[Cerowrt-devel] security guidelines for home routers
swmike at swm.pp.se
Tue Nov 27 06:03:35 EST 2018
On Mon, 26 Nov 2018, Sebastian Moeller wrote:
> I guess that most cheap routers do not actually do "secure boot" but
> rather make it hard to flash not-approved firmware binaries from the
> GUI, and for the intents an purposes of the BSI document that level of
> security, in spite of the talk about firmware authentication by digital
> signatures, seems sufficient. So no need to secure the JTAG interface,
> or even a tftp update method that can be initiated by pressing a button
> on the router or similar.
There are a huge amount of routers in peoples homes in Germany that have
secure boot enabled. Trying to achieve the requirement that these can have
any software installed on them requires new functionality to be created,
perhaps even new administration to handle this in a secure way.
Yes, it might be enough to in the future create a button inside the device
(so it actually has to be opened up) to disable secure boot, but this
still does open up for tampering by someone who happens to have physical
access to the device.
Right now with secure boot on and all code being signed, it's really hard
to tamper with the device and making it do things it wasn't designed to
I'd really like to see a wider audience weigh in on the pro:s and con:s of
this approach. Do parents really want to come home to their 12 year old
who might have opened up their residential gateway and installed something
the 12 year old downloaded from the Internet? Perhaps yes, perhaps no.
> Why? In my reading 2 basically just turns the "The router MAY
> allow the installation of unsigned firmware (i.e. custom firmware)" into
> a "The router MUST allow " it does not rule that the manufacturer needs
> to actively help to develop said custom firmware IMHO. Now it would be a
> great idea to do so, but certainly not required.
Ok, I just took for granted that to make the idea practical, one would
need access to hw / sw specifications.
> Yes, I agree, this is one of the issues where one of the
> heavy-weights needs to get involved. My bet is on the EU picking
> something like this up first though. ATM I do not see much appetite for
> such regulatory actions in the US.
Mikael Abrahamsson email: swmike at swm.pp.se
More information about the Cerowrt-devel