upload to upgrade the firmware. Avoid unplugging, powering down, or otherwise disrupting the router while the firmware is being upgraded. Click on Continue when a prompt appears.

*While the procedure to update routers varies from device to device, most of these steps will be applicable, and the differences are limited to the specific menu items in Step 5.

Update: This story has been updated to include comments from Bruce Schneier and Peiter Zatko.
Consumer Reports has no relationship with any advertisers on this website. Copyright © 2006-2017 Consumers Union of U.S.