Germany Publishes New Broadband Router Security Guidelines

Germany Publishes New Broadband Router Security Guidelines

The German government Federal Office for Information Security published technical security guidelines for broadband routers commonly used in Small Office and Home Office (SOHO) environments. The new guideline provides recommendations to manufacturers on designing and implementing routing products with “adequate state-of-the -art security features.”

The new publication (translated in English), BSI TR-03148: Secure Broadband Router, provides both mandatory and optional security requirements for routing devices designed for SOHO and end-user environments. 

Router risks

As the trend of households using or requiring internet access increases, so does the need for fully functional and secure routers. Routers are used as a user or small business access point and gateway, connecting a private network of a household to the internet. 

“Not only are devices being attacked to harm the assets of its owner, but also to be hijacked and become part of botnets, controlled by the attackers,” the guideline stated.  

Secure networks, interfaces and functionalities

The guideline includes sections for securing networks and interfaces, as well as securing router functionalities. 

Just a few of the security recommendations include, but not limited to: 

  • Enable minimal selection of services on the LAN and WiFi interface of the router (e.g., DNS, HTTPS, etc.) 
  • The router MUST support encryption according to WiFi Protected Access II (WPA2) 
  • Change passwords from default manufacturer setting
  • Two-factor authentication (2FA) and at very least (if 2FA not available) strong passwords used for user authentication (e.g., greater than 8 number of characters and more than two kinds of characters)
  • Display firmware information (status, version number, login attempts, running services, logs, etc.)
  • Allow users to update firmware version
  • Firewalls: The router MUST allow the end-user to define rules for incoming network traffic (public to private network) as well as outgoing (private to public network) network traffic. 

Check out the full guideline for more recommendations and details.