IoT Ecosystem
July 9, 2019
By Ruth Artzi

The FTC Lawsuit over D-Link: Technical Perspective of Routers Security

Introduction

The U.S. Federal Trade Commission (FTC) sued D-Link for putting consumers’ most sensitive personal data at risk due to the inadequate security of its routers and cameras. D-Link was criticized for releasing products which lack basic security measures, and for responding late when security issues were discovered in these products.

The most recent update on this topic indicates that D-Link has agreed to 10 years of security audits to settle the FTC lawsuit, along with making the required security enhancements to protect users’ data. “Manufacturers and sellers of connected devices should be aware that the FTC will hold them to account for failures that expose user data to the risk of compromise,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection.

This is just one example of many demonstrating that to prevent regulatory actions against them, vendors should pay rigorous attention to security measures.

Technical Overview

VDOO's security research team is constantly conducting broad-scale research of leading IoT products from the fields of safety and security, including network devices and routers. Following the recent update on the FTC lawsuit over D-Link products, the VDOO security research team has used Vision™, VDOO’s automated security and analysis solution, to automatically analyze various network devices. Our experience tells us that the majority of connected embedded devices are not well secured. Therefore, we assume D-Link is not the only manufacturer who has failed to implement security best practices.

The analysis was done by using the firmware binary files of the routers. The analysis results of each router were displayed in a detailed report. These reports revealed a few potential zero-days and many critical security issues which are relevant to the analyzed devices. Three out of the many critical security issues are detailed below.

Major Threats Discovered by Vision™

Below are a few examples of critical security issues that were found in the analyzed routers. Each issue is addressed by a security requirement that explains what are the device-specific findings, what are the implications of such an issue, and what the vendor should do to mitigate the risk.

Security issue: Multiple binaries compiled without critical security flags. 1st

Security issue: Private keys are stored on the device. 2nd

Security issue: Shell commands are being executed in CGI scripts. 3rd

The vendor’s development team can implement these security requirements by following the step-by-step guidance that appears in the analysis report by Vision™.

Possible Implications of the Security Issues

Inadequate implementation of the previously mentioned security requirements may increase the chances of a successful exploitation of the device or sniffing of sensitive data by a remote attacker. Upon a successful attack, the attacker can:

  • Gain full control of the device
  • Change configuration of the device
  • Access the user’s browsing history and transferred data
  • Install malware for adding the device to a botnet, which may allow the attacker to perform other nefarious tasks such as DDoS attacks and cryptocurrency mining
  • Use the device as an infiltration point for the network (performing lateral movement)
  • Manipulate transferred data to perform phishing attacks that may allow the attacker to obtain sensitive information such as usernames, passwords, and credit card details

Recommendations for Device Makers

1. Implement security during the development phases

Security cannot be addressed only as an afterthought, as this may lead to costly outcomes like delays in time to market or redundant design changes. If completely ignored, it can lead to a lawsuit and reputational damage as in the case of D-Link.

It is highly recommended that vendors perform ongoing security checks during the entire development life cycle. For an effective CI process, integration is possible between the build automation servers and the Vision™ API. This integration allows an automated analysis by Vision™ each time a build is completed. Upon completion of the Vision™ analysis, the developers receive an email with a link to the full report of the analysis results.

To date, the Vision™ analysis engine generates more than 900 security requirements which are displayed only if relevant to the specific analyzed device, in a balanced and prioritized way to simplify the implementation. In addition, the Vision™ analysis engine discovers potential vulnerabilities which are also included in the report of the analyzed device. To date, more than 160 zero-day vulnerabilities have been discovered in various product types and common code libraries.

Note: These vulnerabilities were disclosed to the vendors in accordance with responsible disclosure best practices and will be shared gradually after the disclosure periods are concluded and enough time is given to patch the devices.

2. Make sure to comply with industry standards

In case of a security incident, or even only for a better marketing positioning, the vendor is better off when able to prove that security was taken under consideration by complying with leading industry standards. Standardization bodies, regulators, and industry groups are working to define the criteria for properly cyber-secure devices. However, in many cases these criteria are hard to follow since they are too generic.

Vision™ helps the vendor to comply with various regulation, industry standards, and best practices by mapping out which of the security requirements are relevant to each standard. This capability could certainly have helped D-Link in adhering the International Electrotechnical Commission (IEC) requirements.

Dashboard

3. Embed an active real-time protection layer

Even when security has been properly implemented in the device before it is released to the market, new threats are constantly continuing to emerge. Protecting the device against new threats is possible with on-demand mitigation capabilities, as can be achieved by an embedded runtime micro-agent. This acts as an additional protection layer that makes it really difficult for an attacker to exploit vulnerabilities or security gaps.

VDOO ERA™ is an agent which is automatically tailored to the device it is protecting, without imposing a notable effect on its functionality and performance.

About VDOO

VDOO was established in 2017 to pioneer embedded systems security with an end-to-end solution of security automation, certification, and protection. The VDOO founders’ backgrounds include an endpoint cybersecurity startup acquired by Palo Alto Networks as well as notable experience serving in the Israeli Intelligence Elite Unit.

Visit our website to learn more about how vendors can secure their devices and protect their users from cybersecurity threats: www.vdoo.com

Credits

Jonathan Sar Shalom, Security Researcher at VDOO, is a key contributor to this article

Share this post

You may also like