For HomeFor BusinessFor Partners
Smart Home
2 min read

Germany proposes security guidelines for routers, but not everybody is happy

Graham CLULEY

November 28, 2018

Promo Protect all your devices, without slowing them down.
Free 30-day trial
Germany proposes security guidelines for routers, but not everybody is happy

Anyone who has been reading the computer security headlines in recent years knows that there is a raging battle going on for control of home and SOHO broadband routers.

Online criminals have woken up to the power they can exert through hijacking large numbers of routers into botnets, launching devastating distributed denial-of-service (DDoS) attacks, stealing WiFi credentials, or changing DNS settings to make unwanted pop-up ads continually appear.

Time and time again users have been warned that their routers are vulnerable because of a software flaw, or because they shipped with weak default passwords.

The same problems keep occurring over and over again. Something has to change.

Well, the German government has recognised that the threat is a serious one, and has published draft guidelines on how it believes broadband routers should be secured.

The document, produced by the German Federal Office for Information Security (BSI), proposes a long list of of measures and recommendations that routers should follow which include the following:

  • Wireless routers should use as a minimum WPA2 encryption.
  • Any configuration password configured in factory settings should be at least 20 characters long, and must not contain information that is derived from the router’s manufacturer, model name, or MAC address etc.
  • In addition, any pre-configured configuration password used with factory settings must not be shared by multiple devices from the same manufacturer.
  • Any pre-configured configuration password must contain at least eight characters, and contain a combination of at least two of the following types of characters (uppercase letters [A-Z], lowercase letters [a-z], special characters [e.g. ?, !, $, etc.], and numeric characters [0-9]).
  • When changing either the Wi-Fi or configuration password, users should be presented with a password strength meter based upon its number of characters and complexity.
  • Users using guest Wi-Fi services should not have any access to the router’s configuration.
  • By default it should not be possible to remotely configure a router, and remote access should only be possible via an encrypted, server-authenticated connection.
  • Routers must include functionality to update their firmware, and provide users with the option of initiating the update manually or online. In addition, automatic firmware updates should (as opposed to must) be offered and activated by default (although it must be possible for a user to deactivate this if they wish.)
  • If the router determines that its firmware is currently out-of-date, it must inform the user with a meaningful message (such as a pop-up after login). If a manufacturer decides to stop supporting the device with firmware updates then the same mechanism should be used to inform users about the end of service.
  • Factory resets should return devices to their default secure state, and all personal data should be deleted.

Not everyone is impressed with the BSI’s proposals to improve router security, however.

The Chaos Computer Club (CCC), for instance, has criticised the draft, disappointed that the guidelines will not force manufacturers to display a firmware expiration date at the point of purchase, and that vendors will not have to allow users to install custom firmware on devices which are no longer receiving vendor-supplied updates.

In the CCC’s opinion, “the actual scheme provides only as much security as the manufacturers like – provided that they decide to comply with the directive.”

I welcome the BSI’s initiative to encourage router vendors to bake better security into their devices, but it is disappointing that many consumers will continue to buy routers off shop shelves without knowing how long it is likely to receive firmware updates.

tags

Smart Home

Author

Graham CLULEY

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.

View all posts

Right now Top posts

Torrents with Pirated TV Shows Used to Push Lumma Stealer Malware
Threats The Safe Nomad

Torrents with Pirated TV Shows Used to Push Lumma Stealer Malware

November 14, 2024

4 min read
How Scammers Stole $20 Million by Hacking Emails of Real Estate Agents – Here’s Why Small Firms Must Take Cybersecurity Seriously
Industry News Very Small Business Scam

How Scammers Stole $20 Million by Hacking Emails of Real Estate Agents – Here’s Why Small Firms Must Take Cybersecurity Seriously

November 11, 2024

3 min read
Is Your Digital Footprint Placing You in Scammers’ Crosshairs?
Scam

Is Your Digital Footprint Placing You in Scammers’ Crosshairs?

October 17, 2024

4 min read
What Key Cyberthreats Do Small Businesses Face?
Tips and Tricks How to Very Small Business

What Key Cyberthreats Do Small Businesses Face?

September 06, 2024

4 min read

FOLLOW US ON SOCIAL MEDIA

You might also like

Track Guide to Las Vegas: Cybersecurity Edition
Cybersecurity Grand Prix

Track Guide to Las Vegas: Cybersecurity Edition
Bitdefender

November 19, 2024

3 min read
Cybersecurity Grand Prix: Race to Secure Your Digital Footprint
Cybersecurity Grand Prix

Cybersecurity Grand Prix: Race to Secure Your Digital Footprint
Bitdefender

October 28, 2024

3 min read
Finnish Customs, Europol, Swedish Police and Bitdefender Cooperation Leads to Sipulitie Dark Web Marketplace Shut Down
Industry News

Finnish Customs, Europol, Swedish Police and Bitdefender Cooperation Leads to Sipulitie Dark Web Marketplace Shut Down
Bitdefender

October 15, 2024

3 min read

Bookmarks

loader