US Is Finally Getting Serious About Security on the Internet of Things With This Lawsuit

The internet of things ran amok last year, as security holes in “smart” devices exposed glaring problems with connected objects, like that time in October when hijacked security cameras and other electronics were used to take down parts of the internet. Now, the U.S. government is putting the IoT world on notice with a lawsuit against Taiwanese router manufacturer D-Link alleging shoddy security practices.

The lawsuit, filed by the Federal Trade Commission, accuses D-Link of a litany of security sins, including making default log-in credentials unchangeable, leaving user passwords in plain view on its smartphone apps, and making cameras and routers vulnerable to being remotely controlled.

FTC’s action is a “loud warning shot” for IoT companies, said Jeremy Goldman, a partner at law firm Frankfurt Kurnit Klein and Selz, who specializes in data security matters.

In a press release, D-Link said it will defend itself and called the allegations “unwarranted and baseless.”

The suit also throws the spotlight back on the question of regulation of the internet of things. While FTC is taking action in this case, it’s not necessarily the U.S. government agency responsible for overseeing the IoT sector.

In fact, it remains unclear who, exactly, should have purview over these devices. A case can be made for a plethora of three-letter agencies, including the Federal Communications Commission, the food and drug regulator, and the road transport regulator, as Nextgov points out. FTC itself has been at pains not to become the IoT’s top cop, preferring instead that the nascent industry self-regulate for now, so as not to strangle innovation in the cradle.

FTC’s suit asks for the court to order D-Link to improve its security practices and to pay FTC’s legal costs.