Singapore Authority Proposes New Guidelines to Secure Home Routers

The Infocomm Media Development Authority (IMDA), which regulates the infocomm and media sectors in Singapore, has launched a public consultation to establish security requirements for home routers sold in Singapore. Similar guidelines are being drafted by Japan and the United Kingdom.

The IMDA acknowledges that the accelerating proliferation of smart, networked devices in homes, such as security cams and baby monitors, has raised risks of cyberattacks that leverage such devices.

“Some of these devices have little or weak protection against cyber-attacks and are vulnerable to unauthorised access by malicious actors,” the IMDA warns.

The regulatory authority names home routers as the main entry point for hackers, “as they form the key bridge between the Internet and residents’ home networks.” The IMDA is seeking views from the industry, as well as the general population, on a new technical specification that will set out the minimum requirements for home routers.

The aim is “to provide a safer and more secure Internet experience for users, and to strengthen the resilience of Singapore’s telecommunications networks,” the group said.

To improve baseline standards for such devices, the IMDA has engaged router manufacturers and telecommunication service providers with the following key requirements:

• Tightening password administration by mandating no default login passwords, and requiring minimum password strength for RG;
• Securing default settings to better manage and control access to the RG, such as switching off unsecured Wi-Fi Protected Setup (“WPS”), and switching on the firewall by default;
• Strengthening RG administration, in particular the applicability of maintaining secure communication protocols such as SSH or HTTPS for device management interfaces to the RG; and
• Updating RGs automatically with the latest firmware

The IMDA hopes these base rules will become a pre-requisite for manufacturers, who will then see a cybersecurity label stamped on compliant home routers.

The proposed changes will take effect six months later than the finalised standards, allowing time for the industry to comply with the new technical requirements, the authority said.

Similar rules are being drafted by Japan and the UK. The UK proposed tight regulation not just of home routers, but of all Internet of Things (IoT) devices as early as 2018, urging vendors to secure their smart gizmos by design.

And last year, the European Telecommunications Standards Institute (ETSI) released the first globally applicable standard for consumer IoT security, “to establish a security baseline for internet-connected consumer products and provide a basis for future IoT certification schemes.”