Anyone who has been reading the computer security headlines in recent years knows that there is a raging battle going on for control of home and SOHO broadband routers.
Online criminals have woken up to the power they can exert through hijacking large numbers of routers into botnets, launching devastating distributed denial-of-service (DDoS) attacks, stealing WiFi credentials, or changing DNS settings to make unwanted pop-up ads continually appear.
Time and time again users have been warned that their routers are vulnerable because of a software flaw, or because they shipped with weak default passwords.
The same problems keep occurring over and over again. Something has to change.
Well, the German government has recognised that the threat is a serious one, and has published draft guidelines on how it believes broadband routers should be secured.
The document, produced by the German Federal Office for Information Security (BSI), proposes a long list of of measures and recommendations that routers should follow which include the following:
- Wireless routers should use as a minimum WPA2 encryption.
- Any configuration password configured in factory settings should be at least 20 characters long, and must not contain information that is derived from the router’s manufacturer, model name, or MAC address etc.
- In addition, any pre-configured configuration password used with factory settings must not be shared by multiple devices from the same manufacturer.
- Any pre-configured configuration password must contain at least eight characters, and contain a combination of at least two of the following types of characters (uppercase letters [A-Z], lowercase letters [a-z], special characters [e.g. ?, !, $, etc.], and numeric characters [0-9]).
- When changing either the Wi-Fi or configuration password, users should be presented with a password strength meter based upon its number of characters and complexity.
- Users using guest Wi-Fi services should not have any access to the router’s configuration.
- By default it should not be possible to remotely configure a router, and remote access should only be possible via an encrypted, server-authenticated connection.
- Routers must include functionality to update their firmware, and provide users with the option of initiating the update manually or online. In addition, automatic firmware updates should (as opposed to must) be offered and activated by default (although it must be possible for a user to deactivate this if they wish.)
- If the router determines that its firmware is currently out-of-date, it must inform the user with a meaningful message (such as a pop-up after login). If a manufacturer decides to stop supporting the device with firmware updates then the same mechanism should be used to inform users about the end of service.
- Factory resets should return devices to their default secure state, and all personal data should be deleted.
Not everyone is impressed with the BSI’s proposals to improve router security, however.
The Chaos Computer Club (CCC), for instance, has criticised the draft, disappointed that the guidelines will not force manufacturers to display a firmware expiration date at the point of purchase, and that vendors will not have to allow users to install custom firmware on devices which are no longer receiving vendor-supplied updates.
In the CCC’s opinion, “the actual scheme provides only as much security as the manufacturers like – provided that they decide to comply with the directive.”
I welcome the BSI’s initiative to encourage router vendors to bake better security into their devices, but it is disappointing that many consumers will continue to buy routers off shop shelves without knowing how long it is likely to receive firmware updates.