[Cerowrt-devel] security guidelines for home routers

Sebastian Moeller moeller0 at gmx.de
Mon Nov 26 17:13:14 EST 2018

Hi Mikael,

> On Nov 26, 2018, at 19:35, Mikael Abrahamsson <swmike at swm.pp.se> wrote:
> On Mon, 26 Nov 2018, Sebastian Moeller wrote:
>> And 2) basically is a complaint that there is a weak MAY clause for guaranteeing that 3rd party firmware like openwrt is installable. I think this was weakened on purpose by the DOCSIS-ISPs which seem to have zero interest for 3rd party firmwares for cable-modems/routers. (I would not be amazed if cable labs would actually rule something like this out per contract, but I have zero evidence for that hypothesis).
> 2 is interesting from a security point of view. With secure boot special provisions have to be put into the router to turn off secure boot to be able to install anything on it. Question is how this would be done in a way that is both secure and somewhat user friendly.

I guess that most cheap routers do not actually do "secure boot" but rather make it hard to flash not-approved firmware binaries from the GUI, and for the intents an purposes of the BSI document that level of security, in spite of the talk about firmware authentication by digital signatures, seems sufficient. So no need to secure the JTAG interface, or even a tftp update method that can be initiated by pressing a button on the router or similar. 

> 2 also implies sharing drivers etc, and it's unclear how this would be done.

	Why? In my reading 2 basically just turns the "The router MAY allow the installation of unsigned firmware
(i.e. custom firmware)" into a "The router MUST allow " it does not rule that the manufacturer needs to actively help to develop said custom firmware IMHO. Now it would be a great idea to do so, but certainly not required.

> I believe Germany is too small to drive this requirement, we'd need at least US or EU size market to really succeed with this.

	Yes, I agree, this is one of the issues where one of the heavy-weights needs to get involved. My bet is on the EU picking something like this up first though. ATM I do not see much appetite for such regulatory actions in the US.

> -- 
> Mikael Abrahamsson    email: swmike at swm.pp.se

More information about the Cerowrt-devel mailing list