Germany Proposes Router Security Guidelines (zdnet.com)

The German government would like to regulate what kind of routers are sold and installed across the country. From a report: The German government published at the start of the month an initial draft for rules on securing Small Office and Home Office (SOHO) routers. Published by the German Federal Office for Information Security (BSI), the rules have been put together with input from router vendors, German telecoms, and the German hardware community. Once approved, router manufacturers don't have to abide by these requirements, but if they do, they can use a special sticker on their products showing their compliance. The 22-page document, available in English here, lists tens of recommendations and rules for various router functions and features.
  • I'm confused about this rule: "Only DNS, HTTP, HTTPS, DHCP, DHCPv6, and ICMPv6 services should be available on the LAN and WiFi interface"

    What about SSH, VPN, VPN-over-SSH, etc? Are they saying that other than those few services, no other services should be passed through to the Internet? Or that the router ITSELF shouldn't provide services other than those six?

• by BenFranske ( 646563 ) on Monday November 26, 2018 @12:50PM (#57701868)

      I think it's pretty clear they mean the router itself shouldn't have other services open. This is all about reducing router attack surface as they have become a popular target for botnets.

    • by Anonymous Coward

      This is the default factory shipped configuration, which is adequate for initial setup / install by 'average user'. There is nothing stopping them having additional services that can be enabled after installation.

    • No NTP or ICMPv4?

• From the English version: "In factory settings the router SHOULD restrict access to a defined list of services provided to devices connected on the LAN and WiFi interface by the router. The services are provided on one or more dedicated TCP and/or UDP ports or by the network stack itself."

      That is a sane setup to start.

      Better modern +$200 routers do this already.

      Some of the audit and management features seem difficult. It may disqualify all the existing Apple AirPort devices.

      The VOIP stuff is interes

  • Interesting (Score:5, Informative)

by AmiMoJo ( 196126 ) on Monday November 26, 2018 @12:57PM (#57701928)

    Some interesting stuff in that document.

    - By default the router must only offer DNS, ping response and a web interface to devices on the LAN. Seems like even UPnP is disabled.
    - Default SSID must not give anything away, such as the manufacturer of the router. Not sure what exactly the point is, considering that things like the MAC address reveal that.
    - Half decent default passwords.
    - Manufacturer must state how long they supply updates for and what severity level merits a patch.
    - IPv6 is optional.

    Seems rather basic to be honest.
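An added example (not code from the BSI document or from any router vendor) of the audit the first thread and the list above describe: given a listener table in the shape of `ss -lntu` output (sample constructed here) and a default SSID, it reports LAN-reachable services outside the allowed set and SSIDs that name the vendor. The LAN addresses, the sample sockets and the vendor-name list are assumptions.

```python
"""Audit a SOHO router's factory LAN setup against two items discussed in
the thread: only DNS/HTTP/HTTPS/DHCP/DHCPv6 reachable on the LAN side, and
a default SSID that does not name the manufacturer.  Added example."""
import re

# Port-level services the BSI draft allows on the LAN/WiFi side by default.
# ICMPv6 has no port, so it is not a listener and is not checked here.
ALLOWED_LAN_SERVICES = {
    ("udp", 53): "DNS", ("tcp", 53): "DNS",
    ("tcp", 80): "HTTP", ("tcp", 443): "HTTPS",
    ("udp", 67): "DHCP", ("udp", 547): "DHCPv6",
}

# Constructed sample in the shape of `ss -lntu -H` output on a router whose
# LAN addresses are 192.168.1.1 and fd00::1 (assumed values).
SAMPLE_LISTENERS = """\
udp   UNCONN 0 0    192.168.1.1:53    0.0.0.0:*
udp   UNCONN 0 0    0.0.0.0:67        0.0.0.0:*
udp   UNCONN 0 0    [::]:547          [::]:*
udp   UNCONN 0 0    0.0.0.0:1900      0.0.0.0:*
tcp   LISTEN 0 128  0.0.0.0:80        0.0.0.0:*
tcp   LISTEN 0 128  0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0 128  0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0 128  127.0.0.1:9000    0.0.0.0:*
"""

_LINE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s")

def parse_listeners(text):
    """Yield (proto, bind_address, port) for each listening socket line."""
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            proto, addr, port = m.groups()
            yield proto, addr.strip("[]"), int(port)

def audit_listeners(text, lan_addrs=("192.168.1.1", "fd00::1")):
    """Return LAN-reachable (proto, port) pairs outside the allowed set.

    Wildcard binds and explicit LAN addresses count as reachable from the
    LAN; loopback-only sockets do not."""
    findings = []
    for proto, addr, port in parse_listeners(text):
        reachable = addr in ("0.0.0.0", "::") or addr in lan_addrs
        if reachable and (proto, port) not in ALLOWED_LAN_SERVICES:
            findings.append((proto, port))
    return sorted(findings)

def ssid_reveals_vendor(ssid, vendors=("Fritz", "AirPort")):
    """True if the default SSID contains a vendor name (vendor list assumed)."""
    return any(v.lower() in ssid.lower() for v in vendors)
```

On the constructed sample the audit flags SSH on tcp/22 and SSDP on udp/1900, while the loopback-only socket on port 9000 is ignored because it is not reachable from the LAN.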

    • Re:Interesting (Score:5, Informative)

      by Solandri ( 704621 ) on Monday November 26, 2018 @01:33PM (#57702196)
If you've been to Germany before WPS, every private router had the WiFi password enabled. There were no open WiFi hotspots emanating from homes. Indicating that Germans take the time to learn how to configure their router correctly. A set of requirements like those, disabling nearly everything by default, would work well in Germany to prevent the accidental misconfiguration. If you need a feature (like UPnP), you must enable it.

      Most of the rest of the world, people are too damn lazy to learn how to configure a router. (I'd draw an analogy to the clock on people's VCRs perpetually flashing 12:00, but I doubt half the readers would get that reference.) So router manufacturers have bent backwards to design something akin to one-touch configuration. Unfortunately that means every service you can think of has to be enabled by default, with only advanced users going in and disabling the stupid stuff.

      So yeah it's basic stuff. But it trades off usability for security. Not that I disagree with that philosophy, but the people who want to buy a router, not read the manual, push a single button to set it up, then forget about it forever are going to whine ceaselessly about this. It's just that there are very few such people in Germany.
      • Re:Interesting (Score:5, Informative)

by grumbel ( 592662 ) <grumbel+slashdot@gmail.com> on Monday November 26, 2018 @01:46PM (#57702288)

> Indicating that Germans take the time to learn how to configure their router correctly.

        That's however not because Germans are so tech savvy, but because they are liable for what goes over their open WiFi. So everybody closes things down to avoid lawsuits and fines.

        • by Cederic ( 9623 )

          Plus of course the strange assumption that people wouldn't intentionally configure an open hotspot.

          I have three SSIDs configured on my wireless router, one of which is entirely unsecured. Makes life very easy for guests.

          Friends do similar things.

      • by Anonymous Coward

        > Most of the rest of the world, people are too damn lazy to learn how to configure a router.

        15 years ago I would have agreed with you. Very few wifi routers had security enabled. In 2018 in the US, I don't think I've seen a residential home without a password set. I've been all over the world, and wifi passwords are the norm, not the exception. In many places the wifi password is actually randomly set, and printed on the back of the DSL modem.

        So no, it's not just Germans who've figured out how to configu

• > IPv6 is optional.

      Fuck this, it's about time we migrate to IPv6, they should make it mandatory.

  • I give you my sticker for half the price they do.
  • Good idea (Score:5, Insightful)

    by BringsApples ( 3418089 ) on Monday November 26, 2018 @01:01PM (#57701970)
    The draft sets out to not only list what expectations/requirements routers will need, but it explains, in layman's terms, the reasoning behind it all. The best way to secure a thing is to properly educate those that are using it.
• I'm pretty sure most people don't understand the dangers of open ports and will never need them. This sets the basics of what is required by default. The user is free to bypass the basics. I don't think that forcing people to learn about topics is the most productive. It would be like requiring everyone who buys a car to know how to change their transmission.

      • Not that you want to read it, but every car in the US comes with a manual, for those of us that do.

        It's information, silly. Information is always a good thing to have.
• I've read the manual to my car provided to me by the manufacturer. Please tell me where it shows me how to change my transmission. I'll wait. For that level of repair you can buy a service/repair manual from the manufacturer; they do not come with most cars. There are also 3rd party manuals which also detail these kinds of repairs. Again they do not come with the car.
  • ...not a regulatory programme. Even TFA calls them guidelines. It is a sad day when the Slashdot editors are worse than the press for adding fud.

    • by Anonymous Coward

      xkcd: Free [xkcd.com]

AVM, the maker of the most popular router "Fritz!Box" (and for good reasons), will have this on their boxes. Big and fat. They're the type of manufacturer who offers free updates to entirely new versions of their FritzOS, with all new features that the hardware can manage, even years later. Security patches are often even in the local tech news.
      Which means everyone who doesn't have this certification has even less of a chance of competing against them.

      There are people here, who pick their ISP ba

  • is to simply hold the manufacturers of said hardware fully liable for the half-assed products they sell.

    Great big eye-opening-with-cries-of-thats-not-fair-from-the-companies-who-peddle-this-shit fines with the option to forgo said fines if the CEO goes to jail for a decade instead.

    Industry only takes security seriously when it impacts their profits.

  • Just a thought: At least here in the U.S., Underwriters Laboratory does electrical testing on products to ensure they're safe. Why not expand their role in the case of computing equipment like this (and perhaps also so-called 'IoT' devices) to test for vulnerabilities? Basically, throw a bunch of attacks at Internet-facing devices and see if you can crack them. As new exploits are discovered, expand the suite of testing to include those attacks. Would never be 100% because exploits and attack methods seem t
    • Because 90% of Chinese hardware is tested to the 'Chine Export' standard, not UL. They are labelled CE rather than UL. Neither really means much, UL takes longer and costs more.

    • by MobyDisk ( 75490 )

      100% agreed! These standards agencies are behind the times and I would rather they determine the standards than a government body.

• ...no, that's not what I'm asking for, and so far as I knew, there was some coordination between the UL and the government. Guess I was wrong? No matter. Maybe there should be, so far as 'cybersecurity' is concerned. They are behind the times, and maybe we need to fix that.
• > ... the rules have been put together with input from router vendors, German telecoms, and the German hardware community.

    No input from the IT people wearing boots? Expectations of fixing problems by those who are the problem ...

  • by Anonymous Coward

In Germany you buy a reasonably recent Fritz!Box and get security updates for several years. For the internationals... this is the most popular Cable/DSL WiFi router in Germany and to be honest, for a very good reason. Really really good stuff.

  • > The router must allow any authenticated user to change [the wifi] password.

    > The procedure of changing the WiFi password should not show a password strength meter or force users to use special characters.

    Wtf?

  • by Anonymous Coward

    Not the faintest sign of skepticism in the summary? This "certification", which is voluntary by the way, has been heavily criticized by CCC and the OpenWRT project, cf. https://translate.googleusercontent.com/translate_c?depth=1&hl=de&nv=1&rurl=translate.google.com&sl=de&sp=nmt4&tl=en&u=https://www.heise.de/newsticker/meldung/IT-Sicherheit-CCC-kritisiert-BSI-Routerrichtlinie-scharf-4226397.html

  • Guidelines are not rules or laws or even Best Practices. They're just suggestions. And vague ones at that, which allow the person using them to figure out all the details of how and when and what.

    Guidelines are like saying "you ought to have painted walls" but leaving the paint color and even the wall material (brick, plaster, drywall, stucco, recycled political signs) up to the occupant.

    We've HAD this sort of thing in routers for years. Everybody had some base standards to follow and went off on their
