At the start of the month, the German government published an initial draft of rules for securing Small Office and Home Office (SOHO) routers.
Published by the German Federal Office for Information Security (BSI), the rules have been put together with input from router vendors, German telecoms, and the German hardware community.
Once approved, router manufacturers will have to abide by these new rules if they want to sell routers inside Germany’s borders.
The 22-page document, available in English here, lists tens of recommendations and rules for various router functions and features. We couldn’t possibly list all the rules in this article, since some are highly technical, but we selected a few of greater importance:
- Only DNS, HTTP, HTTPS, DHCP, DHCPv6, and ICMPv6 services should be available on the LAN and WiFi interface.
- If the router has a guest WiFi mode, this mode must not allow access to the router’s configuration panel.
- The Extended Service Set Identifier (ESSID) should not contain information that is derived from the router itself (such as the vendor name or router model).
- The router must support the WPA2 protocol, and use it by default.
- WiFi passwords should have a length of 20 digits or more.
- WiFi passwords must not contain information derived from the router itself (vendor, model, MAC, etc.).
- The router must allow any authenticated user to change this password.
- The procedure of changing the WiFi password should not show a password strength meter or force users to use special characters.
- After setup, the router must restrict access to the WAN interface, with the exception of a few services, such as (CWMP) TR-069, SIP, SIPS, and ICMPv6.
- Routers must make CWMP available only if the ISP controls the router’s configuration from a remote, central location.
- The password for the router’s configuration/admin panel must have at least 8 characters and must have a complex setup involving two of the following: uppercase letters, lowercase letters, special characters, numbers.
- Just like WiFi passwords, admin panel passwords must not contain router-related information (vendor, model, MAC, etc.).
- The router must allow the user to change this default admin panel password.
- Password-based authentication MUST be protected against brute force attacks.
- Routers must not ship with undocumented (backdoor) accounts.
- In its default state, access to the admin panel must only be allowed via the LAN or WiFi interfaces.
- If the router vendor wants to expose the admin panel via WAN, it must use TLS.
- The end-user should be able to configure the port to be used for access to the configuration via the WAN interface.
- The router admin panel must show the firmware version.
- The router must inform users about an out-of-date or end-of-life firmware.
- The router must keep and display a last login log.
- The router must show the status and rules of any local firewall service.
- The router must list all active services per each interface (LAN/WAN/WiFi).
- Routers must include a way to perform factory resets.
- The routers must support DHCP over LAN and WiFi.
These are just some of the BSI recommendations, and you’ll find more in the above-linked document.
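
As an added illustration (not code from the BSI document or from this article), the default-credential rules in the list above can be checked against a router's factory defaults. The device record, function names and finding labels are assumptions made for this example, and "20 digits" is read here as 20 characters.

```python
import re

# Constructed device record; field names and values are assumptions for this example.
SAMPLE_DEVICE = {"vendor": "Acme", "model": "RX-500", "mac": "00:1A:2B:3C:4D:5E"}

def _device_tokens(device):
    """Strings derived from the router that must not appear in default values."""
    mac_hex = re.sub(r"[^0-9a-f]", "", device["mac"].lower())
    model = device["model"].lower()
    tokens = {device["vendor"].lower(), model, re.sub(r"[^0-9a-z]", "", model),
              mac_hex, mac_hex[-6:]}  # the last three MAC bytes are a common suffix
    return {t for t in tokens if len(t) >= 3}  # skip tokens too short to be meaningful

def _leaks_device_info(value, device):
    """True if value contains vendor, model or MAC, ignoring case and separators."""
    lowered = value.lower()
    squashed = re.sub(r"[^0-9a-z]", "", lowered)
    return any(t in lowered or t in squashed for t in _device_tokens(device))

def _char_classes(password):
    """Count how many of upper, lower, digit and special classes are present."""
    return sum([any(c.isupper() for c in password),
                any(c.islower() for c in password),
                any(c.isdigit() for c in password),
                any(not c.isalnum() for c in password)])

def audit_defaults(device, essid, wifi_password, admin_password):
    """Return a list of findings for the ESSID, WiFi and admin password rules."""
    findings = []
    if _leaks_device_info(essid, device):
        findings.append("essid-derived-from-router")
    if len(wifi_password) < 20:
        findings.append("wifi-password-too-short")
    if _leaks_device_info(wifi_password, device):
        findings.append("wifi-password-derived-from-router")
    if len(admin_password) < 8:
        findings.append("admin-password-too-short")
    if _char_classes(admin_password) < 2:
        findings.append("admin-password-too-few-classes")
    if _leaks_device_info(admin_password, device):
        findings.append("admin-password-derived-from-router")
    return findings
```

Note that the rules deliberately do not require special characters in user-chosen WiFi passwords, so the character-class check applies only to the admin panel password.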
The reason why Germany is taking steps to standardize router security has something to do with an incident that took place at the end of 2016 when a British hacker known as “BestBuy” attempted to hijack Deutsche Telekom routers, but bungled a firmware update and crashed nearly a million routers across Germany.
The BSI’s efforts to regulate SOHO routers haven’t pleased all parties involved. In a blog post last week, the Chaos Computer Club (CCC), a well-known community of German hackers, criticized the first draft of these recommendations, calling them “a farce.”
CCC said it attended the BSI meetings on this topic together with members of OpenWrt, a software project that provides open-source firmware for SOHO routers, and said telecom lobby groups have put considerable effort into sabotaging the rules as a whole.
The two groups raised two issues, which they say are of crucial importance, that were not included in the BSI recommendations.
One was that all routers should come with an expiration date for the firmware that must be visible to users before they purchase the device. Second, after the vendor stops supporting a model’s firmware, vendors should allow users to install custom firmware on abandoned and EOL devices.
Talks on the BSI rules are expected to continue. In October, the state of California passed state legislation that established a strict set of rules for passwords used by Internet-connected (IoT) devices, making it the first IoT-specific regulation in the world. While Germany isn’t passing official laws, it will become the first country that tries to pass any kind of router-specific guidelines.