[Cerowrt-devel] security guidelines for home routers

Dave Taht dave.taht at gmail.com
Mon Nov 26 13:40:54 EST 2018

On Mon, Nov 26, 2018 at 10:24 AM Sebastian Moeller <moeller0 at gmx.de> wrote:
> Hi Dave,
> neither the openwrt folks (see https://openwrt.org) nor the chaos computer club of germany (see German: https://www.ccc.de/en/updates/2018/risikorouter, machinenglish: https://translate.google.com/translate?sl=de&tl=en&js=y&prev=_t&hl=de&ie=UTF-8&u=https%3A%2F%2Fwww.ccc.de%2Fen%2Fupdates%2F2018%2Frisikorouter&edit-text=) seem to be fully convinced.
> Personally I believe this is a step in the right direction, even though hopefully just a first step.

I would like it very much if my country attempted to get to something
similar as a requirement for FCC certification or import. Stronger
yes, would be nice, but there was
nothing horrible in here that I could see.

It is extremely well written, could probably use a glossary.

> Openwrt and CCC mainly critizise:
> "The Chaos Computer Club (CCC) and OpenWrt took part in multiple review and discussion rounds with the Bundesamt für Sicherheit in der Informationstechnik (BSI) and representatives of multiple device vendors and network operators. These are our two main demands:
> 1)  Vendors have to inform customer before buying the product for all devices being sold in Germany, how long the device will get security updates in case problems are found.

I am reminded of the mandatory warnings on all cig smoking cartons.
Long term, I guess, they've been effective. I seem to be one of the
few left that still smoke, and most of the other smokers I know use
rollies, and don't have to read about what they are doing to
themselves on every pack.

> 2) The customer must have the possibility to install custom software on their devices, to have the possibility to fix security problems even after the official vendor support ended."
> I believe that 1) is currently supposed to be posted on a web-site so will not be effortlessly visible at the point of sale in a store.

I would rather like that. With most computer gear today, you are
essentially buying a lease. "Supported for 1 week longer than our 1
year warranty". People should value a long term support plan, as much
as they value getting a 10 year "bumper to bumper" warranty on a car.
Spending 200 bucks on a piece

> And 2) basically is a complaint that there is a weak MAY clause for guaranteeing that  3rd party firmware like openwrt is installable. I think this was weakened on purpose by the DOCSIS-ISPs which seem to have zero interest for 3rd party firmwares for cable-modems/routers. (I would not be amazed if cable labs would actually rule something like this out per contract, but I have zero evidence for that hypothesis).

These are the people that *rent* modems to you at an enormous margin
and are unwilling to support it?

Sigh... I have zip, zero problem, if cable folk *leased* you a modem,
managed it,
and then provided a new one when their support costs got too great. It
would do wonders for the entire industry if they simply gave away new
docsis 3 or 3.1 modems to every one still running an earlier one....

There's a huge difference in "leasing" vs "renting" vs "buying" I guess.

There's a movement here called "right to repair", which is not
something I've been tracking here. How's it going over there? It's
used a lot when arguing with John Deer about their tractors....

> > On Nov 26, 2018, at 19:05, Dave Taht <dave.taht at gmail.com> wrote:
> >
> > I only briefly scanned this, but I did find some things that made me
> > happy. Still, What happens after end of life?
> >
> > https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR03148/TR03148.pdf;jsessionid=01F54E80B004E9BFB194DBC00DE9B961.2_cid360?__blob=publicationFile&v=2
> >
> > "To be able to react to newly appearing exploits of soft- or hardware
> > vulnerabilities of the router or any of its components the router MUST
> > have a functionality to update the firmware (operating system and
> > applications) using a firmware package. The router MUST allow the
> > end-user to fully control such a firmware update and determine to
> > initiate an online update (router retrieves firmware package from the
> > Internet (WAN interface)) and/ or manually update the firmware through
> > the configuration interface (user provides firmware package) described
> > in Section 4.1: Configuration and Information."
> >
> > The router SHOULD offer an option to automatically retrieve security
> > relevant firmware updates from a trustworthy source over the Internet
> > (WAN interface). If the router offers this functionality it SHOULD be
> > activated by default, but MUST be possible for the end-user to
> > deactivate it when using customized settings. In both scenarios
> > (manual and automated update) the firmware update function of the
> > router MUST check the authenticity of the firmware package (file)
> > before it is installed on the router. This SHOULD be done by a digital
> > signature that is applied to the firmware package by the manufacturer
> > and checked by the router itself. For this purpose only signature
> > schemes in accordance to [SOG-IS] Section 5.2: Digital Signatures MUST
> > be used. The router MUST NOT automatically install any unsigned
> > firmware. The router MAY allow the installation of unsigned firmware
> > (i.e. custom firmware) IF a meaningful warning message has been shown
> > to the authenticated end-user and the end-user accepts the
> > installation of the unsigned firmware.
> >
> > the manufacturer of the router MUST provide information on how long
> > firmware updates fixing common vulnerabilities and exposures that have
> > a high severity (i.e. a CVSS combined score higher than 6.0 according
> > to the Common Vulnerability Scoring System3 assigned to the specific
> > device or a component used by the device) will be made available. This
> > information SHOULD be available on the manufacturer website.
> > Additionally it MAY be made available on the router configuration
> > interface described in Section 4.1.2: Providing Information. The
> > manufacturer MUST provide information if the router has reached the
> > End of its Support (EoS) and will not receive firmware updates by the
> > manufacturer anymore. This information (EoS) MUST be made available on
> > the router configuration as described in Section 4.1.2: Providing
> > Information. The manufacturer MUST provide firmware updates to fix
> > common vulnerabilities and exposures of a high severity without
> > culpable delay (without undue delay) after the manufacturer obtains
> > knowledge
> >
> >
> > --
> >
> > Dave Täht
> > CTO, TekLibre, LLC
> > http://www.teklibre.com
> > Tel: 1-831-205-9740
> > _______________________________________________
> > Cerowrt-devel mailing list
> > Cerowrt-devel at lists.bufferbloat.net
> > https://lists.bufferbloat.net/listinfo/cerowrt-devel


Dave Täht
CTO, TekLibre, LLC
Tel: 1-831-205-9740

More information about the Cerowrt-devel mailing list