back to article Germany pushes router security rules, OpenWRT and CCC push back

Last week, in a attempt to address broadband router security, the German government published its suggestions for minimum standards – and came under immediate criticism that its proposals didn't go far enough. Germany's federal office for Information Security, the BSI, made its recommendations in this document (PDF), saying it …

  1. Baldrickk Silver badge

    Both sides

    ... have a good point

    What would be the problem of accepting the current suggestions, on the proviso that they are still going to push for firmware updates and so on?

    I guess it is probably easier to expand the current guidelines that they are proposing, as if it doesn't go into this set, it's going to have to start again from scratch?

    1. defiler Silver badge

      Re: Both sides

      Because if you're going to have a seal of approval saying "this is secure", then it had better be secure and supported. If you have revisions later then you end up with secure 1.0, 1.1, 1.2 and the consumer will just be confused. Look at how confusing it is on HDMI at the moment.

      Get it as right as you reasonably can first time. Then you'll last a lot longer before having to tweak it (and cause inevitable confusion).

    2. LDS Silver badge
      Devil

      Re: Both sides

      For how long is OpenWRT committed to support a given model? Or they too can remove support because of "technical issues"?

      1. Spazturtle Silver badge

        Re: Both sides

        Once the chipset support has been added it should remain supported for many years to come.

        1. LDS Silver badge

          "Once the chipset support has been added"

          Are you sure? The available RAM, storage space, etc. could become insufficient for OpenWRT (or any other firmware) to run.

          If OEMs must to support a given device for x years (as it should be), any software allowed to run on the same device should commit to support the device for the same period.

    3. bombastic bob Silver badge
      Meh

      Re: Both sides

      I'm not a fan of heavy-handed gummint action, SPECIFICALLY when it's obvious that gummint LACKS anything resembling "a clue".

      That's ALSO because gummint mandates only apply to 'today' and 'politics of the day'. Tomorrow, something may change that completely invalidates "all of that" and we're stuck with some gummint mandate that doesn't go away as quickly as it was applied to the citizens' lives.

      A better standard would be LIABILITY. Simply pass laws (and clarify existing ones) that make manufacturers LIABLE for being sued over inadequate security, and let the lawyers and courts decide how that goes.

      And in this latter case, you'll see a SCRAMBLE by vendors to make the claim that THEIR system is the MOST secure, with frequent updates and 'disabled by default' and everything ELSE you might want to see, and THEN some, out of FEAR of getting a bunch of fat lawsuits that they're inclined to LOSE.

      1. Long John Brass Silver badge
        Childcatcher

        Re: Both sides

        Laws and regulation aren't necessarily the same thing. Most of the time the laws states that manufacturers of X must comply with regulation a, b and subsection 12 of c.

        I'm not a big fan of government and/or bureaucracy, but it does have it's place. Minimum standards of safety in the goods & services offered to the public are one where it is appropriate in my opinion. Leaving everything up the the court system just doesn't work in all these cases.

      2. RyokuMas Silver badge
        Joke

        Re: Both sides

        "... with frequent updates..."

        ... because we all love updates...

      3. Mike 137

        Re: Both sides

        @Bombastic Bob

        considering the idiotically obvious vulnerabilities on most of this kit (hard coded hidden account passwords, XSS in the web interface etc. ad nauseam) I agree entirely that liability (even on a purely civil basis) is the only way to raise standards. The UK BSI kite mark did this successfully for electric plugs despite not being mandatory - it just rapidly became impossible by popular demand to sell a plug that hadn't passed the standard.

        The fundamental problem being negligence and incompetence at the product development stage, a bunch of technical target feature specifications will achieve very little, as everything is down to the quality of their implementation. Years ago, when SIP was just a twinkle in our eyes, I co-authored a paper pointing out that the real security issue was not so much potential weaknesses in the protocol, but potentially ubiquitous poor quality implementations of it, and our view has been borne out by subsequent experience.

  2. jonha

    "Support for open firmware is, arguably, a niche consideration at the moment"

    It is at the moment, that's true. However, I am only buying "smart" stuff if and when I know beforehand that I can install some sort of supported open OS/firmware on it. I am also preaching this to everyone I know who is not out of earshot within three seconds. And indeed, there is (growing) interest for this idea even in circles that I can only describe as technically challenged. What's needed beyond that interest is a way to install/update these things in a manner that is so easy that those people are willing to do it.

