Singapore tightens security requirements for new home routers from April 2021

Apparatus

Effective from April 13 next year, home routers will have to meet new security requirements before they can be sold in Singapore.

Come April 13 next year, home routers will have to meet new security requirements before they can be put up for sale in Singapore. These include unique login credentials and default automatic downloads of security patches.

The new mandate is aimed at improving the security of these devices, which are popular targets amongst malicious hackers who are looking to breach home networks, according to industry regulator Infocomm Media Development Authority (IMDA). Stipulated as being part of the country's Technical Specifications for Residential Gateways, the enhanced security requirements were finalised following an earlier consultation exercise that sought feedback from the public and industry.

While these mandates are set to come into effect from 13 April 2021, home routers previously approved by IMDA will be allowed to remain on sale until October 12 next year.

Users of existing home routers will not need to change their current routers, but they are encouraged to purchase devices that are compliant with IMDA's cybersecurity requirements for their next upgrade or replacement. Users should also regularly update their device firmware, the agency said.

"Home routers are often the first entry point for cyber attacks targeting the public, as they form the key bridge between the internet and residents' home networks," IMDA said in a statement Monday. "[The] minimum security requirements for home routers [will] provide a safer and more secure internet experience for users, and strengthen the resilience of Singapore's telecommunications networks."

The government agency added that the move came amidst continued adoption of networked intelligent devices in homes, such as web cameras and baby monitors, which have given way to higher risks of cyber attacks that target such devices. It noted that Japan imposed similar requirements in April and the UK recently began to evaluate such requirements.

In Singapore, the enhanced security requirements include randomised and unique login credentials for each device, minimum password strength, disabling system services and interfaces that are deemed to be vulnerable, default automatic downloads of firmware updates for security patches, secure authentication of access to the device's management interface, and validation of data inputs to the device to safeguard against remote hacking.

Wi-Fi home routers that comply with IMDA's specifications would also meet Level 1 of the Cybersecurity Labelling Scheme, which was recently introduced by the Cyber Security Agency of Singapore. Home routers, as well as smart home hubs, that are assessed to be secure and compliant will bear these labels.

The labelling initiative is voluntary and comprises four levels of rating based on the number of asterisks, each indicating an additional tier of testing and assessment the product has gone through. The scheme aims to motivate manufacturers to develop more secure products, moving beyond designing such devices to optimise functionality and cost.

Level one, for instance, indicates that a product meets basic security requirements such as ensuring unique default passwords and providing software updates, while a level four product has undergone structured penetration tests by approved third-party test labs and fulfilled level three requirements.

Singapore is hoping to rope in other Asean nations to recognise the Cybersecurity Labelling Scheme.

Last week, Singapore unveiled its latest cybersecurity blueprint which focuses on digital infrastructures and cyber activities. The city-state also announced plans to set up a panel comprising global experts to offer advice on safeguarding its operational technology systems.

https://www.zdnet.com/article/singapore-tightens-security-requirements-for-new-home-routers/
 

firesong

Targeting routers is not enough. They need to target all networking devices - especially web cameras, door locks, and smart devices.

And frankly, the bar of entry is still low for "Level 1". They should raise it to forbidding devices from phoning home unnecessarily.

And they should mandate that devices be secured on the consumer end, not at the ISP level. So no such thing as backdoors for ISPs to remote manage any devices located within consumer premises.
 

Henry Ng

> Targeting routers is not enough. They need to target all networking devices - especially web cameras, door locks, and smart devices.
>
> And frankly, the bar of entry is still low for "Level 1". They should raise it to forbidding devices from phoning home unnecessarily.
>
> And they should mandate that devices be secured on the consumer end, not at the ISP level. So no such thing as backdoors for ISPs to remote manage any devices located within consumer premises.

At a start they concentrate on router first. Then later do other devices. They start with low expectations first, later sure upgrade. This is a very good start.
 

miloaisdino

> Targeting routers is not enough. They need to target all networking devices - especially web cameras, door locks, and smart devices.
>
> And frankly, the bar of entry is still low for "Level 1". They should raise it to forbidding devices from phoning home unnecessarily.
>
> And they should mandate that devices be secured on the consumer end, not at the ISP level. So no such thing as backdoors for ISPs to remote manage any devices located within consumer premises.

many retailers might just label the devices as "wireless access points (AP)" rather than routers to skirt this requirement...
 

Henry Ng

> many retailers might just label the devices as "wireless access points (AP)" rather than routers to skirt this requirement...

The box will have the manufacturer's printing on it, so whether it is a router or an access point can be told. Maybe they have some way to control such classification, whether it is a router or an access point. It is just not mentioned in the press release.
 

TanKianW

Anything is better than nothing.;)

With more WFH, the importance of securing the home network has greatly increased.
 

Apex

Will this cause router prices to increase, as at the end of the day somebody has to pay for all these new requirements?
 

xiaofan

Provided Router updates.....

Quite a number of router products will fail this requirement.

Yes, this is the real problem: many networking devices will fail. Linksys is certainly not the worst, but it is already not good.

