German Govt mulls security standards for SOHOpeless routers

The German Government is mulling an assessment of the security chops of consumer routers in a bid to lift current abysmal standards and help inform buyers. Berlin's Ministry of the Interior IT security office says it wants to test routers for support of security features like WPS, encryption, and brute force protection of …

  1. Anonymous Coward

    Please leave WPS enabled

    It makes cracking them so much easier

    1. Charles 9

      Re: Please leave WPS enabled

      Would they take off for restricting WPS to Push Button Control only, given this usually requires physical access?

  2. Destroy All Monsters Silver badge

    Gut, Helmut!

    But why not give it to some outfit like UL? Less than 3 stars? Don't buy!

  3. Anonymous Coward

    No.1 on my list would be forcing users to change default user/pass before you can use it.

    WiFinspect is lots of fun, if you ever come across a router called bigfloppydonkeydick now you know why.

    1. big_D Silver badge

      Most users don't even know you can access the router. They plug it in, it sucks down the configuration from the ISP and "just works".

  4. BinkyTheMagicPaperclip Silver badge

    So it begins..

    Countdown to enforced firmware updates for hardware lifetime - GO!

    1. Message From A Self-Destructing Turnip

      Re: So it begins..

      Countdown initiated.

      ∞ - 1

      ∞ - 2

      ∞ - 3

      ....

    2. theModge

      Re: So it begins..

      You're going to force all router manufacturers to stay in business for as long as their product exists?

      1. BinkyTheMagicPaperclip Silver badge

        Re: So it begins..

        Obviously that would be silly, but there are two ways round this:

        1) Manufacturers forced to release documentation so that new firmware can be coded

        2) Manufacturers must pay into a fund so other people can maintain their kit

        The sticky point will come with forced updates down to users (also inevitable), and even worse in extreme cases 'your hardware is too old to connect to the Internet. Buy new hardware' (obviously certain people will push for that based on cost, rather than technical merit).

        1. Anonymous Coward

          Re: So it begins..

          Good luck with 1), I'm sure there will be morons downloading dodgy firmware from dodgy sites because they are on top of a Google search, or the download was faster, just like the developers installing the dodgy Xcode... really, why should you spend time p0wning some systems when you can wait for morons to p0wn themselves?

        2. richardcox13

          Re: So it begins..

          > but there are two ways round this :

          And the third, and well established in the business software world: escrow. If the vendor goes out of business customers get all the design and software information, including source code.

          I would push for more: either the manufacturer must fix security issues in a timely manner (eg. 7 calendar days for remote code execution), or make the entire device – hardware and software – open source (including any tools required to maintain and update it).

          So either update yourself or let others do it.

          1. Anonymous Coward

            Re: So it begins..

            But given the cutthroat nature of competition in electronics, wouldn't this get messed up by patents and trade secrets (and yes, we could be talking hardware patents here)? You can't open these up early since that would be Giving Information To The Enemy, and if a company is in trouble, the patents can have value during a bankruptcy or liquidation.

            1. richardcox13

              Re: So it begins..

              > get messed up by patents and trade secrets

              Patents: no, they're published anyway.

              Trade Secrets: if the company goes bust then that's no loss; if they choose to end support then they have chosen to reveal those secrets.

              I.e. it is still their choice.

              1. Charles 9

                Re: So it begins..

                They may be published, but they're still active and enforced, meaning they have value and can be SOLD. And remember, the "software patent" argument can't work here because the patents may be in the chips: in the HARDWARE.

  5. OurManInX

    ISP lock

    Will they also stop ISPs (Kabel-BW, I'm looking at you) from disabling the firmware update options in their provided routers?

  6. BlartVersenwaldIII

    Are the reviewers going to have access to the source code or will they just be footling around with the default interface? Point-scoring based on features is all well and good until you get some decent pen-testing done, since the vast majority of router flaws appear to be 'orrible boo-boos in the implementation of certain features, rather than the lack of features themselves.

    IIRC the FritzBoxes are pretty popular in Germany and seem to have a pretty good reputation in the UK too. Are they made in Germany and (more importantly) is the software written there?

    Even nicer than that of course would be an audit of the code for distros like openwrt and a push for more open hardware (and drivers) to run it on... but such stuff is the dream of pipes.

    1. ZimboKraut

      The fritzbox firmware is also coded in Germany

      Unfortunately their success is also their downfall.

      The hardware is great, and the capabilities of the fritzbox in terms of value for money is second to none.

      They are by no means cheap, but considering that for about €230,- (7490, their flagship) you have a full blown PBX, with either one analogue line or one ISDN line, plus up to 10 VoIP lines, 2 wired phones, 6 (or was it 7?) DECT phones, 10 VoIP phones, NAS capability with Media Server, VPN client/server, call blocker, fax send/receive, multiple answering machines (up to five which can activate depending on rules), AC access point, and with the latest firmware you can just plug in a 3G stick and run your internet connection over that, and lots more.

      No, I don't work for AVM, although I ran the field testing for them years ago in order to make sure ANNEX A (DSL over POTS) was working on their DSL modems, as they initially only built it for the German market, which uses ANNEX B (DSL over ISDN).

      I think they have a market share of over 50% (more guessed, than facts, but you will find that even the non techy knows the Fritz!Box in Germany).

      Personally, I don't know ANY router that gives you so much value for your money.

      Granted, 180 quid is not money that you just splash out without blinking an eyelid, but they are also one of the most secure routers, and firmware updates are also reasonably frequent.

      Yes, they also had their security disasters, but they at least fixed them within a reasonable (consumer) time frame. The first fixes were available within about a week of the issue becoming known.

      PS. While I did do some work for them many years ago, I haven't had any relationship with them for the last few years apart from owning several.

  7. Anonymous Coward

    Re: footling around with the default interface?

    Point-scoring based on features is all well and good until you actually try to use them, and discover they simply cannot be made to work.

    TP-LINK is the worst offender

    1. Vic

      Re: footling around with the default interface?

      > TP-LINK is the worst offender

      I disagree. I reckon Belkin is probably the worst.

      I once got called out to fix a customer's connection, which could only be fixed by power-cycling the router. It turned out that an attempt to FTP to an external site killed it stone dead - and they had a box periodically trying to FTP.

      We changed the router. It was the only way to fix the problem. The Belkin was useless.

      Vic.

      1. Sandtitz Silver badge

        Re: footling around with the default interface?

        "I reckon Belkin is probably the worst."

        It is. The only Belkin products I could approve would be those that neither require any device drivers nor can be managed in any way. That leaves only unmanaged L2 switches, cables, antennas, USB chargers, and things like that.

  8. Phil O'Sophical Silver badge

    And?

    > A scoreboard will be created based on how each performs with a total score of 770 points, according to the document. Some security facets will be considered essential, attracting more points than those marked recommended, and optional.

    But users will still continue to buy the one that's cheapest on amazon.de.

    1. Anonymous Coward

      Re: And?

      > Some security facets will be considered essential, attracting more points than those marked recommended, and optional.

      Why does having essential features attract *more* points instead of being a prerequisite to getting *any* points?

      Essential = absolutely necessary. If essential features are missing the device should score nothing, zip, null punkte whatever pretty colour it is painted.

      1. Chris Hance

        Re: And? @Smooth Newt

        But if all consumer routers have the same score, we're back to picking based on color. "Per government regulation, we are permitted to assert that our routers' color scheme reflects light at a higher frequency than the competition." "We use multiple colors to achieve spread spectrum light reflection."

  9. Anonymous C0ward

    Brand-name SSIDs bad?

    Even though you can tell the manufacturer from the MAC address?

    1. Anonymous Coward

      Re: Brand-name SSIDs bad?

      WPA raw passkeys are generated from the passphrase and the SSID. If you precompute a table of a few billion or so passphrases combined with the SSID "linksys", then you can use that table to greatly speed up breaking into any of the millions of routers with this SSID if they use one of these passphrases. These precomputed tables are readily available for the most common SSIDs.

      If you have a unique SSID then no-one will have generated a table for it, and so it will take much longer to work through the list of passphrases. It is a relatively minor thing, but why make something easy for an attacker for no good reason?

  10. Sandtitz Silver badge

    What the hell?

    From the article: "...WPA2 with a key spinning out to at least 20 characters."

    WPA is spec'd to handle 63 ASCII characters, so why would there even be a lower limit in the user interface, and furthermore, why would the German govt be happy with a shorter key?

    I'd also like to see a WPA-Enterprise option in each wireless AP, since Windows 10 (and others) can easily share standard WPA passwords with the rest of the world unless your SSID contains "_optout" or "_nomap". You'll never know if the person you gave the password to has a device that shares the password with Google or MS.

    An internal RADIUS service should also be a huge plus for easier home deployment.

    1. This post has been deleted by its author
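Added example (my own code, not from any commenter or from the article): the passphrase-to-PSK derivation that the "Brand-name SSIDs bad?" reply describes, and the 63-character ceiling Sandtitz quotes above. WPA/WPA2-Personal derives the 256-bit PSK with PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 iterations (IEEE 802.11i), which Python's standard hashlib implements directly. The spec bounds the passphrase to 8 to 63 printable ASCII characters; `min_len` is a hypothetical knob for a stricter policy such as the 20-character minimum the article mentions. The SSIDs and the tiny wordlist are constructed. The `demo()` at the end shows the defender's point: a table precomputed for a common default SSID matches nothing once the SSID is unique, because the SSID is the salt.

```python
import hashlib

# Constructed sample values, not real networks or a real wordlist.
DEFAULT_SSID = "linksys"            # a common factory default
UNIQUE_SSID = "kitchen-ap-7f3a"     # something nobody would precompute for
SAMPLE_WORDLIST = ["password", "12345678", "letmein1", "qwertyui"]


def wpa2_psk(passphrase: str, ssid: str, min_len: int = 8) -> bytes:
    """Derive the WPA/WPA2-Personal PSK from passphrase and SSID.

    IEEE 802.11i: PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes).
    The spec allows 8..63 printable ASCII characters; min_len (hypothetical policy
    knob) may raise the lower bound, e.g. to 20, but can never go below 8.
    """
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")
    lower = max(8, min_len)
    if not lower <= len(passphrase) <= 63:
        raise ValueError(f"WPA passphrase length must be {lower}..63 characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


def precompute_table(ssid: str, wordlist: list[str]) -> dict[bytes, str]:
    """Map PSK -> passphrase for one SSID. The salt makes it valid for that SSID only."""
    return {wpa2_psk(p, ssid): p for p in wordlist}


def demo() -> tuple[bool, bool]:
    """Return (hit on default SSID, hit on unique SSID) for the same weak passphrase."""
    table = precompute_table(DEFAULT_SSID, SAMPLE_WORDLIST)
    weak = "letmein1"
    hit_default = wpa2_psk(weak, DEFAULT_SSID) in table
    hit_unique = wpa2_psk(weak, UNIQUE_SSID) in table   # same passphrase, different salt
    return hit_default, hit_unique


if __name__ == "__main__":
    # Published 802.11i test vector: "password" / "IEEE"
    print(wpa2_psk("password", "IEEE").hex())
    print("table hit for default SSID, unique SSID:", demo())
```

The derivation is deliberately slow (4096 HMAC rounds per candidate), which is exactly why precomputation per SSID pays off for an attacker and why changing the SSID throws that work away; a longer passphrase, as the draft standard demands, closes the remaining gap by making the candidate list itself impractical.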

  11. Anonymous Coward

    router security checklist

    There is a checklist of features for securing a router here

    http://routersecurity.org/checklist.php