    1. Paul Crawford Silver badge

      Re: "Support for open firmware is, arguably, a niche consideration at the moment"

      Maybe if the gov mandated at least 5 years of security fixes after end-of-sale they might change their tunes on supported open software. Oh, and big GDPR-like fines if they don’t deliver just to encourage a bit of proper compliance.

      1. LeoP

        Giving the vendors a choice will give the users a choice

        Let's assume the average lifetime of a SOHO router is N years (I'd suspect N to be around 5, but I may be quite wrong - it's important to make it a fixed number mandated in the standard).

        Now give the vendors a choice:

        EITHER: Guarantee FW security updates (within 72 hours after being notified of a vulnerability) for 2*N years after the last sale.

        OR: Guarantee the user the ability to run firmware of his choice based on either the Linux or the BSD kernel with all drivers provided as open source.

        Vendors, that do not comply are liable for a fine of 200% of their yearly sales plus all damages, that any user suffered because of such an omission.

        1. Wayland Bronze badge

          Re: Giving the vendors a choice will give the users a choice

          Most routers do state they are GPL so it should be possible to change the firmware on them. What the makers don't do is keep the hardware of a model consistent meaning you could buy two routers of the same model in the same week with radically different hardware. Not much help if you're trying to build something.

          If you really want control of your router then buy a Mikrotik and learn how to configure it.

          1. Anonymous Coward
            Anonymous Coward

            Re: Giving the vendors a choice will give the users a choice

            Friends don't let friends buy Mikrotik

            1. defiler Silver badge

              Re: Giving the vendors a choice will give the users a choice

              Friends don't let friends buy Mikrotik

              Any good reason? I set up a Mikrotik and I'm really pleased with it. If I shouldn't be, I'd like to know...

              1. big_D Silver badge

                Re: Giving the vendors a choice will give the users a choice

                The problem with Mikrotik is that the default configuration is very insecure and you really have to know what you are doing to get the security tight.

                If you have enough knowledge about firewalls and how the Mikrotik works, it is a great bit of kit, but for the average user the default configuation leaves a lot to be desired.

                1. djack

                  Re: Giving the vendors a choice will give the users a choice

                  If you have enough knowledge about firewalls and how the Mikrotik works, it is a great bit of kit, but for the average user the default configuation leaves a lot to be desired.

                  It is quite obvious that Mikrotik devices are not aimed or marketed at the average home user. It's quite obvious from the feature-set, UI and documentation that these devices are aimed at networking professionals who should be expected to be able to secure their own stuff. I wouldn't recommend Mikrotik kit to Joe Average for the same reason I wouldn't recommend Cisco, Checkpoint, Juniper etc. etc.

                  However, for those that can handle them, they provide huge capability for the price.

                  That said, there's no need for insecure by default.

                  1. DJV Silver badge

                    "I wouldn't recommend Mikrotik kit to Joe Average"

                    Agree, especially considering this:

                    https://www.zdnet.com/article/thousands-of-mikrotik-routers-are-snooping-on-user-traffic/

                    1. defiler Silver badge

                      Re: "I wouldn't recommend Mikrotik kit to Joe Average"

                      @DJV - To be fair to Mikrotik, that vulnerability was patched months ago. I updated my router no problem, and I can't really feel that we can lay blame at Mikrotik's feet if their customers don't click the Update button.

                      To others, yes it's a complex router and you have to put the effort in to secure it. It's only a couple of rules, but it would be nice if there were security levels on the ports so that traffic would automatically flow "down" or "across", but not "up". So long as there's no fundamental flaw, like they'll show my browsing history to my mum or something...

                  2. big_D Silver badge

                    Re: Giving the vendors a choice will give the users a choice

                    @djack that is the point. But the other side is, they are so cheap that uninformed people buy them, because cheap.

                    Given the choice of a Cisco ASA or a DLink WLAN Router, 99.9999% of home users will buy the DLink.

                    Given the choice between a $50 Mikrotik and and a $150 DLink, many will take the Mikrotik, because $50... And that makes it "dangerous", as recent press coverage has shown, because people are buying them, not configuring them and slapping them on their network and thinking that they will protect them.

                    A network pro will configure it, your average Joe sees a $50 router that has a good reputation and has no knowledge.

