Slashdot Mirror


Germany Proposes Router Security Guidelines (zdnet.com)

The German government would like to regulate what kind of routers are sold and installed across the country. From a report: The German government published at the start of the month an initial draft for rules on securing Small Office and Home Office (SOHO) routers. Published by the German Federal Office for Information Security (BSI), the rules have been put together with input from router vendors, German telecoms, and the German hardware community. Once approved, router manufacturers don't have to abide by these requirements, but if they do, they can use a special sticker on their products showing their compliance. The 22-page document, available in English here, lists tens of recommendations and rules for various router functions and features.

36 of 62 comments

  1. Rule #1 - bad translation? by b0s0z0ku · · Score: 1

    I'm confused about this rule: "Only DNS, HTTP, HTTPS, DHCP, DHCPv6, and ICMPv6 services should be available on the LAN and WiFi interface"

    What about SSH, VPN, VPN-over-SSH, etc? Are they saying that other than those few services, no other services should be passed through to the Internet? Or that the router ITSELF shouldn't provide services other than those six?

    1. Re:Rule #1 - bad translation? by BenFranske · · Score: 5, Informative

      I think it's pretty clear they mean the router itself shouldn't have other services open. This is all about reducing router attack surface as they have become a popular target for botnets.

    2. Re:Rule #1 - bad translation? by Anonymous Coward · · Score: 1

      This is the default factory shipped configuration, which is adequate for initial setup / install by 'average user'. There is nothing stopping them having additional services that can be enabled after installation.

    3. Re:Rule #1 - bad translation? by Solandri · · Score: 3, Informative

      Also note that by specifying which services are to be left open, any router manufacturer which leaves in a secret backdoor would be in violation (looking at you Cisco).

    4. Re:Rule #1 - bad translation? by MobyDisk · · Score: 1

      Or the backdoor must run over one of those protocols.

    5. Re:Rule #1 - bad translation? by pezezin · · Score: 1

      This is about home routers. Every single home router I have ever seen has a dedicated WAN port and usually four LAN ports. Try connecting the WAN to a LAN port (assuming both use Ethernet), and it probably won't work.

    6. Re:Rule #1 - bad translation? by niftymitch · · Score: 1

      From the English version: "In factory settings the router SHOULD restrict access to a defined list of services provided to devices connected on the LAN and WiFi interface by the router. The services are provided on one or more dedicated TCP and/ or UDP ports or by the network stack itself."

      That is a sane setup to start.

      Better modern +$200 routers do this already.

      Some of the audit and management features seem difficult. It may disqualify all the existing Apple AirPort devices.

      The VOIP stuff is interesting but optional.

      --
      Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.
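
    As an added example (not from the thread, the BSI draft, or any vendor), the factory-default services rule quoted above can be turned into a quick LAN-side audit: parse nmap's grepable (-oG) output for a router's LAN address and flag anything listening that is not on the allow list. The scan text below is constructed, not a real capture. The draft names services, not port numbers, so the mapping to ports is the usual IANA assignment and is an assumption here; ICMPv6 is left out because the stack provides it without a TCP/UDP port.

    ```python
    """Audit a SOHO router's LAN-side listeners against the BSI draft's default allow list.

    Added example, not code from the thread or the BSI document. Port numbers are the
    usual IANA assignments (an assumption; the draft lists services by name).
    """
    import re
    from dataclasses import dataclass
    from typing import Dict, List, Tuple

    # Factory-default LAN/WiFi services the draft allows: DNS, HTTP, HTTPS, DHCP, DHCPv6.
    # ICMPv6 is provided by the network stack itself, so it has no entry here.
    ALLOWED_LAN_SERVICES: Dict[Tuple[str, int], str] = {
        ("tcp", 53): "DNS",
        ("udp", 53): "DNS",
        ("tcp", 80): "HTTP",
        ("tcp", 443): "HTTPS",
        ("udp", 67): "DHCP",
        ("udp", 547): "DHCPv6",
    }

    # Constructed sample in nmap -oG format (not real scan output). Note telnet and UPnP
    # left listening on the LAN side, which the rule forbids in factory settings.
    SAMPLE_SCAN = "\n".join([
        "# Nmap 7.80 scan initiated as: nmap -sS -sU -oG - 192.168.178.1",
        "Host: 192.168.178.1 ()\tStatus: Up",
        "Host: 192.168.178.1 ()\tPorts: 53/open/tcp//domain///, 53/open/udp//domain///, "
        "80/open/tcp//http///, 443/open/tcp//https///, 67/open|filtered/udp//dhcps///, "
        "547/open|filtered/udp//dhcpv6-server///, 23/open/tcp//telnet///, "
        "1900/open/udp//upnp///, 5000/open/tcp//upnp///\tIgnored State: closed (1991)",
        "# Nmap done",
    ])


    @dataclass(frozen=True)
    class OpenService:
        proto: str
        port: int
        state: str
        name: str


    def parse_grepable(scan: str) -> List[OpenService]:
        """Extract listening services from nmap grepable output.

        Each "Ports:" entry has the form port/state/proto/owner/service/rpc/version/.
        UDP probes frequently report "open|filtered"; an audit should treat that as
        exposed rather than silently passing it, so both states are kept.
        """
        services: List[OpenService] = []
        for line in scan.splitlines():
            m = re.search(r"\tPorts: (.*?)(?:\t|$)", line)
            if not m:
                continue
            for entry in m.group(1).split(", "):
                fields = entry.split("/")
                port, state, proto, name = int(fields[0]), fields[1], fields[2], fields[4]
                if state in ("open", "open|filtered"):
                    services.append(OpenService(proto, port, state, name))
        return services


    def audit(services: List[OpenService],
              allowed: Dict[Tuple[str, int], str] = ALLOWED_LAN_SERVICES) -> List[OpenService]:
        """Return every listener whose (proto, port) is not on the factory-default allow list.

        This is a port-level check only: a service hiding behind an allowed port (say, an
        extra handler on 443) passes it, so it is necessary but not sufficient evidence.
        """
        return [s for s in services if (s.proto, s.port) not in allowed]


    def is_compliant(scan: str) -> bool:
        """True when the scan shows nothing outside the default allow list."""
        return not audit(parse_grepable(scan))


    if __name__ == "__main__":
        for s in audit(parse_grepable(SAMPLE_SCAN)):
            print(f"VIOLATION {s.proto}/{s.port} ({s.name}, {s.state}) not in default allow list")
    ```

    On the constructed sample this reports tcp/23 (telnet), udp/1900 and tcp/5000 (UPnP) as violations. Two caveats a tester would add: "open|filtered" UDP results need a follow-up probe before being reported to a vendor, and, as the thread itself points out, a backdoor that answers over one of the allowed protocols is invisible to a port inventory.
    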
  2. Interesting by AmiMoJo · · Score: 5, Informative

    Some interesting stuff in that document.

    - By default the router must only offer DNS, ping response and a web interface to devices on the LAN. Seems like even UPnP is disabled.
    - Default SSID must not give anything away, such as the manufacturer of the router. Not sure what exactly the point is, considering that things like the MAC address reveal that.
    - Half decent default passwords.
    - Manufacturer must state how long they supply updates for and what severity level merits a patch.
    - IPv6 is optional.

    Seems rather basic to be honest.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    1. Re:Interesting by rpresser · · Score: 3, Informative

      The section they are speaking of is giving recommendations for the initial state of the router. "Don't turn on a web proxy when he gets it out of the box. Let him customize that later."

    2. Re:Interesting by Solandri · · Score: 5, Informative

      If you'd been to Germany before WPS, every private router had the WiFi password enabled. There were no open WiFi hotspots emanating from homes. Indicating that Germans take the time to learn how to configure their router correctly. A set of requirements like those, disabling nearly everything by default, would work well in Germany to prevent the accidental misconfiguration. If you need a feature (like UPnP), you must enable it.

      Most of the rest of the world, people are too damn lazy to learn how to configure a router. (I'd draw an analogy to the clock on people's VCRs perpetually flashing 12:00, but I doubt half the readers would get that reference.) So router manufacturers have bent over backwards to design something akin to one-touch configuration. Unfortunately that means every service you can think of has to be enabled by default, with only advanced users going in and disabling the stupid stuff.

      So yeah it's basic stuff. But it trades off usability for security. Not that I disagree with that philosophy, but the people who want to buy a router, not read the manual, push a single button to set it up, then forget about it forever are going to whine ceaselessly about this. It's just that there are very few such people in Germany.

    3. Re:Interesting by grumbel · · Score: 4, Informative

      Indicating that Germans take the time to learn how to configure their router correctly.

      That's however not because Germans are so tech savvy, but because they are liable for what goes over their open WiFi. So everybody closes things down to avoid lawsuits and fines.

    4. Re:Interesting by Anonymous Coward · · Score: 1
      Most of the rest of the world, people are too damn lazy to learn how to configure a router.

      15 years ago I would have agreed with you. Very few wifi routers had security enabled. In 2018 in the US, I don't think I've seen a residential home without a password set. I've been all over the world, and wifi passwords are the norm, not the exception. In many places the wifi password is actually randomly set, and printed on the back of the DSL modem.

      So no, it's not just Germans who've figured out how to configure wifi. Everyone else has too.

    5. Re:Interesting by Bengie · · Score: 1

      Many of my applications require port forwarding and quite a few use random ports between the range of 16,000 and 64,000, and no control over which port will be used. This same issue applies to IPv6, because I want incoming ports blocked by default. Please propose a better way to dynamically open/forward ports over a large range.

    6. Re:Interesting by pezezin · · Score: 1

      - IPv6 is optional.

      Fuck this, it's about time we migrate to IPv6, they should make it mandatory.

    7. Re:Interesting by pnutjam · · Score: 1

      Many of them do reveal the ISP in the SSID.

    8. Re:Interesting by pnutjam · · Score: 1

      UPnP is fine as long as you limit which clients can actually use it.

    9. Re:Interesting by Cederic · · Score: 1

      Plus of course the strange assumption that people wouldn't intentionally configure an open hotspot.

      I have three SSIDs configured on my wireless router, one of which is entirely unsecured. Makes life very easy for guests.

      Friends do similar things.

  3. Me too! by Gabest · · Score: 1

    I give you my sticker for half the price they do.

  4. Good idea by BringsApples · · Score: 5, Insightful

    The draft sets out to not only list what expectations/requirements routers will need, but it explains, in layman's terms, the reasoning behind it all. The best way to secure a thing is to properly educate those that are using it.

    --
    Politics; n. : A religion whereby man is god.
    1. Re: Good idea by UnknowingFool · · Score: 1

      I'm pretty sure most people don't understand the dangers of open ports and will never need them. This sets the basics of what is required by default. The user is free to bypass the basics. I don't think that forcing people to learn about topics is the most productive. It would be like requiring everyone who buys a car to know how to change their transmission.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    2. Re: Good idea by BringsApples · · Score: 1

      Not that you want to read it, but every car in the US comes with a manual, for those of us that do.

      It's information, silly. Information is always a good thing to have.

      --
      Politics; n. : A religion whereby man is god.
    3. Re: Good idea by UnknowingFool · · Score: 1

      I've read the manual to my car provided to me by the manufacturer. Please tell me where it shows me how to change my transmission. I'll wait. For that level of repair you can buy a service/repair manual from the manufacturer; they do not come with most cars. There are also 3rd party manuals which also detail these kinds of repairs. Again they do not come with the car.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
  5. This is a voluntary certification programme by Anonymous Coward · · Score: 1

    ...not a regulatory programme. Even TFA calls them guidelines. It is a sad day when the Slashdot editors are worse than the press for adding fud.

    1. Re:This is a voluntary certification programme by fustakrakich · · Score: 1

      Heh, the nostalgia is on their part, not mine. Stay inside your bubble as you see fit.

      --
      “He’s not deformed, he’s just drunk!”
  6. The easiest way by nehumanuscrede · · Score: 1

    is to simply hold the manufacturers of said hardware fully liable for the half-assed products they sell.

    Great big eye-opening-with-cries-of-thats-not-fair-from-the-companies-who-peddle-this-shit fines with the option to forgo said fines if the CEO goes to jail for a decade instead.

    Industry only takes security seriously when it impacts their profits.

  7. No NTP or ICMPv4? by Joe_Dragon · · Score: 1

    No NTP or ICMPv4?

  8. Why not expand UL testing? by Rick+Schumann · · Score: 1

    Just a thought: At least here in the U.S., Underwriters Laboratory does electrical testing on products to ensure they're safe. Why not expand their role in the case of computing equipment like this (and perhaps also so-called 'IoT' devices) to test for vulnerabilities? Basically, throw a bunch of attacks at Internet-facing devices and see if you can crack them. As new exploits are discovered, expand the suite of testing to include those attacks. Would never be 100% because exploits and attack methods seem to evolve faster than they can code around them, but it would likely be better than these manufacturers have been doing on their own.

    1. Re:Why not expand UL testing? by HornWumpus · · Score: 1

      Because 90% of Chinese hardware is tested to the 'China Export' standard, not UL. They are labelled CE rather than UL. Neither really means much; UL takes longer and costs more.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    2. Re:Why not expand UL testing? by MobyDisk · · Score: 1

      100% agreed! These standards agencies are behind the times and I would rather they determine the standards than a government body.

    3. Re:Why not expand UL testing? by Rick+Schumann · · Score: 1

      ..no, that's not what I'm asking for, and so far as I knew, there was some coordination between the UL and the government. Guess I was wrong? No matter. Maybe there should be, so far as 'cybersecurity' is concerned. They are behind the times, and maybe we need to fix that.

  9. The missing link ... by CaptainDork · · Score: 1

    ... the rules have been put together with input from router vendors, German telecoms, and the German hardware community.

    No input from the IT people wearing boots? Expectations of fixing problems by those who are the problem ...

    --
    It little behooves the best of us to comment on the rest of us.
  10. Actually, no. Obligatory XKCD. by Anonymous Coward · · Score: 3, Interesting

    xkcd: Free

    AVM, the maker of the most popular router "Fritz!Box" (and for good reasons), will have this on their boxes. Big and fat. They're the type of manufacturer who offers free updates to entirely new versions of their FritzOS, with all new features that the hardware can manage, even years later. Security patches are often even in the local tech news.
    Which means, everyone who doesn't have this certification, has even less of a chance of competing against them.

    There are people here, who pick their ISP based on who gives them the best FritzBox. Not even having a (maybe branded) FritzBox included, is often grounds for exclusion.

    Trust me, this will have an effect on the majority of people in Germany.
    (Provided AVM doesn’t already do all that’s demanded.)

  11. In Germany... by Anonymous Coward · · Score: 1

    In Germany you buy a reasonably recent Fritz!Box and get security updates for several years. For the internationals.. this is the most popular Cable/DSL WiFi router in Germany and to be honest, for a very good reason. Really really good stuff.

  12. Are you joking? by aglider · · Score: 1

    > The router must allow any authenticated user to change [the wifi] password.

    > The procedure of changing the WiFi password should not show a password strength meter or force users to use special characters.

    Wtf?

    --
    Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
  13. Come on by Anonymous Coward · · Score: 1

    Not the faintest sign of skepticism in the summary? This "certification", which is voluntary by the way, has been heavily criticized by CCC and the OpenWRT project, cf. https://translate.googleusercontent.com/translate_c?depth=1&hl=de&nv=1&rurl=translate.google.com&sl=de&sp=nmt4&tl=en&u=https://www.heise.de/newsticker/meldung/IT-Sicherheit-CCC-kritisiert-BSI-Routerrichtlinie-scharf-4226397.html

  14. Guidelines mean WHAT? by RubberDogBone · · Score: 1

    Guidelines are not rules or laws or even Best Practices. They're just suggestions. And vague ones at that, which allow the person using them to figure out all the details of how and when and what.

    Guidelines are like saying "you ought to have painted walls" but leaving the paint color and even the wall material (brick, plaster, drywall, stucco, recycled political signs) up to the occupant.

    We've HAD this sort of thing in routers for years. Everybody had some base standards to follow and went off on their own to implement it. It didn't exactly work well, and hell, that's part of why it's a mess now. Although another huge part is the industry settling on single suppliers like Broadcom and then implementing the same hardware and software across hundreds of models. So everybody look under your chairs. Yes YOU get a vulnerability and YOU get a vulnerability and YOU get a vulnerability.

    --
    Sig for hire.