[Cerowrt-devel] security guidelines for home routers

Sebastian Moeller moeller0 at gmx.de
Mon Nov 26 17:28:56 EST 2018

Hi Dave,

> On Nov 26, 2018, at 19:40, Dave Taht <dave.taht at gmail.com> wrote:
> On Mon, Nov 26, 2018 at 10:24 AM Sebastian Moeller <moeller0 at gmx.de> wrote:
>> Hi Dave,
>> neither the openwrt folks (see https://openwrt.org) nor the chaos computer club of germany (see German: https://www.ccc.de/en/updates/2018/risikorouter, machinenglish: https://translate.google.com/translate?sl=de&tl=en&js=y&prev=_t&hl=de&ie=UTF-8&u=https%3A%2F%2Fwww.ccc.de%2Fen%2Fupdates%2F2018%2Frisikorouter&edit-text=) seem to be fully convinced.
>> Personally I believe this is a step in the right direction, even though hopefully just a first step.
> I would like it very much if my country attempted to get to something
> similar as a requirement for FCC certification or import. Stronger
> yes, would be nice, but there was
> nothing horrible in here that I could see.


> It is extremely well written, could probably use a glossary.

	See table 1 of https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR03148/TR03148.pdf?__blob=publicationFile&v=2 for an attempt at a terse glossary

>> Openwrt and CCC mainly critizise:
>> "The Chaos Computer Club (CCC) and OpenWrt took part in multiple review and discussion rounds with the Bundesamt für Sicherheit in der Informationstechnik (BSI) and representatives of multiple device vendors and network operators. These are our two main demands:
>> 1)  Vendors have to inform customer before buying the product for all devices being sold in Germany, how long the device will get security updates in case problems are found.
> I am reminded of the mandatory warnings on all cig smoking cartons.
> Long term, I guess, they've been effective. I seem to be one of the
> few left that still smoke, and most of the other smokers I know use
> rollies, and don't have to read about what they are doing to
> themselves on every pack.

	I tend to think that "real tobacco aficionados" will sooner or later switch to chewing tobacco ;)

>> 2) The customer must have the possibility to install custom software on their devices, to have the possibility to fix security problems even after the official vendor support ended."
>> I believe that 1) is currently supposed to be posted on a web-site so will not be effortlessly visible at the point of sale in a store.
> I would rather like that. With most computer gear today, you are
> essentially buying a lease. "Supported for 1 week longer than our 1
> year warranty".

	If at all! Now there are a few good apples in there as well. e.g. AVM typically supports their new router models for several years, publish EOS and EOL notices regularly and even introduce new features to older hardware as part of their firmware upgrades (I believe they partly do this to reduce the version explosion in their testing matrix, but still it is a win-win, for both AVM and customers). Also evenroute seem to do good with their iq-router brand in that regard.

> People should value a long term support plan, as much
> as they value getting a 10 year "bumper to bumper" warranty on a car.
> Spending 200 bucks on a piece
>> And 2) basically is a complaint that there is a weak MAY clause for guaranteeing that  3rd party firmware like openwrt is installable. I think this was weakened on purpose by the DOCSIS-ISPs which seem to have zero interest for 3rd party firmwares for cable-modems/routers. (I would not be amazed if cable labs would actually rule something like this out per contract, but I have zero evidence for that hypothesis).
> These are the people that *rent* modems to you at an enormous margin
> and are unwilling to support it?

	Yes, even worst, the same companies that distributed the latency-jinxed intel puma5/6/7 based docsis modems that had/have rather unfortunate latency spikes and packet drops; and often have not managed to distribute the newer firmware images that severely ameliorate that issue. In that light I understand ccc/openwrt's frustration with the weak custom firmware requirements.

> Sigh... I have zip, zero problem, if cable folk *leased* you a modem,
> managed it,
> and then provided a new one when their support costs got too great. It
> would do wonders for the entire industry if they simply gave away new
> docsis 3 or 3.1 modems to every one still running an earlier one....

