The German Federal Office for Information Security recently published an initial draft of rules for securing SOHO routers, and is now taking comments. These rules aren’t required to sell routers in the country, but manufacturers who abide by them will be able to feature a compliance notice on the packaging (aka they get a sticker).
There are a lot of recommendations to unpack. Many I would hope are table stakes, but maybe it says something that they need to be spelled out.
One interesting rule would require routers to support WPA2 and use it by default. This is kind of interesting for new routers, since WPA3, you know, exists and maybe will be more relevant in the years to come. In fact, the draft rules don’t even mention it.
I also love that there needs to be a rule that passwords for users and admins not include any information about the router model. Or that user passwords have to be changeable. Then again, this may be a hedge against low-cost IoT-type routers coming from no-name manufacturers with unalterable firmware. Then again, those kinds of devices aren’t going to care about security certification.
There’s an interesting report from ZDNet regarding pushback from the security community against the rules. Two rules were allegedly killed by manufacturers. One was to require an expiration date on firmware that’s visible to users before purchasing. The second would be requiring manufacturers to allow for third-party firmware installs after their support has reached EOL. It’s not surprising that these were raised by the OpenWrt project.
We’ll see if and how these rules change once the comment period is up.