Slashdot Mirror


Germany Proposes Router Security Guidelines (zdnet.com)

The German government would like to regulate what kind of routers are sold and installed across the country. From a report: The German government published at the start of the month an initial draft for rules on securing Small Office and Home Office (SOHO) routers. Published by the German Federal Office for Information Security (BSI), the rules have been put together with input from router vendors, German telecoms, and the German hardware community. Once approved, router manufacturers don't have to abide by these requirements, but if they do, they can use a special sticker on their products showing their compliance. The 22-page document, available in English here, lists tens of recommendations and rules for various router functions and features.

62 comments

  1. Rule #1 - bad translation? by b0s0z0ku · · Score: 1

    I'm confused about this rule: "Only DNS, HTTP, HTTPS, DHCP, DHCPv6, and ICMPv6 services should be available on the LAN and WiFi interface"

    What about SSH, VPN, VPN-over-SSH, etc? Are they saying that other than those few services, no other services should be passed through to the Internet? Or that the router ITSELF shouldn't provide services other than those six?

    1. Re:Rule #1 - bad translation? by BenFranske · · Score: 5, Informative

      I think it's pretty clear they mean the router itself shouldn't have other services open. This is all about reducing router attack surface as they have become a popular target for botnets.

    2. Re:Rule #1 - bad translation? by Anonymous Coward · · Score: 1

      This is the default factory shipped configuration, which is adequate for initial setup / install by 'average user'. There is nothing stopping them having additional services that can be enabled after installation.

    3. Re:Rule #1 - bad translation? by Solandri · · Score: 3, Informative

      Also note that by specifying which services are to be left open, any router manufacturer which leaves in a secret backdoor would be in violation (looking at you Cisco).

    4. Re:Rule #1 - bad translation? by MobyDisk · · Score: 1

      Or the backdoor must run over one of those protocols.

    5. Re:Rule #1 - bad translation? by pezezin · · Score: 1

      This is about home routers. Every single home router I have ever seen has a dedicated WAN port and usually four LAN ports. Try connecting the WAN to a LAN port (assuming both use Ethernet), and it probably won't work.

    6. Re:Rule #1 - bad translation? by niftymitch · · Score: 1

      From the English version: "In factory settings the router SHOULD restrict access to a defined list of services provided to devices connected on the LAN and WiFi interface by the router. The services are provided on one or more dedicated TCP and/ or UDP ports or by the network stack itself."

      That is a sane setup to start.

      Better modern +$200 routers do this already.

      Some of the audit and management features seem difficult. It may disqualify all the existing Apple AirPort devices.

      The VOIP stuff is interesting but optional.

      --
      Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.
  2. Wrong by Anonymous Coward · · Score: 0

    No special character requirements, just longer. https://www.wsj.com/articles/the-man-who-wrote-those-password-rules-has-a-new-tip-n3v-r-m1-d-1502124118?mod=trending_now_2

  3. Interesting by AmiMoJo · · Score: 5, Informative

    Some interesting stuff in that document.

    - By default the router must only offer DNS, ping response and a web interface to devices on the LAN. Seems like even UPnP is disabled.
    - Default SSID must not give anything away, such as the manufacturer of the router. Not sure what exactly the point is, considering that things like the MAC address reveal that.
    - Half-decent default passwords.
    - Manufacturer must state how long they supply updates for and what severity level merits a patch.
    - IPv6 is optional.

    Seems rather basic to be honest.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
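A way to check that first bullet on a running box, as an added example that is not part of AmiMoJo's post, the BSI draft or any vendor's firmware: it parses the kind of `ss -tuln` listing a Linux-based router prints (the listing below is constructed) and flags every LAN-reachable listener outside the draft's default-service list. Loopback-only sockets are reported separately because the rule concerns services offered to LAN devices, and ICMPv6 has no socket line to check.

```python
"""Audit a router's listening sockets against the BSI draft's default-service list.

Added example, not taken from the BSI draft or from any router vendor. It reads
the data lines of `ss -tuln` and reports every socket reachable from the LAN
that is not DNS, HTTP, HTTPS, DHCP or DHCPv6.
"""
import re

# (protocol, port) pairs for the services the draft leaves enabled by default.
ALLOWED_DEFAULT_SERVICES = {
    ("udp", 53): "DNS",
    ("tcp", 53): "DNS",
    ("tcp", 80): "HTTP",
    ("tcp", 443): "HTTPS",
    ("udp", 67): "DHCP",
    ("udp", 547): "DHCPv6",
}

# Sockets bound only to loopback are not offered to LAN devices, so they are
# listed separately rather than counted as violations.
LOOPBACK_HOSTS = {"127.0.0.1", "::1"}

# Data line of `ss -tuln`: netid, state, recv-q, send-q, local addr, peer addr.
SS_LINE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+)\s+\S+")

# Constructed sample listing; port 22 (SSH) and 1900 (UPnP/SSDP) are the
# kind of extra services discussed in the comments above.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port     Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:53             0.0.0.0:*
udp   UNCONN 0      0      192.168.1.1%br-lan:67  0.0.0.0:*
udp   UNCONN 0      0      [::]:547               [::]:*
tcp   LISTEN 0      128    0.0.0.0:80             0.0.0.0:*
tcp   LISTEN 0      128    [::]:443               [::]:*
tcp   LISTEN 0      128    0.0.0.0:22             0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:8080         0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:1900           0.0.0.0:*
"""


def split_local(addr):
    """Return (host, port) for '0.0.0.0:53', '[::]:80' or '192.168.1.1%br-lan:67'."""
    host, _, port = addr.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and scope id
    return host, int(port)


def audit_listeners(ss_output):
    """Sort every listening socket into allowed, loopback_only or unexpected."""
    report = {"allowed": [], "loopback_only": [], "unexpected": []}
    for line in ss_output.splitlines():
        match = SS_LINE.match(line.strip())
        if not match:
            continue  # header or unrelated line
        proto = match.group(1)
        host, port = split_local(match.group(2))
        if host in LOOPBACK_HOSTS:
            report["loopback_only"].append((proto, host, port))
        elif (proto, port) in ALLOWED_DEFAULT_SERVICES:
            report["allowed"].append((proto, host, port))
        else:
            report["unexpected"].append((proto, host, port))
    return report


def is_default_compliant(ss_output):
    """True when no LAN-reachable socket falls outside the allowed list."""
    return not audit_listeners(ss_output)["unexpected"]


if __name__ == "__main__":
    for proto, host, port in audit_listeners(SAMPLE_SS_OUTPUT)["unexpected"]:
        print(f"not in default-service list: {proto} {host}:{port}")
    print("compliant" if is_default_compliant(SAMPLE_SS_OUTPUT) else "non-compliant")
```

On a real router, pipe the live `ss -tuln` output into `audit_listeners` instead of the constructed sample.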
    1. Re:Interesting by Anonymous Coward · · Score: 0

      It's missing a bunch of very important services that could be used, such as VPN, AV proxy, web proxy, and others.

    2. Re:Interesting by rpresser · · Score: 3, Informative

      The section they are speaking of is giving recommendations for the initial state of the router. "Don't turn on a web proxy when he gets it out of the box. Let him customize that later."

    3. Re:Interesting by Solandri · · Score: 5, Informative

      If you've been to Germany before WPS, every private router had the WiFi password enabled. There were no open WiFi hotspots emanating from homes. Indicating that Germans take the time to learn how to configure their router correctly. A set of requirements like those, disabling nearly everything by default, would work well in Germany to prevent the accidental misconfiguration. If you need a feature (like UPnP), you must enable it.

      Most of the rest of the world, people are too damn lazy to learn how to configure a router. (I'd draw an analogy to the clock on people's VCRs perpetually flashing 12:00, but I doubt half the readers would get that reference.) So router manufacturers have bent backwards to design something akin to one-touch configuration. Unfortunately that means every service you can think of has to be enabled by default, with only advanced users going in and disabling the stupid stuff.

      So yeah it's basic stuff. But it trades off usability for security. Not that I disagree with that philosophy, but the people who want to buy a router, not read the manual, push a single button to set it up, then forget about it forever are going to whine ceaselessly about this. It's just that there are very few such people in Germany.

    4. Re:Interesting by grumbel · · Score: 4, Informative

      > Indicating that Germans take the time to learn how to configure their router correctly.

      That's however not because Germans are so tech savvy, but because they are liable for what goes over their open WiFi. So everybody closes things down to avoid lawsuits and fines.

    5. Re:Interesting by Anonymous Coward · · Score: 0

      UPnP OUGHT TO BE disabled! UPnP is a fucking DISASTER. IPv6 has to be optional because about nobody really uses it yet. I like the patch severity thing. They should have done this a decade ago.

    6. Re:Interesting by Anonymous Coward · · Score: 1

      > Most of the rest of the world, people are too damn lazy to learn how to configure a router.

      15 years ago I would have agreed with you. Very few wifi routers had security enabled. In 2018 in the US, I don't think I've seen a residential home without a password set. I've been all over the world, and wifi passwords are the norm, not the exception. In many places the wifi password is actually randomly set, and printed on the back of the DSL modem.

      So no, it's not just Germans who've figured out how to configure wifi. Everyone else has too.

    7. Re:Interesting by Anonymous Coward · · Score: 0

      Most people ARE too damn lazy to learn how to configure their router, their ISP installer does it for them and the default PW stays in it for years.

      I don't know about "the whole world" and it's not good to make generalizations but that point stands.

    8. Re:Interesting by Bengie · · Score: 1

      Many of my applications require port forwarding and quite a few use random ports between the range of 16,000 and 64,000, and no control over which port will be used. This same issue applies to IPv6, because I want incoming ports blocked by default. Please propose a better way to dynamically open/forward ports over a large range.

    9. Re:Interesting by pezezin · · Score: 1

      > - IPv6 is optional.

      Fuck this, it's about time we migrate to IPv6, they should make it mandatory.

    10. Re:Interesting by pnutjam · · Score: 1

      Many of them do reveal the ISP in the SSID.

    11. Re:Interesting by pnutjam · · Score: 1

      UPnP is fine as long as you limit which clients can actually use it.

    12. Re:Interesting by Anonymous Coward · · Score: 0

      How many Germans does it take to screw in a lightbulb?

      One.

      They are very efficient, and not very funny.

    13. Re:Interesting by Cederic · · Score: 1

      Plus of course the strange assumption that people wouldn't intentionally configure an open hotspot.

      I have three SSIDs configured on my wireless router, one of which is entirely unsecured. Makes life very easy for guests.

      Friends do similar things.

    14. Re:Interesting by Anonymous Coward · · Score: 0

      How many Germans does it take to gangbang your mom?

      Nine! Nine! Nine! Nine!!!

  4. Me too! by Gabest · · Score: 1

    I give you my sticker for half the price they do.

  5. Good idea by BringsApples · · Score: 5, Insightful

    The draft sets out to not only list what expectations/requirements routers will need, but it explains, in layman's terms, the reasoning behind it all. The best way to secure a thing is to properly educate those that are using it.

    --
    Politics; n. : A religion whereby man is god.
    1. Re: Good idea by UnknowingFool · · Score: 1

      I'm pretty sure most people don't understand the dangers of open ports and will never need them. This sets the basics of what is required by default. The user is free to bypass the basics. I don't think that forcing people to learn about topics is the most productive. It would be like requiring everyone who buys a car to know how to change their transmission.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    2. Re: Good idea by BringsApples · · Score: 1

      Not that you want to read it, but every car in the US comes with a manual, for those of us that do.

      It's information, silly. Information is always a good thing to have.

      --
      Politics; n. : A religion whereby man is god.
    3. Re: Good idea by UnknowingFool · · Score: 1

      I've read the manual to my car provided to me by the manufacturer. Please tell me where it shows me how to change my transmission. I'll wait. For that level of repair you can buy a service/repair manual from the manufacturer; they do not come with most cars. There are also 3rd party manuals which also detail these kinds of repairs. Again they do not come with the car.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
  6. This is a voluntary certification programme by Anonymous Coward · · Score: 1

    ...not a regulatory programme. Even TFA calls them guidelines. It is a sad day when the Slashdot editors are worse than the press for adding fud.

    1. Re:This is a voluntary certification programme by Anonymous Coward · · Score: 0

      Things that end up mandatory usually start optional.

      Things that start optional do not always end up mandatory.

      P->Q does not equal Q->P.

    2. Re:This is a voluntary certification programme by fustakrakich · · Score: 0

      History takes precedence. Math has no power over the irrational human.

      What is now disabled will soon be prohibited.

      --
      “He’s not deformed, he’s just drunk!”
    3. Re:This is a voluntary certification programme by Anonymous Coward · · Score: 0

      > What is now disabled will soon be prohibited.

      Don't worry the retarded aren't going to be prohibited any time soon in Germany. That is one thing they learned from the times you're apparently mentally stuck in. So good news for you, you'd be safe there.

    4. Re:This is a voluntary certification programme by fustakrakich · · Score: 1

      Heh, the nostalgia is on their part, not mine. Stay inside your bubble as you see fit.

      --
      “He’s not deformed, he’s just drunk!”
  7. The easiest way by nehumanuscrede · · Score: 1

    is to simply hold the manufacturers of said hardware fully liable for the half-assed products they sell.

    Great big eye-opening-with-cries-of-thats-not-fair-from-the-companies-who-peddle-this-shit fines with the option to forgo said fines if the CEO goes to jail for a decade instead.

    Industry only takes security seriously when it impacts their profits.

    1. Re:The easiest way by Anonymous Coward · · Score: 0

      If they can't sell it somewhere, it'll impact their profits. Especially if the guidelines become some measure of quality, so that others also won't buy what can't be sold there. No need to have the first measures be so drastic.

  8. No NTP or ICMPv4? by Joe_Dragon · · Score: 1

    No NTP or ICMPv4?

  9. Why not expand UL testing? by Rick+Schumann · · Score: 1

    Just a thought: At least here in the U.S., Underwriters Laboratory does electrical testing on products to ensure they're safe. Why not expand their role in the case of computing equipment like this (and perhaps also so-called 'IoT' devices) to test for vulnerabilities? Basically, throw a bunch of attacks at Internet-facing devices and see if you can crack them. As new exploits are discovered, expand the suite of testing to include those attacks. Would never be 100% because exploits and attack methods seem to evolve faster than they can code around them, but it would likely be better than these manufacturers have been doing on their own.

    1. Re:Why not expand UL testing? by HornWumpus · · Score: 1

      Because 90% of Chinese hardware is tested to the 'China Export' standard, not UL. They are labelled CE rather than UL. Neither really means much, UL takes longer and costs more.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    2. Re:Why not expand UL testing? by MobyDisk · · Score: 1

      100% agreed! These standards agencies are behind the times and I would rather they determine the standards than a government body.

    3. Re:Why not expand UL testing? by Rick+Schumann · · Score: 1

      ...no, that's not what I'm asking for, and so far as I knew, there was some coordination between the UL and the government. Guess I was wrong? No matter. Maybe there should be, so far as 'cybersecurity' is concerned. They are behind the times, and maybe we need to fix that.

    4. Re: Why not expand UL testing? by Anonymous Coward · · Score: 0

      CE is an EU certification, not Chinese.

  10. The missing link ... by CaptainDork · · Score: 1

    > ... the rules have been put together with input from router vendors, German telecoms, and the German hardware community.

    No input from the IT people wearing boots? Expectations of fixing problems by those who are the problem ...

    --
    It little behooves the best of us to comment on the rest of us.
  11. Reasonable laws? From MY government?? by Anonymous Coward · · Score: 0

    I have to mark the day in the calendar! Had it not been for the DSGVO (data protection laws), I couldn't remember the last time this happened!

    Maybe this is the one thing, where the batshit insane comic villain level evil psychopathic fatcat fascists' interests line up with that of actual humans.

  12. very weak. by Anonymous Coward · · Score: 0

    It's a very weak set of requirements, and reads like all Germany did was consult router makers and gave them a list of the things they already do. It just sounds like a router maker's marketing department made this up so they could sell more routers that were now "government certified".

    Here's what I see as missing and severely lacking.

    - Once sold, a router MUST support security updates to firmware for a minimum of 5 years, and SHOULD support security updates for 10 years.
    - A router MUST NOT have any manufacturer back doors.
    - A router MUST be configured by default to automatically patch severe security issues during the supported lifetime, but also MUST allow the end user to turn this off.

  13. IMPERSONATING ME AGAIN? apk by Anonymous Coward · · Score: 0

    gweihir KNEW u IMPERSONATE me https://it.slashdot.org/commen... c6gunner proves it https://linux.slashdot.org/com... & forgot to SUBMIT AC & used his registered 'lusrname' (he tried to mock me both BEFORE & after I FAIRLY challenged him to show he's done better work - he had ZERO).

    I'd never "cry victim" to ne'er-do-wells (TROLLS, not all /.ers) either.

    U EVEN HELPED ME https://science.slashdot.org/c... (& then realizing it you quit trying to make me look bad via what you thought were lies on hosts as "ME" IN YOUR IMPERSONATIONS of me e.g. https://tech.slashdot.org/comm... on speculative execution attack: Hosts PREVENT 'EM, joke's on you)

    APK

    P.S.=> 2nd to last link's KILLING U THAT U HELPED ME & got me to see if hosts stop portsmash/meltdown/spectre & yes - hosts WORK on 'em - U LOSE + FAIL a PORTFILTER TEST https://yro.slashdot.org/comme...

  14. Actually, no. Obligatory XKCD. by Anonymous Coward · · Score: 3, Interesting

    xkcd: Free

    AVM, the maker of the most popular router "Fritz!Box" (and for good reasons), will have this on their boxes. Big and fat. They're the type of manufacturer who offers free updates to entirely new versions of their FritzOS, with all new features that the hardware can manage, even years later. Security patches often even are in the local tech news.
    Which means, everyone who doesn't have this certification, has even less of a chance of competing against them.

    There are people here, who pick their ISP based on who gives them the best FritzBox. Not even having a (maybe branded) FritzBox included, is often grounds for exclusion.

    Trust me, this will have an effect on the majority of people in Germany.
    (Provided AVM doesn’t already do all that’s demanded.)

    1. Re:Actually, no. Obligatory XKCD. by Anonymous Coward · · Score: 0

      Wonderful XKCD. I will definitely buy the router without swine flu while chewing on my fat free gummy bears.

  15. In Germany... by Anonymous Coward · · Score: 1

    In Germany you buy a reasonably recent Fritz!Box and get security updates for several years. For the internationals.. this is the most popular Cable/DSL WiFi router in Germany and to be honest, for a very good reason. Really really good stuff.

  16. Are you joking? by aglider · · Score: 1

    > The router must allow any authenticated user to change [the wifi] password.

    > The procedure of changing the WiFi password should not show a password strength meter or force users to use special characters.

    Wtf?

    --
    Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
    1. Re:Are you joking? by Anonymous Coward · · Score: 0

      I think because router manufacturers default the username/password to something guessable. In fact, until I hacked Busybox on my router (it runs a stripped down Linux) it ignored the username and used admin no matter what you set it to. The password defaults to the 9 digit PIN printed on the box (not difficult to hack since it is always digits). So yeah, admin/9 digits, probably takes 2 hours to brute force. That should automatically force you to change the password (and hopefully username) when you set up the machine. There's a reason I use between 48 and 64 characters, numbers, and symbols for the password on that box, too (been hacked by the Chinese, kind of paranoid now).

    2. Re:Are you joking? by Anonymous Coward · · Score: 0

      Yes, the 2nd paragraph seems quite stupid in the context with the first.

      I am not sure why they felt to include that. Do password strength meters give false positives for weak passwords from time to time?

      I tried http://www.passwordmeter.com/ with "DiesIstMeinPasswort1234" which translates to ThisIsMyPassword1234 (just showing that it is something you'll find in a dictionary) and the site scored my password 100% with a very strong complexity.

      Personally I find their columns with "Additions" and "Deductions" very useful to improve the strength of a password. But I'd say for the laymen a password meter that uses algorithms like that (without displaying and explaining that additional information) is pretty much worthless and may lull them into a false sense of security. But discouraging the use of such algorithms instead of encouraging to improve those methods is beyond me.

      Furthermore, German IT specialists, like those from the CCC, have already criticized these guidelines as being too weak. They allege that these were made so crappy router manufacturers can label their devices as 'government approved'. You'll find an appropriate link in #57703856.

      For manufacturers that supply premium price routers in Germany, like AVM with their FRITZ!Box (also mentioned in various comments), this certificate is pointless. They already do most of these things and probably more importantly a bit more.

  17. The Red Army is coming for you by Anonymous Coward · · Score: 0

    Can you hear the Stalin-organ already?

  18. Come on by Anonymous Coward · · Score: 1

    Not the faintest sign of skepticism in the summary? This "certification", which is voluntary by the way, has been heavily criticized by CCC and the OpenWRT project, cf. https://translate.googleusercontent.com/translate_c?depth=1&hl=de&nv=1&rurl=translate.google.com&sl=de&sp=nmt4&tl=en&u=https://www.heise.de/newsticker/meldung/IT-Sicherheit-CCC-kritisiert-BSI-Routerrichtlinie-scharf-4226397.html

  19. Guidelines mean WHAT? by RubberDogBone · · Score: 1

    Guidelines are not rules or laws or even Best Practices. They're just suggestions. And vague ones at that, which allow the person using them to figure out all the details of how and when and what.

    Guidelines are like saying "you ought to have painted walls" but leaving the paint color and even the wall material (brick, plaster, drywall, stucco, recycled political signs) up to the occupant.

    We've HAD this sort of thing in routers for years. Everybody had some base standards to follow and went off on their own to implement it. It didn't exactly work well, and hell, that's part of why it's a mess now. Although another huge part is the industry settling on single suppliers like Broadcom and then implementing the same hardware and software across hundreds of models. So everybody look under your chairs. Yes YOU get a vulnerability and YOU get a vulnerability and YOU get a vulnerability.

    --
    Sig for hire.
  20. We've seen this by Anonymous Coward · · Score: 0

    > ... use a special sticker on their products ...

    We've seen this with "heart-safe" and "halal-safe" foodstuffs: Vendors perform certification for 2 or 3 years, then decide it isn't going to attract more customers so they stop buying the sticker.