	Well, they, as well as most dsl-ISPs in Germany, will happily rent you something, and at least the dsl isp tend to get "timely" firmware updates (at least if conpared with the docsis isps). The sad thing is that in the past these devices were factored into the plans but now are run as profit centers (say 4 EUR for a device that is expected to last for 5 years at a customers home will net you 4*12*5 = 240 EUR for hardware and support).

> There's a huge difference in "leasing" vs "renting" vs "buying" I guess.
> There's a movement here called "right to repair", which is not
> something I've been tracking here. How's it going over there? It's
> used a lot when arguing with John Deer about their tractors....

	It is discussed in the media, and I have (so far unsubstantiated) hopes that the EU-parlament might tackle this somehow, somewhen ;)

>>> On Nov 26, 2018, at 19:05, Dave Taht <dave.taht at gmail.com> wrote:
>>> I only briefly scanned this, but I did find some things that made me
>>> happy. Still, What happens after end of life?
>>> https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR03148/TR03148.pdf;jsessionid=01F54E80B004E9BFB194DBC00DE9B961.2_cid360?__blob=publicationFile&v=2
>>> "To be able to react to newly appearing exploits of soft- or hardware
>>> vulnerabilities of the router or any of its components the router MUST
>>> have a functionality to update the firmware (operating system and
>>> applications) using a firmware package. The router MUST allow the
>>> end-user to fully control such a firmware update and determine to
>>> initiate an online update (router retrieves firmware package from the
>>> Internet (WAN interface)) and/ or manually update the firmware through
>>> the configuration interface (user provides firmware package) described
>>> in Section 4.1: Configuration and Information."
>>> The router SHOULD offer an option to automatically retrieve security
>>> relevant firmware updates from a trustworthy source over the Internet
>>> (WAN interface). If the router offers this functionality it SHOULD be
>>> activated by default, but MUST be possible for the end-user to
>>> deactivate it when using customized settings. In both scenarios
>>> (manual and automated update) the firmware update function of the
>>> router MUST check the authenticity of the firmware package (file)
>>> before it is installed on the router. This SHOULD be done by a digital
>>> signature that is applied to the firmware package by the manufacturer
>>> and checked by the router itself. For this purpose only signature
>>> schemes in accordance to [SOG-IS] Section 5.2: Digital Signatures MUST
>>> be used. The router MUST NOT automatically install any unsigned
>>> firmware. The router MAY allow the installation of unsigned firmware
>>> (i.e. custom firmware) IF a meaningful warning message has been shown
>>> to the authenticated end-user and the end-user accepts the
>>> installation of the unsigned firmware.
>>> the manufacturer of the router MUST provide information on how long
>>> firmware updates fixing common vulnerabilities and exposures that have
>>> a high severity (i.e. a CVSS combined score higher than 6.0 according
>>> to the Common Vulnerability Scoring System3 assigned to the specific
>>> device or a component used by the device) will be made available. This
>>> information SHOULD be available on the manufacturer website.
>>> Additionally it MAY be made available on the router configuration
>>> interface described in Section 4.1.2: Providing Information. The
>>> manufacturer MUST provide information if the router has reached the
>>> End of its Support (EoS) and will not receive firmware updates by the
>>> manufacturer anymore. This information (EoS) MUST be made available on
>>> the router configuration as described in Section 4.1.2: Providing
>>> Information. The manufacturer MUST provide firmware updates to fix
>>> common vulnerabilities and exposures of a high severity without
>>> culpable delay (without undue delay) after the manufacturer obtains
>>> knowledge
>>> --
>>> Dave Täht
>>> CTO, TekLibre, LLC
>>> http://www.teklibre.com
>>> Tel: 1-831-205-9740
>>> _______________________________________________
>>> Cerowrt-devel mailing list
>>> Cerowrt-devel at lists.bufferbloat.net
>>> https://lists.bufferbloat.net/listinfo/cerowrt-devel
> -- 
> Dave Täht
> CTO, TekLibre, LLC
> http://www.teklibre.com
> Tel: 1-831-205-9740

More information about the Cerowrt-devel mailing list