The measures were criticised by specialist organisations and software developers.
Last week, in an attempt to address the security of broadband routers, the German government published a set of proposed minimum standards, and quickly received complaints about the scope of its proposals.
According to digital forensics experts, the BSI, Germany's federal office for information security, said it wanted "an easy-to-handle security level" and defined the security features it believes should be "available by design and by default" in routers.
The German government seeks to protect routers from attacks coming over the internet by implementing measures such as:
- Restricting the services offered by default on the LAN/Wi-Fi side to DNS, HTTP/HTTPS, DHCP/DHCPv6 and ICMPv6, and exposing only a minimal set of services on the public interface.
- Ensuring that Wi-Fi clients do not have access to the device's configuration.
- Enabling at least WPA2 encryption by default, with a secure password that does not include identifiers such as the manufacturer, the model or the MAC address.
- Protecting the configuration interface with a strong password, and with HTTPS if it is reachable on the WAN interface.
- Firewall features are mandatory.
- Remote configuration must be disabled by default, and may only be accessed over an encrypted connection authorised by the server.
- Firmware updates controlled by the user, with an option for automatic updates.
The recommendations also state that a factory reset must return the router to a secure default state, and that all personal data must be removed from the unit during the process.
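To make the list above concrete, here is an added example (not from the article or from the BSI) that audits a constructed router configuration against those minimum requirements and reports which ones it fails; the field names, the 12-character password threshold and the "last three MAC bytes" heuristic are assumptions for the example.

```python
import re

# Constructed sample configurations (not dumps from any real device); field names are assumptions.
WEAK_CONFIG = {
    "vendor": "AcmeNet", "model": "AR-1200", "mac": "00:11:22:33:44:55",
    "wifi_encryption": "WPA", "wifi_psk": "AcmeNet-AR1200",
    "wifi_clients_reach_admin": True,
    "admin_password": "admin", "admin_on_wan": True, "admin_https": False,
    "remote_config_enabled": True, "firewall_enabled": False,
    "lan_services": ["dns", "http", "https", "dhcp", "dhcpv6", "icmpv6", "telnet"],
}
HARDENED_CONFIG = dict(
    WEAK_CONFIG, wifi_encryption="WPA2", wifi_psk="correct-horse-battery-staple-42",
    wifi_clients_reach_admin=False, admin_password="Tr0ub4dor&3-router-admin",
    admin_https=True, remote_config_enabled=False, firewall_enabled=True,
    lan_services=["dns", "https", "dhcp", "dhcpv6", "icmpv6"],
)

ALLOWED_LAN_SERVICES = {"dns", "http", "https", "dhcp", "dhcpv6", "icmpv6"}
MIN_PASSWORD_LEN = 12  # assumed threshold; the recommendations only say "strong password"

def _norm(s):
    """Lowercase and strip separators so 'AR-1200' and 'ar1200' compare equal."""
    return re.sub(r"[^a-z0-9]", "", s.lower())

def psk_leaks_identifiers(psk, cfg):
    """True if the Wi-Fi password embeds the vendor, model or MAC (or its last 3 bytes, a common default pattern)."""
    p, mac = _norm(psk), _norm(cfg["mac"])
    return any(t in p for t in (_norm(cfg["vendor"]), _norm(cfg["model"]), mac, mac[-6:]))

def audit_router(cfg):
    """Return the list of minimum-requirement checks (as listed in the article) that the config fails."""
    failures = []
    extra = {s.lower() for s in cfg["lan_services"]} - ALLOWED_LAN_SERVICES
    if extra:
        failures.append(f"LAN/Wi-Fi services beyond the allowed set: {sorted(extra)}")
    if cfg["wifi_clients_reach_admin"]:
        failures.append("Wi-Fi clients can reach the configuration interface")
    if cfg["wifi_encryption"].upper() not in ("WPA2", "WPA3"):
        failures.append("Wi-Fi encryption weaker than WPA2")
    if psk_leaks_identifiers(cfg["wifi_psk"], cfg):
        failures.append("Wi-Fi password derived from vendor, model or MAC")
    if len(cfg["admin_password"]) < MIN_PASSWORD_LEN:
        failures.append("admin password shorter than the assumed minimum")
    if cfg["admin_on_wan"] and not cfg["admin_https"]:
        failures.append("configuration interface reachable on WAN without HTTPS")
    if cfg["remote_config_enabled"]:
        failures.append("remote configuration enabled by default")
    if not cfg["firewall_enabled"]:
        failures.append("firewall disabled")
    return failures

if __name__ == "__main__":
    for f in audit_router(WEAK_CONFIG):
        print("FAIL:", f)
```

Running the block prints eight findings for the weak configuration; the hardened one passes every check.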
Over the weekend, digital forensics experts from OpenWrt and the Chaos Computer Club (CCC) came out to say that these recommendations were "inappropriate".
The BSI said the recommendations are the result of "two years of consultations with suppliers, network operators and consumer protection agencies". OpenWrt and the CCC said that too much weight was given to the vendors' opinions and too little to those of consumers.
According to OpenWrt, two security measures for users were left out of the BSI's list of recommendations: suppliers should tell users how long they plan to support their products with security updates, and customers must have the right to install custom software (such as OpenWrt), "even after the supplier's official support has ended".
On the other hand, the CCC said it believes the current security model has failed, because companies provide a minimum security standard at the manufacturer's convenience. The CCC said "it was not very clear" how the new policy would counter cyber threats such as Heartbleed, SambaCry or the BCMUPnP botnet, which was discovered earlier this month.
Hauke Mehrtens, a digital forensics expert at OpenWrt, said that preventing users from installing firmware such as OpenWrt "raises doubts about how serious the government is about taking care of computer security".
Various members of the cybersecurity community consider that the CCC is right to demand that manufacturers inform users about the "lifetime" of a device, since it is almost certain that suppliers have this information at hand when they design their products.