                    1. pavel.petrman

                      Re: Giving the vendors a choice will give the users a choice

                      Re: Given the choice between a $50 Mikrotik and and a $150 DLink, many will take the Mikrotik

                      One can argue that even full open defcon Mikrotik is less of a security problem than a D-Link regardless of its configuration. Press references about Mikrotik have been referred to, so everyone reading anything about D-Link being better should google at least the first half a million articles about same number of D-Link built in vulnerabilities and how D-Link flatly and consistently refuse to address them.

          2. Mike Pellatt

            Re: Giving the vendors a choice will give the users a choice

            If you really want control of your router then buy a Mikrotik and learn how to configure it.

            Because RouterOS is open source and gives you full control and ownership of your device.

            Oh, hang on.

          3. 89724102172714182892114I7551670349743096734346773478647892349863592355648544996312855148587659264921

            Re: Giving the vendors a choice will give the users a choice

            >If you really want control of your router then buy a Mikrotik and learn how to configure it.

            Reely? Mikrotik?

            https://www.zdnet.com/article/thousands-of-mikrotik-routers-are-snooping-on-user-traffic

            1. pavel.petrman

              Re: Giving the vendors a choice will give the users a choice

              Re: Reely? Mikrotik?

              The "learn how to configure it" part follows directly, after an "and". Obviously, one doesn't recommend Mikrotik or anything else to anyone who hasn't yet learned to read, since that impedes the said learning. And every single popular vote and referendum since the Internet has been available to public shows how well jumping to conclusions after reading the first two words works out.

              Off course Mikrotik comes with vulnerabilities, just like Cisco, Juniper, and everything else does. The thing is you can configure them away pending a patch. And there has always been a patch, unlike from D-Link and other SOHO-priced vendors.

        2. LDS Silver badge

          "Guarantee the user the ability to run firmware of his choice"

          It's not a solution - because you imply that that firmware would exist, and it may not. OpenWRT or whatever may not support that model because the cpu, the chipset, the RAM, the storage, whatever.

          You also imply that an end user is enough technically savvy to be able to install and configure an alternative firmware. You would give just a good excuse to not support devices as soon as they are out the factory.

          Why I agree that devices should be unlocked for those liking to try to brick them (kidding!), the only real solution for must customers is the OEMs must guarantee security updates for a reasonable period.

          1. John Brown (no body) Silver badge

            Re: "Guarantee the user the ability to run firmware of his choice"

            "You also imply that an end user is enough technically savvy to be able to install and configure an alternative firmware. "

            Last one I did, for my own use, was an ex-SamKnows router/monitor, so it already had custom firmware. Their implementation was not designed for the user to be able to change the firmware and I had to buy a USB to serial dongle, open the router and attach it to a header on the board. Definitely not a job for an average home user!

      2. Roland6 Silver badge

        Re: "Support for open firmware is, arguably, a niche consideration at the moment"

        >Maybe if the gov mandated at least 5 years of security fixes after end-of-sale they might change their tunes on supported open software.

        Probably easier (and more consistent) to treat consumer-grade equipment like white goods and set the maintenance and "parts availability" hurdle at 10 years. By way of example, I know a VDSLn router today might be more performant than one purchased in 2008 due to it having to support the higher data rates now available, however, the 2008 router will still support connections up to 100Mbps, which means it is perfectly adequate for many domestic installations, connected to BT's FTTC services.

        The catch I suggest won't be the use of open software but getting product vendors to (voluntarily) contribute £££ to maintaining the relevant open source projects.

    2. Wayland Bronze badge

      Re: "Support for open firmware is, arguably, a niche consideration at the moment"

      I was a big user and supporter of DD-WRT which is a user friendly take on OpenWRT. However TP-Link routers now contain most of the bits I was using in DD-WRT.

      DD-WRT was a replacement for Linksys WRT54GS firmware but an arms race ensued where each hardware release from Linksys would seek to stop people installing DD-WRT.

      There are loads of cheap routers that will accept DD-WRT but the last two versions on the TP-Link I use does not accept it. I don't think TP-Link have anything against DD-WRT just that they changed to a cheaper chipset. DD-WRT does support this chipset but someone has to create the version for this router.

      Not such a big demand from me for this as the TP-Link does all I want like;

      AP Router Mode

      AP Mode

      WISP Mode

      Range Extender Mode

      which was my initial reason for using DD-WRT in the first place.

