Germany (through its Federal Office for Information Security, the BSI) has proposed a set of security guidelines for router manufacturers and users. Online criminals have woken up to the power they can exert by hijacking large numbers of routers into botnets: launching devastating distributed denial-of-service (DDoS) attacks, stealing Wi-Fi credentials, or changing DNS settings so that unwanted pop-up ads keep appearing.
The router security guidelines are:
- Wireless routers should use as a minimum WPA2 encryption.
- The Wi-Fi password (WPA2 pre-shared key) set at the factory should be at least 20 characters long, and must not contain information derived from the router’s manufacturer, model name, MAC address or similar device data.
- In addition, a factory-set Wi-Fi password must not be shared by multiple devices from the same manufacturer.
- Any pre-configured configuration (administration) password must contain at least eight characters, drawn from at least two of the following character classes: uppercase letters [A-Z], lowercase letters [a-z], special characters [e.g. ?, !, $, etc.] and digits [0-9]. Note the two different minimums: 20 characters for the Wi-Fi key, eight for the configuration password.
- When changing either the Wi-Fi or the configuration password, users should be shown a password strength meter based on the password’s length and complexity.
- Users on the guest Wi-Fi network should have no access to the router’s configuration interface. By default it should not be possible to configure the router remotely, and where remote access is offered it should only be possible over an encrypted, server-authenticated connection (such as HTTPS).
- Routers must include functionality to update their firmware, and give users the option of initiating the update manually or online. In addition, automatic firmware updates should (as opposed to must) be offered and enabled by default, although it must be possible for the user to disable them.
- If the router determines that its firmware is out of date, it must inform the user with a meaningful message (such as a pop-up after login).
- If a manufacturer decides to stop supporting the device with firmware updates, the same mechanism should be used to inform users about the end of support.
- A factory reset should return the device to its default secure state and delete all personal data.
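The password rules in the list above are the part a manufacturer (or an auditor checking a device’s factory defaults) can turn directly into code. The following is an added example, not code from the page or from the guideline’s authors: it checks a factory-set Wi-Fi key and a configuration password against the stated minimums and implements a simple length-and-complexity strength meter. The thresholds come from the list above; the specific patterns it treats as "derived from" the model name or MAC address (the normalised model string, the whole MAC, or its last three or four bytes in hex), the 0-4 strength scale, and the device vendor, model and MAC in the demo are this example’s own assumptions.

```python
"""Password checks for a router's factory defaults, modelled on the BSI rules above.

Added example, not code from the page or from the guideline's authors.
The thresholds (20-character Wi-Fi key; 8-character configuration password
with at least two character classes) are taken from the list above. The
concrete patterns used to decide that a key is "derived from" the model
name or MAC address, and the 0-4 strength scale, are this example's own
assumptions.
"""
from __future__ import annotations

import re
import string

# The four character classes named in the configuration-password rule.
CHARACTER_CLASSES = (
    string.ascii_uppercase,
    string.ascii_lowercase,
    string.digits,
    string.punctuation,
)


def _normalise(text: str) -> str:
    """Lower-case and strip everything but letters and digits, so that
    'XR-500' and 'xr500', or 'AA:BB:CC' and 'aabbcc', compare equal."""
    return re.sub(r"[^0-9a-z]", "", text.lower())


def _mac_fragments(mac: str) -> set[str]:
    """Strings an attacker could derive from a MAC address.

    Assumption (this example's own): vendors that derive default keys from the
    MAC use the whole address or its trailing three to four bytes, in hex.
    """
    hexdigits = _normalise(mac)
    fragments = {hexdigits}
    for length in (6, 8):  # last 3 and 4 bytes as hex digits
        if len(hexdigits) >= length:
            fragments.add(hexdigits[-length:])
    return fragments


def derived_from_device(candidate: str, manufacturer: str, model: str, mac: str) -> list[str]:
    """Names the pieces of device metadata that appear inside the candidate password."""
    norm = _normalise(candidate)
    found = []
    for label, value in (("manufacturer", manufacturer), ("model", model)):
        token = _normalise(value)
        if token and token in norm:
            found.append(label)
    if any(fragment and fragment in norm for fragment in _mac_fragments(mac)):
        found.append("mac")
    return found


def check_wifi_psk(psk: str, manufacturer: str, model: str, mac: str) -> list[str]:
    """Guideline violations for a factory-set Wi-Fi key; an empty list means it passes."""
    problems = []
    if len(psk) < 20:
        problems.append(f"only {len(psk)} characters, at least 20 required")
    for piece in derived_from_device(psk, manufacturer, model, mac):
        problems.append(f"contains data derived from the device's {piece}")
    return problems


def count_classes(password: str) -> int:
    """Number of the four character classes that the password draws from."""
    return sum(1 for cls in CHARACTER_CLASSES if any(ch in cls for ch in password))


def check_config_password(password: str) -> list[str]:
    """Guideline violations for the router's configuration (admin) password."""
    problems = []
    if len(password) < 8:
        problems.append(f"only {len(password)} characters, at least 8 required")
    if count_classes(password) < 2:
        problems.append("uses a single character class, at least two required")
    return problems


def strength_score(password: str) -> int:
    """Length-and-complexity meter on an assumed 0-4 scale: one point each for
    reaching 8, 12 and 20 characters, one for using three or more classes."""
    score = sum(len(password) >= n for n in (8, 12, 20))
    if count_classes(password) >= 3:
        score += 1
    return score


if __name__ == "__main__":
    # Constructed sample device: the vendor, model and MAC are made up.
    vendor, model, mac = "ExampleCo", "XR-500", "00:11:22:AA:BB:CC"
    for psk in ("XR500-AABBCC", "correct-horse-battery-staple-2024"):
        print(psk, "->", check_wifi_psk(psk, vendor, model, mac) or "ok")
    for pw in ("admin1", "password", "Tr0ub4dor&3"):
        print(pw, "->", check_config_password(pw) or "ok", "strength", strength_score(pw))
```

The MAC check deliberately compares against a normalised form of the candidate, so a sticker key printed as `XR500-AA:BB:CC` is caught just as `xr500aabbcc` would be. Real vendors have used other derivations (hashes of the MAC or serial number); those are outside what a string comparison can detect and would need the vendor's key-generation algorithm to be reviewed directly.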