
Germany proposes security guidelines for routers, but not everybody is happy

Graham CLULEY

November 28, 2018


Anyone who has been reading the computer security headlines in recent years knows that there is a raging battle going on for control of home and SOHO broadband routers.

Online criminals have woken up to the power they can exert through hijacking large numbers of routers into botnets, launching devastating distributed denial-of-service (DDoS) attacks, stealing WiFi credentials, or changing DNS settings to make unwanted pop-up ads continually appear.

Time and time again users have been warned that their routers are vulnerable because of a software flaw, or because they shipped with weak default passwords.

The same problems keep occurring over and over again. Something has to change.

Well, the German government has recognised that the threat is a serious one, and has published draft guidelines on how it believes broadband routers should be secured.

The document, produced by the German Federal Office for Information Security (BSI), proposes a long list of measures and recommendations that routers should follow, including the following:

  • Wireless routers should use WPA2 encryption as a minimum.
  • Any factory-set configuration password should be at least 20 characters long, and must not contain information derived from the router’s manufacturer, model name, MAC address, etc.
  • In addition, any pre-configured configuration password used with factory settings must not be shared by multiple devices from the same manufacturer.
  • Any pre-configured configuration password must contain at least eight characters, and contain a combination of at least two of the following types of characters (uppercase letters [A-Z], lowercase letters [a-z], special characters [e.g. ?, !, $, etc.], and numeric characters [0-9]).
  • When changing either the Wi-Fi or configuration password, users should be presented with a password strength meter based upon its number of characters and complexity.
  • Users connected via a guest Wi-Fi service should not have any access to the router’s configuration.
  • By default it should not be possible to remotely configure a router, and remote access should only be possible via an encrypted, server-authenticated connection.
  • Routers must include functionality to update their firmware, and provide users with the option of initiating the update manually or online. In addition, automatic firmware updates should (as opposed to must) be offered and activated by default (although it must be possible for a user to deactivate this if they wish).
  • If the router determines that its firmware is currently out-of-date, it must inform the user with a meaningful message (such as a pop-up after login). If a manufacturer decides to stop supporting the device with firmware updates then the same mechanism should be used to inform users about the end of service.
  • Factory resets should return devices to their default secure state, and all personal data should be deleted.
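The password rules in the list above are concrete enough to be checked mechanically. The following Python is an added illustration, not code from the article or from the BSI document, of how a vendor's build pipeline or an auditor could test factory-set credentials against them: a minimum length (kept as a parameter, since the article quotes both a 20-character floor and an eight-character floor), at least two of the four character classes, no content derived from the manufacturer name, model name or MAC address, a simple length-and-complexity strength meter, and a check that no default password is shared across a batch of devices. The device identifiers, the sample passwords, the six-hex-digit window used for the MAC check and the strength-meter thresholds are all assumptions made for the example.

```python
import math
import re

# The four character classes named in the guideline summary.
CLASS_PATTERNS = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}
# Approximate pool size per class for the strength meter (assumption: printable ASCII).
CLASS_POOL = {"upper": 26, "lower": 26, "digit": 10, "special": 33}


def character_classes(password: str) -> set:
    """Return the set of character classes present in the password."""
    return {name for name, pat in CLASS_PATTERNS.items() if pat.search(password)}


def _normalise(text: str) -> str:
    """Lower-case and strip separators so 'AR-1000' and 'ar1000' compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def derived_from_device(password: str, manufacturer: str, model: str, mac: str) -> list:
    """List the device identifiers the password appears to be derived from."""
    pw = _normalise(password)
    hits = []
    for label, value in (("manufacturer", manufacturer), ("model", model)):
        v = _normalise(value)
        if len(v) >= 3 and v in pw:
            hits.append(label)
    mac_hex = _normalise(mac)
    # Any run of six or more hex digits copied from the MAC counts as derived
    # (six is an assumption; it catches the common "last half of the MAC" scheme).
    if any(mac_hex[i:i + 6] in pw for i in range(len(mac_hex) - 5)):
        hits.append("mac")
    return hits


def check_factory_password(password: str, *, manufacturer: str, model: str,
                           mac: str, min_length: int = 8) -> list:
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(character_classes(password)) < 2:
        problems.append("fewer than two character classes")
    for source in derived_from_device(password, manufacturer, model, mac):
        problems.append(f"derived from {source}")
    return problems


def strength_meter(password: str) -> tuple:
    """Crude meter: length * log2(pool size) bits. The 40/80-bit thresholds are an assumption."""
    pool = sum(CLASS_POOL[c] for c in character_classes(password))
    bits = len(password) * math.log2(pool) if pool else 0.0
    if bits < 40:
        label = "weak"
    elif bits < 80:
        label = "fair"
    else:
        label = "strong"
    return label, round(bits, 1)


def shared_defaults(fleet: dict) -> dict:
    """Map every factory password used by more than one device to the devices sharing it."""
    by_password = {}
    for device_id, pw in fleet.items():
        by_password.setdefault(pw, []).append(device_id)
    return {pw: ids for pw, ids in by_password.items() if len(ids) > 1}


if __name__ == "__main__":
    # Constructed sample device; not a real product.
    dev = dict(manufacturer="Acme", model="AR-1000", mac="00:11:22:AA:BB:CC")
    for pw in ("acmear1000", "admin", "WiFi-AABBCC", "Tq7#mVx2pL9!rB4wZ6kH"):
        print(pw, check_factory_password(pw, min_length=20, **dev), strength_meter(pw))
    print(shared_defaults({"sn-001": "Acme1234!", "sn-002": "Acme1234!", "sn-003": "x9#Kq2Lm"}))
```

Running the module prints, for each constructed password, the rule violations and the meter reading; a vendor would wire `check_factory_password` and `shared_defaults` into the step that provisions per-device credentials, so that a batch fails before any router ships with a guessable or shared default.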

Not everyone is impressed with the BSI’s proposals to improve router security, however.

The Chaos Computer Club (CCC), for instance, has criticised the draft, disappointed that the guidelines will not force manufacturers to display a firmware expiration date at the point of purchase, and that vendors will not have to allow users to install custom firmware on devices which are no longer receiving vendor-supplied updates.

In the CCC’s opinion, “the actual scheme provides only as much security as the manufacturers like – provided that they decide to comply with the directive.”

I welcome the BSI’s initiative to encourage router vendors to bake better security into their devices, but it is disappointing that many consumers will continue to buy routers off shop shelves without knowing how long they are likely to receive firmware updates.