      As for VPN you really need a more powerful router since these little ones can't do VPN at current high bandwidths.

      1. JohnFen Silver badge

        Re: "Support for open firmware is, arguably, a niche consideration at the moment"

        "However TP-Link routers now contain most of the bits I was using in DD-WRT."

        Do you actually trust the firmware that comes with a consumer level router? I 100% don't. Even if the factory firmware did everything I needed, the first thing I'd do is still replace it with something that I can have a bit more faith in. If I couldn't replace it, then I wouldn't use that router.

    3. big_D Silver badge

      Re: "Support for open firmware is, arguably, a niche consideration at the moment"

      At the moment, I just don't bother buying a smart anything. They are all dumb and insecure and most will never get updates in the first year, let alone after 10 years.

      What is the point of buying a smart fridge, if you have to disconnect it from all-things-smart after a couple of years (Samsugn EOLed their first smart fridge a couple of years back, but they were only about 4 years old at the time).

      1. Anonymous Coward
        Anonymous Coward

        At the moment, I just don't bother buying a smart anything.

        That's very much my view, but trying to find a good non-smart TV these days is not an easy task...

        1. Anonymous Coward
          Anonymous Coward

          Re: to find a good non-smart TV

          presumably you might buy a large monitor/display instead. Obviously then you don't get a tuner but that doesn't matter if you have some other kind of satellite box or whatever, but I'm not sure what the picture-quality tradeoff's might be...

          1. Anonymous Coward
            Anonymous Coward

            @AC - Re: to find a good non-smart TV

            No problemo! Even the smartest TV can't bypass my Internet router so, unless TV manufacturer pays for the cellular connection so their TV can access Internet, I'm safe.

            1. DropBear Silver badge

              Re: @AC - to find a good non-smart TV

              "unless TV manufacturer pays for the cellular connection so their TV can access Internet, I'm safe."

              Until the first manufacturer who decides that after using the TV unconnected for $time, it just connects to the first open WiFi it can see* without asking you.

              * It might be the case that you're living deep in the mines of Moria safe from other neighbouring APs, but most people can at least intermittently pick up at least one open AP wherever they live, and as we well know if something is possible** it's just a matter of time until some bright spark goes and does it.

              ** Impossible will still happen, it will just take a bit longer...

  3. Anonymous Coward
    Anonymous Coward

    Anybody who has worked in the real world will encounter legacy devices that can only use WEP, these are a mixture of industrial control kit, bar code readers and headsets (used in warehouses.)

    Ever wonder why some Wi-Fi specialists STILL eye card payment kit very suspiciously.

    There are may well known chains who are happy to spend money on everything except replacing such devices.

    1. Andraž 'ruskie' Levstik

      I mean I'd say anyone in IT would be eyeing PoS devices suspiciously anyway. And RFID enabled cards etc....

    2. usbac

      We just got rid of all of our handheld bar code scanners that were WEP only. The problem is that they are pricey (about $2600 each), so replacing over a dozen, and having to re-write all of the custom software that they run, was a big expense. We just had a separate wireless network firewalled off from our other segments, just for the scanners. It worked but was a pain to manage.

  4. ReadyKilowatt

    ISP?

    Comcast has been encouraging customers to rent/buy their Xi6 modems and one of the big selling points is that it is easy to manage clients. That seems like a fairly good solution for the majority of users, the ISP manages the security and other updates, the customer gets an app to manage their kid's use and who gets access, etc. Of course power users won't like that, but they probably don't need help anyway.

    I'd like to see a test/certification offered for users who don't want the basics. If you know how to RTFM and update your boxes from time to time you get to have more access. But then someone would have to manage the certifications and of course then there's still policing to make sure you really are managing your network. Of course my Ubiquti network upgrades this year make management fairly easy, and remote management should be possible. But that would require someone paying for a network mechanic instead of depending on the manufacturers or themselves.

    1. GnuTzu Bronze badge
      Stop

      Re: ISP? -- "...easy to manage clients."

      "...easy to manage clients" seems to be something that could be interpreted in dystopian terms. I'm pretty sure I don't want Comcast to manage me, either directly or through my devices--power user or not. And, what they do manage, I want to know about so that I can deal with it accordingly.

    2. JohnFen Silver badge

      Re: ISP?

