[Cerowrt-devel] security guidelines for home routers

Dave Taht dave.taht at gmail.com
Mon Nov 26 13:05:09 EST 2018

I only briefly scanned this, but I did find some things that made me
happy. Still, what happens after end of life?


"To be able to react to newly appearing exploits of soft- or hardware
vulnerabilities of the router or any of its components the router MUST
have a functionality to update the firmware (operating system and
applications) using a firmware package. The router MUST allow the
end-user to fully control such a firmware update and determine to
initiate an online update (router retrieves firmware package from the
Internet (WAN interface)) and/or manually update the firmware through
the configuration interface (user provides firmware package) described
in Section 4.1: Configuration and Information."

The router SHOULD offer an option to automatically retrieve security
relevant firmware updates from a trustworthy source over the Internet
(WAN interface). If the router offers this functionality it SHOULD be
activated by default, but MUST be possible for the end-user to
deactivate it when using customized settings. In both scenarios
(manual and automated update) the firmware update function of the
router MUST check the authenticity of the firmware package (file)
before it is installed on the router. This SHOULD be done by a digital
signature that is applied to the firmware package by the manufacturer
and checked by the router itself. For this purpose only signature
schemes in accordance to [SOG-IS] Section 5.2: Digital Signatures MUST
be used. The router MUST NOT automatically install any unsigned
firmware. The router MAY allow the installation of unsigned firmware
(i.e. custom firmware) IF a meaningful warning message has been shown
to the authenticated end-user and the end-user accepts the
installation of the unsigned firmware.

The manufacturer of the router MUST provide information on how long
firmware updates fixing common vulnerabilities and exposures that have
a high severity (i.e. a CVSS combined score higher than 6.0 according
to the Common Vulnerability Scoring System assigned to the specific
device or a component used by the device) will be made available. This
information SHOULD be available on the manufacturer website.
Additionally it MAY be made available on the router configuration
interface described in Section 4.1.2: Providing Information. The
manufacturer MUST provide information if the router has reached the
End of its Support (EoS) and will not receive firmware updates by the
manufacturer anymore. This information (EoS) MUST be made available on
the router configuration as described in Section 4.1.2: Providing
Information. The manufacturer MUST provide firmware updates to fix
common vulnerabilities and exposures of a high severity without
culpable delay (without undue delay) after the manufacturer obtains


Dave Täht
CTO, TekLibre, LLC
Tel: 1-831-205-9740
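The update gate the quoted requirements describe (authenticity check before install, no automatic install of unsigned firmware, unsigned custom firmware only after an authenticated end-user has seen a warning and accepted it), written out as an added Go example that is not from this post or from the guideline. Ed25519 stands in for whatever SOG-IS-approved scheme a vendor actually uses; the package layout, the `Admit` function and the error names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

type UpdateMode int

const (
	Automatic UpdateMode = iota // router fetched the package itself over the WAN
	Manual                      // end-user uploaded it through the configuration interface
)

// Package is a constructed layout (assumption, not a vendor format): the image
// plus a detached manufacturer signature, empty for unsigned custom builds.
type Package struct {
	Image     []byte
	Signature []byte
}

var ErrBadSignature = errors.New("signature present but does not verify")
var ErrUnsignedAuto = errors.New("unsigned firmware is never installed automatically")
var ErrUnsignedManual = errors.New("unsigned firmware needs an authenticated user's explicit acceptance")

// Admit returns nil only if pkg may be installed. vendorKey is the manufacturer key baked
// into the router; authenticated/accepted record that an authenticated end-user saw the warning.
func Admit(pkg Package, vendorKey ed25519.PublicKey, mode UpdateMode, authenticated, accepted bool) error {
	if len(pkg.Signature) > 0 {
		if ed25519.Verify(vendorKey, pkg.Image, pkg.Signature) {
			return nil // authentic manufacturer firmware: allowed in either mode
		}
		return ErrBadSignature // a failing signature is tampering, never "custom firmware"
	}
	if mode == Automatic {
		return ErrUnsignedAuto
	}
	if !authenticated || !accepted {
		return ErrUnsignedManual
	}
	return nil // custom firmware knowingly accepted by the authenticated end-user
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the vendor's key pair
	img := []byte("constructed firmware image")
	fmt.Println(Admit(Package{Image: img, Signature: ed25519.Sign(priv, img)}, pub, Automatic, false, false))
}
```

A package whose signature is present but fails is rejected outright rather than demoted to the unsigned path; otherwise the custom-firmware acceptance dialog would double as a way to get a tampered vendor image installed.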
