[Cerowrt-devel] security guidelines for home routers

Mikael Abrahamsson swmike at swm.pp.se
Tue Nov 27 06:03:35 EST 2018 

On Mon, 26 Nov 2018, Sebastian Moeller wrote:

> I guess that most cheap routers do not actually do "secure boot" but 
> rather make it hard to flash not-approved firmware binaries from the 
> GUI, and for the intents an purposes of the BSI document that level of 
> security, in spite of the talk about firmware authentication by digital 
> signatures, seems sufficient. So no need to secure the JTAG interface, 
> or even a tftp update method that can be initiated by pressing a button 
> on the router or similar.

There are a huge amount of routers in peoples homes in Germany that have 
secure boot enabled. Trying to achieve the requirement that these can have 
any software installed on them requires new functionality to be created, 
perhaps even new administration to handle this in a secure way.

Yes, it might be enough to in the future create a button inside the device 
(so it actually has to be opened up) to disable secure boot, but this 
still does open up for tampering by someone who happens to have physical 
access to the device.

Right now with secure boot on and all code being signed, it's really hard 
to tamper with the device and making it do things it wasn't designed to 
do.

I'd really like to see a wider audience weigh in on the pro:s and con:s of 
this approach. Do parents really want to come home to their 12 year old 
who might have opened up their residential gateway and installed something 
the 12 year old downloaded from the Internet? Perhaps yes, perhaps no.

> 	Why? In my reading 2 basically just turns the "The router MAY 
> allow the installation of unsigned firmware (i.e. custom firmware)" into 
> a "The router MUST allow " it does not rule that the manufacturer needs 
> to actively help to develop said custom firmware IMHO. Now it would be a 
> great idea to do so, but certainly not required.

Ok, I just took for granted that to make the idea practical, one would 
need access to hw / sw specifications.

> 	Yes, I agree, this is one of the issues where one of the 
> heavy-weights needs to get involved. My bet is on the EU picking 
> something like this up first though. ATM I do not see much appetite for 
> such regulatory actions in the US.

Agreed.

-- 
Mikael Abrahamsson    email: swmike at swm.pp.se

More information about the Cerowrt-devel mailing list