      "I'd like to see a test/certification offered for users who don't want the basics"

      Ummm, but savvy users are probably not using the equipment Comcast is supplying anyway. Why pay Comcast rental fees on that stuff when it's easy (and not terribly expensive) to buy and use your own kit instead?

      I have to use Comcast as my ISP, but there isn't a single piece of Comcast-supplied gear in my house.

  5. I Am Spartacus
    Childcatcher

    Routers are not firewalls

    Home users and SOHO deployments use router / modem devices to interface easily with their broadband supplier. It's simple: you buy your broadband from your favourite network supplier and they send you a modem that you plug in to their socket and it's up and running: Robert is you mothers brother.

    To try and then say that this is also a firewall is nonsense. The vast majority have extremely limited firewall capabilities. Many only support limited port forwarding.

    And in the main, this should be fine. Little Johnny, playing call of duty, only needs a port open to the game server, which he opens. Little chance of hacking this line, and provided the network initialisation is such that the game can authenticate the game server, and the game server can check that the game is not a hacked version, all should be well.

    Two problems remain:

    The first is that the router people throw in a wifi hub for free. Oh, look, it's easy, I can use my [insert name of PC, tablet, smart phone, IoT device here]. And this is whats wrong. The user has sacrificed all security because they want easy access. Get the phone to open up some of its security (Yes, Android at the back, I'm talking to you here, and Windows, you can stop sneering as well) and then you have a real problem. It's not the router per se that is at fault, it's the users. Most will never even know that their internal network is now part of a botnet.

    The second problem only comes when someone wants to open up the ports (email server, web server, etc) and run these at home. Then you need some sort of firewall capabilities. And some really hardened, trusted software for your server.

    The final problem is the remote administration. WHY did anyone think that this was a smart thing to do on a cheap router? Unless it is protected by some form of 2FA, any supplier who sells their products with remote management even available, let alone enabled, should really be taken out and beaten with a club until they can understand the risks involved.

    1. GnuTzu Bronze badge
      Headmaster

      Re: Routers are not firewalls -- Well...

      First, I'm definitely on board with the points about WiFi, and I definitely go in and disable that nonsense right away.

      But, however minimal, most of these things do include some means of limiting incoming connections, at least as far as what ports are open (I did say minimal), and some allow filtering for outgoing connections--not that the average home user would ever bother with managing outgoing filtering. Still, I wouldn't regard one of these little boxes as being on par with an enterprise-grade firewall--along with what can be done with filtering rules that are properly managed.

      O.K. so I'm being a bit pedantic. But, just like there are different grades of locks, some of which can be picked with a bump key and some can't, there are different grades of firewalls. I think maybe we need some new terminology--as if we don't already have enough of that.

    2. FlamingDeath Bronze badge

      Re: Routers are not firewalls

      You'll understand then how surprised I was when a friend showed me his new Virgin Media Super Duper Hub 3000™ or maybe it was some other stupid name

      1. No HTTPS login for web interface

      2. Password not masked, totally visible on the page when logging in (IKR? WT actual F)

      3. Port forwarding rules config page didnt work, just fake buttons that did absolutley nothing

      4. Fuck knows what other issues this internet facing POS had, I suspect lots

      1. bish

        Re: Routers are not firewalls

        Yeah, I've got one of those too. I forget who it's made by but it gets rebadged and included as a free* 'perk' in fibre packages all over the EU - mine's from UPC in Slovakia, but while investigating how hopeless it is, I found it's also used in many other West and Central European countries - presumably because it's cheap as shit.

        At least the Virgin one (which I had before I moved) makes it easy to enable 'modem mode' and then just connect some functional hardware between the Internet and your own kit - my Slovak variant defaults to IPv6 which hilariously breaks 'modem mode' so, each time they push an update that restores it to v6 (3 times so far this calendar year), I have to call the ISP and ask them to switch us back to IPv4, which inevitably involves lots of patiently explaining that actually their Super Hub is not remotely super and I don't mind whether I'm on v4 or v6, I'd just much rather be able to use use my own router and AP - with which I can actually secure my network - thank you very much, so either switch me to v4, supply a gateway that actually works, or cancel my contract, please. Unsurprisingly, they've always opted for the easiest and cheapest way - click, click, done - of shutting me up.

