The German government published at the start of the month an initial draft for rules on securing Small Office and Home Office (SOHO) routers.
Published by the German Federal Office for Information Security (BSI), the rules have been put together with input from router vendors, German telecoms, and the German hardware community.
Once approved, router manufacturers don’t have to abide by these requirements, but if they do, they can use a special sticker on their products showing their compliance.
Also: Cheat sheet: How to become a cybersecurity pro TechRepublic
The 22-page document, available in English here, lists tens of recommendations and rules for various router functions and features. We possibly couldn’t list all rules for this article, since some are really technical, but we selected a few of a greater importance:
- Only DNS, HTTP, HTTPS, DHCP, DHCPv6, and ICMPv6 services should be available on the LAN and WiFi interface.
- If the router has a guest WiFi mode, this mode must not allow access to the router’s configuration panel.
- The Extended Service Set Identifier (ESSID) should not contain information that is derived from the router itself (such as the vendor name or router model).
- The router must support the WPA2 protocol, and use it by default.
- WiFi passwords should have a length of 20 digits or more.
- WiFi passwords must not contain information derived from the router itself (vendor, model, MAC, etc.).
- The router must allow any authenticated user to change this password.
- The procedure of changing the WiFi password should not show a password strength meter or force users to use special characters.
- After setup, the router must restrict access to the WAN interface, with the exception of a few services, such as (CWMP) TR-069, SIP, SIPS, and ICMPv6.
- Routers must make CWMP available only if the ISP controls the router’s configuration from a remote, central location.
- Password for the router’s configuration/admin panel must have at least 8 characters and must have a complex setup involving two of the following: uppercase letters, lowercase letters, special characters, numbers.
- Just like WiFi passwords, admin panel passwords must not contain router-related information (vendor, model, MAC, etc.).
- The router must allow the user to change this default admin panel password.
- Password-based authentication MUST be protected against brute force attacks.
- Routers must not ship with undocumented (backdoor) accounts.
- In its default state, access to the admin panel must only be allowed via the LAN or WiFi interfaces.
- If the router vendor wants to expose the admin panel via WAN, it must use TLS.
- The end-user should be able to configure the port to be used for access to the configuration via the WAN interface.
- The router admin panel must show the firmware version.
- The router must users about an out-of-date or end-of-life firmware.
- The router must keep and display a last login log.
- The router must show the status and rules of any local firewall service.
- The router must list all active services per each interface (LAN/WAN/WiFi).
- Routers must include a way to perform factory resets.
- The routers must support DHCP over LAN and WiFi.
These are just some of the BSI recommendations, and you’ll find more in the above-linked document.
The reason why Germany is taking steps to standardize router security has something to do with an incident that took place at the end of 2016 when a British hacker known as “BestBuy” attempted to hijack Deutsche Telekom routers, but bungled a firmware update and crashed nearly a million routers across Germany.
The BSI’s efforts to regulate SOHO routers haven’t pleased all parties involved. In a blog post last week, the Chaos Computer Club (CCC), a well-known community of German hackers, has criticized the first draft of these recommendations, calling them “a farce.”
CCC said it attended the BSI meetings on this topic together with members of OpenWrt, a software project that provides open-source firmware for SOHO routers, and they say telecom lobby groups have put considerable effort into sabotaging the rules as a whole.
The two groups raised two issues that they say were not included in the BSI recommendations, rules that were of crucial importance.
Also: The best facial recognition cameras you can buy today CNET
One was that all routers should come with an expiration date for the firmware that must be visible to users before they purchase the device. Second, after the vendor stops supporting a model’s firmware, vendors should allow users to install custom firmware on abandoned and EOL devices.
Talks on the BSI rules are expected to continue. In October, the state of California passed state legislation that established a strict set of rules for passwords used by Internet-connected (IoT) devices, marking this the first IoT-specific regulation in the world. While Germany isn’t passing official laws, it will become the first country that tries to pass any kind of router-specific guidelines.
Related security coverage:
The Best Features Of The Aston Martin Vulcan
Although the Vulcan was specifically designed not to be road legal, one owner decided that they wanted to stick on some license plates and take it on the highway anyway. Except, it was far from that simple, as the conversion process required making some major changes to the car, and cost several hundred thousand dollars on top of the original purchase price (via Motor1). The street conversion was handled by RML Group but had full support from the Aston Martin factory, and after completion, it became the only road-legal Vulcan in existence.