Just take a look at the popular Starhub Linksys EA8100 (HW version 1).

https://www.linksys.com/sg/support-article?articleNum=226212

FIRMWARE FOR STARHUB
Ver. 1.0.2.193233
Latest Date: 4/15/2018

It was launched on 7 July 2018 as a Starhub exclusive. Basically it has never got a FW update after release.
https://www.hardwarezone.com.sg/tec...-first-offer-linksys-new-ea8100-ac2600-router

EA7500 v2 is a bit better.
https://www.linksys.com/us/support-article?articleNum=183933

FIRMWARE
Ver. 2.0.8.194281
Latest Date: 8/15/2019
Download 33.0 MB

M1 Linksys WRT32X Gaming router
https://www.linksys.com/us/support-article?articleNum=226203
FIRMWARE
Ver. 1.0.180404.58
Latest Date: 4/23/2018
Download 10.2 MB

D-Link and TP-Link will not be good either.
The old Starhub D-Link DIR-868L last Starhub Firmware 1.21 is also quite some time ago.
https://www.dlink.com.sg/starhub/DIR-868L.html

Hopefully Level 1 will require vendors to provide FW security updates for 5 years (at least three years as routers are usually used for more than 3 years).
 

firesong

> At a start they concentrate on router first. Then later do other devices. They start with low expectations first, later sure upgrade. This is a very good start.

I accept it's a start. As to whether it can be considered a good start, that's not necessarily the case.

The recent exposition of home web camera footage being uploaded to pornographic web sites shows that these other devices also come with default passwords and poor configuration (for the sake of "plug and play"), and by whatever internal routing algorithms, can bypass router settings (or just get through using UPnP). This usually has almost nothing to do with the router configuration. They need to raise the bar to force proper configuration for the sake of security, not merely at the gateway end, but also at the device end.

This is why I stated that it's not enough. They don't address the problem by targeting the routers, and it's a poor level of targeting if they are serious about security. It is far too low to make any significant change at all, when you consider everything as a whole. In fact, it may not bring any actual improvement, and may lull users into a false sense of security.
 

firesong

> many retailers might just label the devices as "wireless access points (AP)" rather than routers to skirt this requirement...

Yep. I suspect it's far easier to reflash and disable routing features in order to move stocks off the shelf. Anyway, people need more APs than routers at home. They need to work at educating people for proper coverage. It could work if they play their cards right.

> Provided Router updates.....
>
> Quite a number of router products will fail this requirement.

Also, updates for how long? This should be stipulated. 2y? 3y? One update after you buy it?
 

xiaofan

> Targeting routers is not enough. They need to target all networking devices - especially web cameras, door locks, and smart devices.
>
> And frankly, the bar of entry is still low for "Level 1". They should raise it to forbidding devices from phoning home unnecessarily.
>
> And they should mandate that devices be secured on the consumer end, not at the ISP level. So no such thing as backdoors for ISPs to remote manage any devices located within consumer premises.

The phone home feature is probably difficult to ban and for the authority to test and judge what is necessary and not necessary.

As for the ISP remote management thingy, that is probably another thing difficult for the government to enforce.

But yes there are more problematic device like the home security camera, and lots of smart home or IoT devices, and smart TVs, Android TV boxes, mobile phones, etc.
 

xiaofan

> Also, updates for how long? This should be stipulated. 2y? 3y? One update after you buy it?

Three years after initial market launch, or two years after product discontinuation, whichever is later?

Certain industry needs to support like 10 years or even longer (not uncommon for a platform to last for 20 years). But this certainly is not possible for the consumer industry.
 

forests_gump

tiny red dot don't even produce router, but keep demanding customization for a tiny population. This will only cause large player less willing to enter our market, smaller player may customize to our requirements, but paying high price for substandard performance.
 

firesong

> tiny red dot don't even produce router, but keep demanding customization for a tiny population. This will only cause large player less willing to enter our market, smaller player may customize to our requirements, but paying high price for substandard performance.

Well, if more countries come on board and it becomes a global initiative, I'd say it's a good move overall.

Just because they don't produce the equipment does not mean that users should accept substandard security. And since no one bothers to update these things, the process is left to automation.

You only need to look to mobile phones to see that the requirements are not new - set your own password, frequent updates pushed out to devices, 2-3y update policy. These are things done on mobile phones and even desktop computers, so why not automated "smart" boxes through which you receive residential internet access?

But again management must be done within the doors, not from a remote location. The ISP should be restricted in their scope to manage up to the gate of one's private home, not beyond.
 

firesong

> The phone home feature is probably difficult to ban and for the authority to test and judge what is necessary and not necessary.
>
> As for the ISP remote management thingy, that is probably another thing difficult for the government to enforce.
>
> But yes there are more problematic device like the home security camera, and lots of smart home or IoT devices, and smart TVs, Android TV boxes, mobile phones, etc.

Consumer premises equipment is and should be under the purview of the user, not anything external. If necessary, the ISP has to schedule an onsite visit. If not, they should up their game and do their jobs properly.

I've experienced it myself - if they can't even configure and push the right configurations, you cannot trust them with more important things like security. They demonstrate they don't know what they are doing.
 

forests_gump

Even login credentials & default automatic download security patches are still just substandard security.

It takes much more than to harden.
 