        *actually, now I think about it, the most galling thing about this is that it isn't actually free at all, but rather leased from the ISP. As I recall, you simply had to return the device at end of contract with Virgin, but with my current suppliers I pay some nominal fee like a Euro a month for the privilege of having the piece of crap in my home.

    3. Mike Pellatt

      Re: Routers are not firewalls

      Nope, routers are indeed not firewalls.

      But NAT has persuaded far too many people that they are.

      (I remember NAT capability being introduced into the Linux IPv4 code. Just as I needed it to solve an issue a customer at the time had)

  6. JohnG Silver badge

    I understand where OpenWRT are coming from but realistically, most broadband users have not even heard of OpenWRT and fewer still would contemplate flashing their router with open source firmware. Most people have whatever router their broadband provided supplied and many of them won't have even changed the WiFi key.

    1. John Brown (no body) Silver badge

      "and fewer still would contemplate flashing their router with open source firmware. "

      Most people will go for a brand name they've heard of. Open source, for those few average joes who've heard of it connects in the mind with hackers and hackers means "bad". Brand awareness means everything to most people. Note I said "awareness", and good or bad. After all, people are still moving to TalkTalk because they are cheap and a brand they have heard of. They don't remember that they heard of them on the mainstream news due to a huge hack. That bit is too technical to sink in, but the name sticks.

  7. Woodnag

    The updates section is not very good

    1. Mandates firmware updates from WAN, so flash will need to be double size to hold old image and new image

    2. Allows push updates, which is a massive attack vector, not least because each router must phone home to tell mummy who and where it is, so every nation state monitoring all traffic will know who's got what.

    1. Norman Nescio Silver badge

      Re: The updates section is not very good

      1. Mandates firmware updates from WAN, so flash will need to be double size to hold old image and new image

      Operationally, having ample flash is by no means a bad idea, even when you are connected locally by a LAN. It can be a godsend to be able to roll back to a known good firmware, without having to get into arcane recovery techniques, up to and including needing to solder JTAG connectors.

      Of course, if you are in the arena of extremely low-cost embedded devices, where the cost saving of not including the extra flash is material, then limiting the amount of flash may well be the 'right' decision.

      If you are expecting the device to have a long usable lifetime, where multiple firmware updates are expected, then I suspect the probability of an update going wrong increases, and the cost-benefit of having enough flash to hold two images looks better and better.

      So, while I can see that there are cost-based arguments against having the extra flash*, my gut feeling that it's better to have than not, as it allows rescue from what would otherwise be situations that would be difficult to recover from.

      *There are complexity arguments too. Having two flash images implies you have some mechanism to choose between them, which is an added complication which can go wrong. Murphy is patient.

  8. Wolfclaw Silver badge

    Any product be it routers to mobile phones, once they are no longer supported by the manufacurer with updates, should be made unlocked to open sourec alternatives. For too long manufacturers have gotten away with inbuilt obsolescence for perfectly good equipment to make profits and the politicians and watchdogs have turned a blind eye, especially in these days when everybody is banging a drum about not creating more waste !

  9. CAPS LOCK Silver badge

    I've been down the route of converting routers to paperweights with OpenWRT...

    ... so now I use OpnSense and an ADSL modem. The Draytek Vigor seems the best for UK DSL. As usual YMMV...

    1. Mike Pellatt

      Re: I've been down the route of converting routers to paperweights with OpenWRT...

      I see why you got downvoted - I've never bricked a router with OpenWRT (tho I have with DDwrt...). But otherwise, you've got The Right Setup, as it's what I use too.

      Firstly, because I used to be on VM and, as another commentard said, the SuperDuperShittyPumaPoweredHub 3000 is, well, a PoS, so it went straight into modem mode with (then) PFSense behind it.

      Fast forward a couple of years and I found myself at the end of a 3.5-4Km run of copper. Dug out a Vigor 120 left over from a previous customer. Not bad. Then it got fried by lightning a hundred metres or so away. Dug out a 110 I also seemed to have. Then discovered I could easily tweak the SNR margin with a 130, so that's what I have now. It's sweet. What would Sir prefer ?? Fast connection that drops when there's ring current or a slower connection (still around 2Mbps) that hangs on for grim death through whatever ringing, rain in the DPs, picking up all sorts of RF at night, etc., can throw at it. Oh, and updated to OPNSense a few months ago when I finally decided PFSense was getting far, far too proprietary.

