An illustration depicting a digital security warning

D-Link Systems, a popular manufacturer of routers, webcams, and other connected devices, has agreed to launch a “comprehensive software security program” to settle a Federal Trade Commission complaint that it didn’t adequately protect consumers from hackers.

The complaint, originally filed in 2017, disputed repeated claims by the company that its products were secure. In reality, the FTC argued, easily preventable security flaws in D-Link’s routers and webcams had left sensitive consumer information, including live video and audio feeds, exposed and vulnerable to hackers for years. 

More on data Security & Privacy

“These security flaws risked exposing users’ most sensitive personal information to prying eyes,” said Andrew Smith, director of the FTC’s Bureau of Consumer Protection, via press release. “Manufacturers and sellers of connected devices should be aware that the FTC will hold them to account for failures that expose user data to risk of compromise.”

Though the company’s products have been targeted by hackers since the complaint became public, it’s unclear whether any customer's personal data has actually been stolen.

The FTC says D-Link used hard-coded login credentials in its camera software, which could allow an unauthorized person to access the camera’s live feed. A flaw in the company’s routers could permit an attacker to remotely take control of a user’s device and potentially gain access to the rest of the network and sensitive information stored on devices connected to it.

The FTC argued that the company mishandled a private key code used to sign into D-Link software, allowing it to be openly available on a public website for six months, and also that it left login credentials for its mobile app unsecured in clear, readable text on users' mobile devices.

In a statement, D-Link said it’s pleased to reach an “amicable resolution” with the FTC, noting that the order doesn’t find the company liable for any of the alleged violations.

“This settlement allows D-Link Systems to vigorously continue with its current comprehensive software security program and sets a new standard for secure software development practices for IoT devices,” the company stated.

But privacy advocates say the settlement would not have been needed if D-Link had taken adequate security measures in the first place.

“Although we are happy to see the FTC take action against D-Link, the company should have ensured that their systems and services were secure before they released their cameras in the marketplace,” says Katie McInnis, policy counsel at Consumer Reports. “Such security vulnerabilities put consumers at risk.”

As part of the deal with the FTC, D-Link will be required to create a security plan and test its products for security vulnerabilities before releasing them to the public. The deal also mandates ongoing monitoring for security flaws and automatic firmware updates to ensure devices receive patches for any flaws discovered after they've been sold.

The company now must submit to independent, outside assessments of its software security program every other year for the next 10 years.