Last week, in a attempt to address broadband router security, the German government published its suggestions for minimum standards – and came under immediate criticism that its proposals didn't go far enough.
Germany's federal office for Information Security, the BSI, made its recommendations in this document (PDF), saying it wanted a "manageable level of security" and defining security features it believed should be "available by design and by default".
The document seeks to protect home and SOHO routers from internet-facing attacks, by way of:
- Restricting LAN/Wi-Fi default services to DNS, HTTP/HTTPS, DHCP/DHCPv6, and ICMPv6, and a minimum set of services available on the public interface (CWMP for configuration, SIP if VoIP is supported, and ICMPv6);
- Ensuring guest Wi-Fi services should not have access to device configuration;
- Setting WPA2 encryption as a minimum default, with a strong password that excludes identifiers like manufacturer, model, or MAC address;
- Strong password protection on the configuration interface, secured by HTTPS if it's available on the WAN interface;
- Firewall features are mandatory;
- Remote configuration must be off by default, and only accessible via an encrypted, server-authenticated connection; and
- User-controlled firmware updates, with an option for push-updates.
The guidelines also note factory resets should put the router back into a secure default state, and all personal data should be deleted from the unit during a factory reset.
At the weekend, the OpenWRT team and the Chaos Computer Club teamed up to criticise the recommendations as inadequate.
The BSI said the technical guideline was the result of "two years" of consultation with vendors, network operators, and consumer advocates. OpenWRT and CCC reckon there was way too much vendor input, and too little attention paid to their concerns.
OpenWRT identified two important user protections it said were missing from the BIS's document. Vendors should have to tell users how long they intended to support products with security updates; and customers should have the right to install custom software (like OpenWRT), "even after the official vendor support ended".
The CCC said it believes a scheme designed to give users "a minimum level" of security has failed: "the actual scheme provides only as much security as the manufacturers like - provided that they decide to comply with the directive".
OpenWRT's Hauke Mehrtens was quoted as saying the failure to mandate users' freedom to install firmware like OpenWRT "raises clear doubts about the seriousness of the federal government's will to IT security".
CCC's Mirko Vogt added he believed cheap and insecure devices could ship with a BSI seal. ®
The Register has spent weary years documenting the woeful state of security in the SOHO and home gateway router market. From that point of view, initiatives like that from BSI are welcome.
However, CCC is right that users deserve to know, at purchase, the likely supported lifetime of a device – since that's almost certainly considered by vendors when they begin device development.
Support for open firmware is, arguably, a niche consideration at the moment, but you could argue that one of the reasons to block it on end-of-life devices would be to protect the vendor's chance to sell an upgrade.
We'd argue that it's past time for standards bodies to get involved, so it's not left to national organisations to try to improve user security.