      Unless the downvoters are Linux-loving BSD haters.

    2. Anonymous Coward
      Anonymous Coward

      Re: I've been down the route of converting routers to paperweights with OpenWRT...

      While I went the same route, it's a far more complex and expensive setup. You can save on the router (you'll just need a modem or bridge), but the router/firewall could be more expensive (especially if you have a fast broadband), more difficult to setup, and could also use more power.

      I just got an Atom C3000 system to run pfSense for the FTTH at home, but it wasn't exactly cheap at 600 euros (still not more expensive than an actual mid-range phone...). I also have separate switches and APs, so I don't really need a single system doing all, but once again, not the average home setup.

      While many users of OpenWRT looks to be people wishing to add more features to cheaper devices - preferably those got for free or almost from ISPs...

    3. CAPS LOCK Silver badge

      Five people haven't bricked a router with OpenWRT....

      ... I'm guessing.

  10. Voland's right hand Silver badge

    Even that will be a good start if enforced

    It is a start. Nowhere as good as things should be, but a good start.

    It misses and omits a number of things though - the whole "authenticated server" connection any cloud interfaces to in-home tat need a much stricter definition. It must prohibit all and every Chinese servers (as well as servers in other countries without Eu data equivalence agreement). This includes update servers. If, for example, DLINK wants to sell in Europe it must have its update servers in Europe and any data logged on them not available outside Europe courtesy of GDPR.

  11. JohnFen Silver badge

    Meh

    I've learned through hard experience not to trust any appliance routers, particularly those aimed at the consumer or SOHO markets. Nothing in the proposed security rules makes me trust them any more than I current do.

  12. Anonymous Coward
    Anonymous Coward

    ...and no mention of ugly "cloud" management features...

    Last year I bought a Linksys EA7500 WiFi router.

    1. The simplest way to install this was to set up a "cloud" account on a Linksys server, and then do all the set up through the Linksys server environment. The USP (?) for this arrangement was that the user could use the Linksys "app" to manage their router from the beach in Australia.

    2. It was almost impossible to configure the router without an internet connection (see item #1). Eventually I configured the router with a laptop, a cross-over CAT-5 cable, and NO INTERNET.

    *

    This device may be insecure because the router software is poor -- I don't know about that. But for most users it is very likely MUCH MORE INSECURE because of the "cloud" and Linksys server environment -- which is by far the EASIEST way to configure this ugly piece of ****.

    *

    My solution to this problem was simple -- reset the router and take it to the local charity shop. SEP.

    1. Gene Cash Silver badge

      Re: ...and no mention of ugly "cloud" management features...

      > reset the router and take it to the local charity shop

      Why? Then you create another problem when someone clueless buys it and it becomes part of a botnet.

      I would have spent a day trying to config it, and when it was that much of a PITA, it would have gone back to Amazon or Best Buy or whoever. Make it the MANUFACTURER'S problem, because hitting them in the pocketbook is the only way to encourage them to make non-shit products.

      1. John Brown (no body) Silver badge

        Re: ...and no mention of ugly "cloud" management features...

        "I would have spent a day trying to config it, and when it was that much of a PITA, it would have gone back to Amazon or Best Buy or whoever. Make it the MANUFACTURER'S problem, because hitting them in the pocketbook is the only way to encourage them to make non-shit products."

        How does that make it the manufactures problem? Most retailers will just put it back in stock, possibly as a "second" but many would just tell the next buyer that the box was opened to check everything was there or some other BS. It's highly unlikely the manufacturer would ever know about returns to retailers.

        1. JohnFen Silver badge

          Re: ...and no mention of ugly "cloud" management features...

          "It's highly unlikely the manufacturer would ever know about returns to retailers."

          I will admit that it's been a decade or so since I've sold products through retailers, and perhaps the standard procedures have changed. But they probably haven't... when I use to to do this, here's how returns worked:

          Every item a customer returned would result in a charge-back to me -- in other words, the retailer is not paying for it. Whether or not the item was actually physically returned to me depended on the retailer and their standard procedures. I would usually opt not to get the physical returns if possible. Sometimes, retailers would insist on physically returning the items (at my expense). Going through those returns, I'd say that about 1/3 of them were in perfect condition.

          So, at least how it worked in those days, manufacturers are absolutely aware of the number of returns, because -- at best -- they're paying for them. At worst, they're getting trucks that are physically delivering them.

