German Govt mulls security standards for SOHOpeless routers
WPA2 with 20-character passwords? Ja! No firmware updates and CSRF? Nein.
The German Government is mulling an assessment of the security chops of consumer routers in a bid to lift current abysmal standards and help inform buyers.
Berlin's Ministry of the Interior IT security office says it wants to test routers for support of security features like WPS, encryption, and brute force protection of passwords. MAC address filtering and firewalls will also make the list.
The agency points out in a draft document (PDF in German) that poorly-secured routers can lead to mass compromise of users.
It says the increased functionality of SOHO routers with things like network attached storage and the ability to place voice-over-internet-protocol calls makes security of "paramount importance".
Attackers can do things like enslave users into botnets, place premium phone calls, and deny net access, the agency says, using a multitude of previously disclosed and un-patched vulnerabilities.
The agency would look at simple and deeper security measures including holes like cross-site request forgery, the integrity of guest networks, and various defences against external attack.
A scoreboard will be created based on how each router performs, with a total possible score of 770 points, according to the document. Some security facets will be classed as essential and attract more points than those marked recommended or optional.
Routers that advise users of an available firmware update on login to the web admin interface are winners, as are those that rock WPA2 with a key spinning out to at least 20 characters, and units with WPS that is disabled by default and generates new random PINs on activation.
Those battered boxes with brand-name SSIDs like 'DLINKx' will get a thumbs down as this unnecessarily offers attackers information on a potential target, the agency says.
Dissenters and supporters have until the end of next month to comment on the proposal. ®