Among the litany of changes required were the addition of windshield wipers, side mirrors, and a central locking system. Michelin road tires were also fitted, and a new set of headlights had to be installed to meet height requirements for British roads. The bladed tail lights were also covered over for safety, and a few of the sharper surface edges around the cabin were smoothed out. Then, the engine was remapped to meet emissions requirements, the suspension was softened, and a lift system was installed to give the car extra clearance for speed bumps. After all that, plus a few final touches, a license plate was fitted and the car was ready to go. Unfortunately, it seems like the owner’s enthusiasm for taking it on the road quickly evaporated, as checking the car’s plates against the British government database shows that its MOT (the annual national roadworthiness test) certificate expired back in January 2022.
5 Cars Owned By Bob Seger That Prove He Has Great Taste
Pulling into the final spot on the list is a 1969 Shelby Cobra GT350 Fastback. This particular car is unique for a few reasons. First, it was the last “new original” Shelby that Ford would produce. The GT350 and GT500 released in 1970 weren’t actually new or original but re-VIN’d production cars from the previous year. Also, during the summer of ’69, Carrol Shelby ended his association with Ford (via MustangSpecs).
It had one of Ford’s new 351 Windsor V8 engines with a 470 CFM four-barrel Autolite carburetor under the hood that pounded out 290hp and 385 lb-ft of torque. Its 0 – 60 time was a modest 6.5 seconds, and it did the quarter mile in 14.9 seconds (via MustangSpecs).
According to MustangSpecs, it was typically mated to a 4-speed manual transmission, but Seger’s had a Tremec 6-speed stick instead (via Mecum Auctions). Seger’s Candy Apple Red GT350 had Ford’s upgraded interior package, flaunting a landscape of imitation teak wood covering the dash, steering wheel, door accents, and center console trim (via MustangSpecs).
According to Mecum Auctions, Seger’s was number 42 of 935. When it sold at auction in 2013 for $65,000, it noted that it had been displayed at the Henry Ford Museum at the Rock Stars, Cars & Guitars Exhibit.
Here’s What Made Volkswagen’s Air-Cooled Engine So Special
Engines like the Chevy Small Block, Ford 5.0, Chrysler HEMI, and Toyota 2JZ are known for power, torque, and how quickly they can propel a hunk of steel down the drag strip or around the corners of a track. The Volkswagen air-cooled engine is remembered amongst people who have owned one as reliable, easy to maintain, and as numerous as grains of sand on the beach. VW made literally tens of millions of the engine, including over 21 million in just the Beetle (via Autoweek).
It’s difficult to nail down specific aspects of the engine’s early history as sources tend to disagree on years. But the engine can be traced back to very early Volkswagen models designed with help from Ferdinand Porsche and built in the late-1930s to early 1940s in Nazi Germany. Official sources from Volkswagen are reluctant to acknowledge use of the engine or even the existence of the Beetle prior to the end of World War II.
The 12 Fastest Ways To Travel On Land
The L0 Series Maglev train is a high-speed magnetic levitation (maglev) train developed by Central Japan Railway Company (JR Central)...
Cars That Celebrities Love But Aren't So Great
Having a lot of money doesn’t necessarily mean you have flashy taste. These are some cars that celebrities love, but...
The Best Features Of The Aston Martin Vulcan
Although the Vulcan was specifically designed not to be road legal, one owner decided that they wanted to stick on...
The Dodge M80 Was A Throwback Truck Concept Ahead Of Its Time
If Fisher-Price made combat vehicles in World War II, it might look like the Dodge M80 concept. The M80 was...
US military shoots down Chinese balloon over coastal waters
On Saturday afternoon, US jets intercepted the Chinese surveillance balloon as it was leaving the continental US. Live footage of...
Social10 months ago
Web.com website builder review
Social3 years ago
CrashPlan for Small Business Review
Gadgets4 years ago
A fictional Facebook Portal videochat with Mark Zuckerberg – TechCrunch
Cars4 years ago
What’s the best cloud storage for you?
Social4 years ago
iPhone XS priciest yet in South Korea
Mobile4 years ago
Memory raises $5M to bring AI to time tracking – TechCrunch
Security4 years ago
Google latest cloud to be Australian government certified
Social4 years ago
Apple’s new iPad Pro aims to keep enterprise momentum