    2. JohnFen Silver badge

      Re: ...and no mention of ugly "cloud" management features...

      Yes, that's what made me stop even considering Linksys equipment for future purchases. I got burnt by it too, and ended up using the router for parts.

  13. tcmonkey

    "Setting WPA2 encryption as a minimum default, with a strong password that excludes identifiers like manufacturer, model, or MAC address"

    If I had a quid for every time I had personally seen a manufacturer break this rule, I could buy every commentard here a drink. Mind you, I'd be doing it with a cold, haunted look in my eyes. The lack of even the simplest of due-diligence on the part of some manufacturers is truly spectacular.

  14. DougS Silver badge

    Actually installing third party firmware is niche

    But making it POSSIBLE to do has other benefits, like a non-zero resale value for routers that are no longer supported. It would also potentially be useful for ISPs that distribute routers to customers - rather than let customers continue using routers that go off support and become insecure when unfixed exploits become known, the ISP could "upgrade" them to a DD-WRT or OpenWRT flavor.

    Or they might do that up front, to add their own branding. That would have the side effect of helping DD-WRT/OpenWRT as they'd likely get some additional funding from the ISPs in exchange for help with customizing to their needs.

    That would be particularly valuable for DD-WRT, which is pretty much 'expert level' considering it has been "beta" status for over decade so you really need know to what you're doing with it. If a major ISP used DD-WRT, one could look up what hardware they are using and download that build knowing it has been a lot better tested than what they release.

  15. FlamingDeath Bronze badge

    Money is a terrible incentive

    Everything is done for all of the wrong reasons

    If money is all that motivates us and businesses then we're all royally fucked

  16. Andy Denton

    The thing is..

    ....the vast majority of users don't ever buy a router. They just use whatever POS their broadband provider supplies at the start of their contract. Some ISPs will even go as far as to try and prohibit the use of a 3rd party router/modem (I'm looking at you Sky).

    1. LDS Silver badge

      "ISPs will even go as far as to try and prohibit the use of a 3rd party router/modem"

      It's illegal in EU - see Regulation 2120/15:

      "When accessing the internet, end-users should be free to choose between various types of terminal equipment as defined in Commission Directive 2008/63/EC (4). Providers of internet access services should not impose restrictions on the use of terminal equipment connecting to the network in addition to those imposed by manufacturers or distributors of terminal equipment in accordance with Union law."

      It's the "Net Neutrality" regulation, see:

      https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32015R2120

      In Italy the communication authority this Summer has forbidden ISP to mandate their modem/router, but telco got a delay until December 31 to become compliant (and are still trying to fight in courts, can't see how they could win without exiting EU....)

      Of course when Britons are out of EU, it's up to them to defend your rights....

      1. DougS Silver badge

        Re: "ISPs will even go as far as to try and prohibit the use of a 3rd party router/modem"

        It's illegal in EU

        So they have no problems doing it in the UK, since by the time any action could be brought against them Brexit will have happened and they won't be bound by EU regs.

        1. John Brown (no body) Silver badge

          Re: "ISPs will even go as far as to try and prohibit the use of a 3rd party router/modem"

          "So they have no problems doing it in the UK, since by the time any action could be brought against them Brexit will have happened and they won't be bound by EU regs."

          EU regs are not EU law. The regs are passed to each country to implement in accordance with their own legal system and must implement the regs closely. This means that those EU regs are backed by UK law in the UK. Even if, after Brexit, all UK laws based on EU regs were immediately revoked, you could still bring a case based on the fact the infringement occurred during a time the law was in force and was being broken.

  17. bish

    Sell an upgrade

    "Support for open firmware is, arguably, a niche consideration at the moment, but you could argue that one of the reasons to block it on end-of-life devices would be to protect the vendor's chance to sell an upgrade."

    You could also argue that releasing new hardware that improves or adds features, reliability and speed would be a good way for the vendors to protect their chance to sell an upgrade.

  18. steviebuk Silver badge

    Virgin

    Not read the whole article but that would screw Virgin up then, if in the UK. Their routers are shit. No HTTPS, the password is visible as you type and you can't have a secure password. Others, that know more than me, have also looked at the code for the routers, the web code. I think they say you can just send JSON requests to it, to get it to do things you want.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019