Germany Proposes Router Security Guidelines

German government would like to regulate what kind of routers are sold and installed across the country. From a report: The German government published at the start of the month an initial draft for rules on securing Small Office and Home Office (SOHO) routers. Published by the German Federal Office for Information Security (BSI), the rules have been put together with input from router vendors, German telecoms, and the German hardware community. Once approved, router manufacturers don't have to abide by these requirements, but if they do, they can use a special sticker on their products showing their compliance. The 22-page document, available in English here, lists tens of recommendations and rules for various router functions and features.

Re:Rule #1 - bad translation?

[BenFranske]

I think it's pretty clear they mean the router itself shouldn't have other services open. This is all about reducing router attack surface as they have become a popular target for botnets.

Interesting

[AmiMoJo]

Some interesting stuff in that document.

- By default the router must only offer DNS, ping response and a web interface to devices on the LAN. Seems like even UPnP is disabled.
- Default SSID must not give anything away, such as the manufacturer of the router. Not sure what exactly the point is, considering that things like the MAC address reveal that.
- Half decent default passwords.
- Manufacturer must state how long they supply updates for and what severity level merits a patch.
- IPv6 is optional.

Seems rather basic to be honest.

Re:Interesting

[rpresser]

The section they are speaking of is giving recommendations for the initial state of the router. "Don't turn on a web proxy when he gets it out of the box. Let him customize that later."

Re:Interesting

[Solandri]

If you've been to Germany before WPS, every private router had the WiFi password enabled. There were no open WiFi hotspots emanating from homes. Indicating that Germans take the time to learn how to configure their router correctly. A set of requirements like those, disabling nearly everything by default, would work well in Germany to prevent the accidental misconfiguration. If you need a feature (like uPnP), you must enable it.

Most of the rest of the world, people are too damn lazy to learn how to configure a router. (I'd draw an analogy to the the clock on people's VCRs perpetually flashing 12:00, but I doubt half the readers would get that reference.) So router manufacturers have bent backwards to design something akin to one-touch configuration. Unfortunately that means every service you can think of has to be enabled by default, with only advanced users going in and disabling the stupid stuff.

So yeah it's basic stuff. But it trades off usability for security. Not that I disagree with that philosophy, but the people who want to buy a router, not read the manual, push a single button to set it up, then forget about it forever are going to whine ceaselessly about this. It's just that there are very few such people in Germany.

Re:Interesting

[grumbel]

Indicating that Germans take the time to learn how to configure their router correctly.

That's however not because Germans are so tech savvy, but because they are liable for what goes over their open WiFi. So everybody closes things down to avoid lawsuits and fines.

Re:Rule #1 - bad translation?

[Solandri]

Also note that by specifying which services are to be left open, any router manufacturer which leaves in a secret backdoor would be in violation (looking at you Cisco).