German Government issues recommendations on router security

The measures were criticized by specialist organizations and software developers

Last week, in an attempt to address the security of broadband routers, the German government issued some suggestions on minimum standards, receiving immediate criticism of the scope of its proposals.

According to specialists in digital forensics from the International Institute of Cyber Security, the BSI, the Office of computer security in Germany, mentioned that they wanted a “manageable security level” and defined the security features that they believed should be “available by design and by default” on routers.

The German government seeks to protect routers from via Internet attacks by adopting measures such as:

  • Restriction of default LAN/WiFi services to DNS, HTTP/HTTPS, DHCP/DHCPv6 and ICMPV6, and a minimum set of services available in the public interface
  • Ensure that guest WiFi services do not have access to the device settings
  • Set the default WPA2 encryption to a minimum, with a secure password that excludes identifiers such as the manufacturer, model, or MAC address
  • Robust password protection in the configuration interface, secured by HTTPS if available on the WAN interface
  • Mandatory firewall features
  • Remote configuration must be disabled by default, and can only be accessed through an encrypted, server-authenticated connection
  • User-controlled firmware updates, with option for automatic updates

These recommendations also indicate that the factory reset must render the router to a secure default state, and all personal data should be removed from the unit during this process.

Over the past weekend, OpenWRT digital forensics experts and the Chaos Computer Club (CCC) went on to declare that they consider these ‘inadequate’ recommendations.

BSI said these recommendations are the result of “two years of consultations with suppliers, network operators, and consumer advocacy agencies.” OpenWRT and CCC estimate that there was too much consideration for vendor opinion and very little attention to consumer concerns.

According to OpenWRT, two user protection measures have been left out of the BSI recommendations list. Providers should inform users how long they plan to launch backup for their products with security updates; in addition, customers must have the right to install custom software (such as OpenWRT), “even after the official vendor support ends.”

On the other hand, the CCC said that the current security scheme has failed, as companies provide a minimum security standard, according to the convenience of manufacturers. CCC mentioned that “it is unclear” how these new policies would counteract computer threats such as Heartbleed, Sambacry or the botnet BCMUPnP, recently discovered earlier this month.

Hauke Mehrtens, a digital forensics expert from OpenWrt stated that disabling the user to install firmware like OpenWrt “raises doubts about the seriousness with which governments address computer security.”

Several members of the cybersecurity community consider that CCC is right to demand that manufacturers provide information to the user about the possible life of a device, since it is almost certain that providers will consider this information during the development phases of their products.