HWZ Forums


Singapore tightens security requirements for new home routers, coming next April 2021

#16, 18-10-2020, 04:58 PM
Also, updates for how long? This should be stipulated. 2y? 3y? One update after you buy it?
Three years after initial market launch, or two years after product discontinuation, whichever is later?

Certain industries need to support something like 10 years or even longer (it is not uncommon for a platform to last 20 years). But this is certainly not possible for the consumer industry.

Last edited by xiaofan; 18-10-2020 at 05:02 PM..
-- xiaofan
#17, 18-10-2020, 06:02 PM
Tiny red dot doesn't even produce routers, but keeps demanding customization for a tiny population. This will only make large players less willing to enter our market; smaller players may customize to our requirements, but at a high price for substandard performance.
-- forests_gump
#18, 18-10-2020, 06:15 PM
Tiny red dot doesn't even produce routers, but keeps demanding customization for a tiny population. This will only make large players less willing to enter our market; smaller players may customize to our requirements, but at a high price for substandard performance.
Well, if more countries come on board and it becomes a global initiative, I'd say it's a good move overall.

Just because they don't produce the equipment does not mean that users should accept substandard security. And since no one bothers to update these things, the process is left to automation.

You only need to look to mobile phones to see that the requirements are not new - set your own password, frequent updates pushed out to devices, 2-3y update policy. These are things done on mobile phones and even desktop computers, so why not automated "smart" boxes through which you receive residential internet access?

But again management must be done within the doors, not from a remote location. The ISP should be restricted in their scope to manage up to the gate of one's private home, not beyond.
-- firesong
#19, 18-10-2020, 06:17 PM
The phone home feature is probably difficult to ban and for the authority to test and judge what is necessary and not necessary.

As for the ISP remote management thingy, that is probably another thing difficult for the government to enforce.

But yes, there are more problematic devices like home security cameras, lots of smart home or IoT devices, smart TVs, Android TV boxes, mobile phones, etc.
Consumer premises equipment is and should be under the purview of the user, not anything external. If necessary, the ISP has to schedule an onsite visit. If not, they should up their game and do their jobs properly.

I've experienced it myself - if they can't even configure and push the right configurations, you cannot trust them with more important things like security. They demonstrate they don't know what they are doing.
-- firesong
#20, 18-10-2020, 08:06 PM
Even login credentials and automatic downloading of security patches by default are still just substandard security.

It takes much more than that to harden.
-- forests_gump
#21, 18-10-2020, 09:28 PM
Consumer premises equipment is and should be under the purview of the user, not anything external. If necessary, the ISP has to schedule an onsite visit. If not, they should up their game and do their jobs properly.

I've experienced it myself - if they can't even configure and push the right configurations, you cannot trust them with more important things like security. They demonstrate they don't know what they are doing.
I understand your unhappiness towards SingTel with regard to the ONR saga and the unresolved IPv6 issue. Basically it is not a good choice for a power user like you to go with SingTel ONR.

On the other hand, you can argue whether it is better to leave the security of the main home router to the ISP or to the average user.

One of the compromises may be to leave the security to the ISP yet allow certain aspects to the average user (say, simple setup like wireless password, DNS server and parental control) and yet allow power users to have more freedom.

SingTel ONR plus the free wireless AP or the added Mesh is supposed to be the compromise; unfortunately the ONR falls short in terms of basic features, the customized Arcadyan AP also falls a bit short (lousy as a router, not too shabby as an AP), and the customized SingTel Mesh sucks...

Old Aztech routers have a backdoor password. Even the Huawei ONRs have the same backdoor. So in the end I have to agree SingTel is probably not there yet.

So now all the other ISPs (except Viewquest 2Gbps and Whizcomms) use ONTs (not counting the SI 10Gbps plan). Do you think it is really good? Certainly not. Average users may set a simple wireless password for "simplicity". The vendor may not provide security updates. Even those who do provide updates also use very old Linux kernels.

That is also what happens to home security cameras: default passwords are everywhere, no FW updates after release. Suddenly MyRepublic carrier NAT becomes a blessing; at least the attack surface is reduced.
-- xiaofan
#22, 18-10-2020, 09:31 PM
In the end, probably all stakeholders, the authorities, the equipment vendors, ISPs and consumers, all need to play their part.

Not easy indeed.
-- xiaofan
#23, 18-10-2020, 10:08 PM
I understand your unhappiness towards SingTel with regard to the ONR saga and the unresolved IPv6 issue. Basically it is not a good choice for a power user like you to go with SingTel ONR.

On the other hand, you can argue whether it is better to leave the security of the main home router to the ISP or to the average user.

One of the compromises may be to leave the security to the ISP yet allow certain aspects to the average user (say, simple setup like wireless password, DNS server and parental control) and yet allow power users to have more freedom.

SingTel ONR plus the free wireless AP or the added Mesh is supposed to be the compromise; unfortunately the ONR falls short in terms of basic features, the customized Arcadyan AP also falls a bit short (lousy as a router, not too shabby as an AP), and the customized SingTel Mesh sucks...

Old Aztech routers have a backdoor password. Even the Huawei ONRs have the same backdoor. So in the end I have to agree SingTel is probably not there yet.

So now all the other ISPs (except Viewquest 2Gbps and Whizcomms) use ONTs (not counting the SI 10Gbps plan). Do you think it is really good? Certainly not. Average users may set a simple wireless password for "simplicity". The vendor may not provide security updates. Even those who do provide updates also use very old Linux kernels.

That is also what happens to home security cameras: default passwords are everywhere, no FW updates after release. Suddenly MyRepublic carrier NAT becomes a blessing; at least the attack surface is reduced.
The only reason they even came up with this half-baked solution was primarily to enable their proprietary implementations. Which is why, as anyone knows, whenever things change, they become even more entrenched in a hole they should never have begun digging. The other operators with phone service don't have this problem - the other local operator that provides TV does not have this problem either. It is a clear demonstration of the proprietary nature of their implementation.

Point is again the same: beyond the gate of the house, the ISP can manage. Once within the premises, it is up to the home user to manage. Leaving security to be managed by people who prove time and again they don't know what they are doing is suicidal. Having backdoors open is not a security-minded approach at all, from any security standpoint.

As you point out rightly, Singtel by implementation has been forcing all their users to leave backdoors open. Backdoors are free for anyone on the Internet to exploit. Power user or not, this should never be the approach: the separate router implementation is already more secure by design than someone else having configuration access to your router.

The fact that they can only do bridge mode on one particular ONR and not any of the others they deploy (3 separate models, at least), proves that it is a proprietary and not a standard implementation.
-- firesong
#24, 18-10-2020, 11:00 PM
I think most likely there will just be special firmware for SG. The onus could be on the retailer to flash it (I've had an incident before where Netgear instructed the distributor (Kaira, I think) to flash special VLAN-enabled FW for routers).

In this case, if people feel their privacy is threatened due to auto-update, they can always flash back to the global FW.
-- miloaisdino
#25, 18-10-2020, 11:07 PM
Yep. I suspect it's far easier to reflash and disable routing features in order to move stocks off the shelf. Anyway, people need more APs than routers at home. They need to work at educating people for proper coverage. It could work if they play their cards right.



Also, updates for how long? This should be stipulated. 2y? 3y? One update after you buy it?
Yeah, imagine if the power cuts out during flashing or there is corruption in the OTA download file; it would be an RMA nightmare for router manufacturers and distributors. Disabling routing features makes a lot more sense!

Another notable part of the press release is also that the regulations only apply to "home routers/residential gateways", meaning retailers could always push stock as "SOHO routers/enterprise gear" instead.

I should think IMDA would tolerate this as they trust consumers would be able to discern. If the product doesn't have their label, then consumers might think its security is "not fit for home use"?

https://www.imda.gov.sg/-/media/Imda...-SEC.pdf?la=en for reference

4.2.1 Device Pre-loaded Settings
a. The Residential Gateway shall disable the following system services (on both LAN and WAN
interfaces) by default:
i. WPS
ii. HNAP
iii. SSH
b. The Residential Gateway shall disable the following Residential Gateway WAN interfaces by
default:
i. NAT-PMP
ii. PCP
iii. Remote Administration
iv. SNMP
v. Telnet
vi. UPnP
c. The Residential Gateway shall disable feature(s) that collects and sends the device’s network
statistics data back to manufacturer by default.
d. The Residential Gateway shall enable its firewall by default and support NAT to prevent its
internal systems from being accessed directly from the Internet.
e. The Residential Gateway shall disable IPv6 tunnelling mechanisms by default. Most modern
operating systems use IPv6 by default and thus, some operating systems will attempt to pass
IPv6 traffic in an IPv4 wrapper using tunnelling capabilities, such as Teredo, 6to4, or ISATAP.

4.2.3 Authentication Handling
b. Authentication credentials shall be salted and hashed.

Many router manufacturers may not want to customise just for this.

d. Network management credentials, e.g., remote login credentials specified in Broadband
Forum’s Technical Report 069 (“TR-069”) shall not be displayed on the Residential
Gateway’s management web page.

Will this mean users won't be able to disable TR-069 without jumping through hoops?

4.3 Firmware Updates
a. The Residential Gateway shall automatically download the latest security patches.
b. The Residential Gateway shall be updated with the latest security patches automatically. Patching
could be carried out through different means and mechanisms, e.g., when Residential Gateway is
powered off and on.

More bricked routers might come.

Last edited by miloaisdino; 18-10-2020 at 11:39 PM..
-- miloaisdino
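The 4.2.1 clauses quoted above differ in scope: (a) requires WPS, HNAP and SSH off on both LAN and WAN, while (b) only constrains the WAN side, so a LAN-only UPnP default passes (b) but a LAN-only WPS default fails (a). The following Python is an added example, not code from the thread or from the IMDA document, that audits a constructed shipped-default profile against clauses (a) to (e) and produces a corrected profile; the config layout and field names are assumptions made for this example.

```python
# Added example (not from the thread or the IMDA document): audit a router's
# shipped defaults against the 4.2.1 clauses quoted above. The config layout
# and field names are assumptions made for this example.

DISABLED_ALL_INTERFACES = {"wps", "hnap", "ssh"}        # 4.2.1(a): off on LAN and WAN
DISABLED_ON_WAN = {"nat-pmp", "pcp", "remote-admin",    # 4.2.1(b): off on WAN only
                   "snmp", "telnet", "upnp"}
IPV6_TUNNELS = {"teredo", "6to4", "isatap"}             # 4.2.1(e): tunnels named

def audit_defaults(cfg):
    """Return (clause, finding) pairs for every default that violates 4.2.1.

    cfg["services"] maps a service name to the set of interfaces on which it
    is enabled by default; an empty set or a missing entry means disabled.
    """
    findings = []
    services = cfg.get("services", {})
    for name in sorted(DISABLED_ALL_INTERFACES):
        enabled_on = services.get(name, set())
        if enabled_on:  # any interface at all is a violation of (a)
            findings.append(("4.2.1(a)", f"{name} enabled on {sorted(enabled_on)}"))
    for name in sorted(DISABLED_ON_WAN):
        if "wan" in services.get(name, set()):  # LAN-side use is not constrained by (b)
            findings.append(("4.2.1(b)", f"{name} enabled on wan"))
    if cfg.get("telemetry_to_vendor", False):
        findings.append(("4.2.1(c)", "network statistics sent to manufacturer"))
    if not cfg.get("firewall_enabled", False):
        findings.append(("4.2.1(d)", "firewall disabled"))
    if not cfg.get("nat_enabled", False):
        findings.append(("4.2.1(d)", "NAT not enabled"))
    for tunnel in sorted(IPV6_TUNNELS & set(cfg.get("ipv6_tunnels_enabled", ()))):
        findings.append(("4.2.1(e)", f"IPv6 tunnel {tunnel} enabled"))
    return findings

def harden(cfg):
    """Return a copy of cfg with only the 4.2.1 violations corrected."""
    out = dict(cfg)
    services = {n: set(i) for n, i in cfg.get("services", {}).items()}
    for name in DISABLED_ALL_INTERFACES:
        services[name] = set()                               # off everywhere
    for name in DISABLED_ON_WAN:
        services[name] = services.get(name, set()) - {"wan"}  # LAN use may stay
    out["services"] = services
    out["telemetry_to_vendor"] = False
    out["firewall_enabled"] = True
    out["nat_enabled"] = True
    out["ipv6_tunnels_enabled"] = [t for t in cfg.get("ipv6_tunnels_enabled", ())
                                   if t not in IPV6_TUNNELS]
    return out

# Constructed sample profile: what a typical unit might ship with.
SHIPPED_DEFAULTS = {
    "services": {
        "wps": {"lan"},            # violates (a): LAN counts too
        "upnp": {"lan"},           # allowed by (b): only WAN is constrained
        "telnet": {"lan", "wan"},  # violates (b): reachable from WAN
        "snmp": {"wan"},           # violates (b)
    },
    "telemetry_to_vendor": True,   # violates (c)
    "firewall_enabled": True,
    "nat_enabled": True,
    "ipv6_tunnels_enabled": ["6to4"],  # violates (e)
}
```

Running `audit_defaults(SHIPPED_DEFAULTS)` yields five findings, and `audit_defaults(harden(SHIPPED_DEFAULTS))` yields none while UPnP stays enabled on the LAN side.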
#26, 20-10-2020, 04:47 PM
They explicitly state that SSH must be disabled by default on both WAN/LAN interfaces, yet say nothing about telnet?

They state that IPv6 tunnels should be disabled by default - but it is already an IMDA requirement since 2013 that all residential connections must support IPv6. When native IPv6 connectivity is available, tunnels won't be used.

"The Residential Gateway shall enable its firewall by default and support NAT to prevent its internal systems from being accessed directly from the Internet." - this is likely to cause confusion; NAT is not a security mechanism, the firewall is... Ideally you have routable addresses on both sides with no NAT, and the firewall providing access control. Such access control should prohibit inbound connections by default but allow users to open them as required.

Disable UPNP and NAT-PMP by default - makes sense, although sometimes inbound connectivity is desirable (eg for p2p applications, enabling lower latency for voip and gaming among other things)... Users would need to understand and explicitly enable such things, which they probably won't.

"The login account shall be blocked after a fixed number of unsuccessful login attempts." - by blocking the login account, you've implemented an easy DoS... There is a requirement for a fallback, however the option of a factory reset could be extremely inconvenient as you'd lose all your configuration.

Login page requiring HTTPS - if the certificate is self-signed then there's little point, as it's susceptible to an easy MITM... If they use a public cert then what hostname and cert do they use? They will end up using a static public cert on a common hostname, and then someone can extract the cert and private key from the device and reuse it for attacks.
-- bert64
#27, 20-10-2020, 04:52 PM
I accept it's a start. As to whether it can be considered a good start, that's not necessarily the case.

The recent exposition of home web camera footage being uploaded to pornographic web sites shows that these other devices also come with default passwords and poor configuration (for the sake of "plug and play"), and by whatever internal routing algorithms, can bypass router settings (or just get through using UPnP). This usually has almost nothing to do with the router configuration. They need to raise the bar to force proper configuration for the sake of security, not merely at the gateway end, but also at the device end.

This is why I stated that it's not enough. They don't address the problem by targeting the routers, and it's a poor level of targeting if they are serious about security. It is far too low to make any significant change at all, when you consider everything as a whole. In fact, it may not bring any actual improvement, and may lull users into a false sense of security.
In many cases it's not even UPnP..
A lot of these cameras implement a cloud model to bypass NAT, so the data is actually transferred via a server operated by the manufacturer, and the camera itself makes an outbound connection to the manufacturer's server. So long as you allow outbound connections (which almost all routers will by default), the camera can phone home and be controlled by the manufacturer's server.

If someone compromises that server, or gains access to the user's account etc., they can view the footage. In some cases gaining access is as simple as knowing the serial number of the device, or scanning a QR code. Serial numbers can be brute-forced pretty easily as they are usually sequential.

Preventing inbound connections at the router level provides a false sense of security in cases like this, and many low-end routers won't provide facilities to monitor the outbound traffic being generated by cameras and other random devices.
-- bert64
#28, 20-10-2020, 05:06 PM
They state that IPv6 tunnels should be disabled by default - but it is already an IMDA requirement since 2013 that all residential connections must support IPv6. When native IPv6 connectivity is available, tunnels won't be used.
I was looking for the source for this. Can't find it so I thought it was pulled.

Also, it's only Singtel that uses IPv6 tunnels. The others implement it natively.

In many cases it's not even UPnP..
A lot of these cameras implement a cloud model to bypass NAT, so the data is actually transferred via a server operated by the manufacturer, and the camera itself makes an outbound connection to the manufacturer's server. So long as you allow outbound connections (which almost all routers will by default), the camera can phone home and be controlled by the manufacturer's server.

If someone compromises that server, or gains access to the user's account etc., they can view the footage. In some cases gaining access is as simple as knowing the serial number of the device, or scanning a QR code. Serial numbers can be brute-forced pretty easily as they are usually sequential.

Preventing inbound connections at the router level provides a false sense of security in cases like this, and many low-end routers won't provide facilities to monitor the outbound traffic being generated by cameras and other random devices.
This is why I said upfront that targeting routers only was a poor idea from the start. Do it right the first time, and target all devices that must connect to the internet.

Edit: Even midrange routers will likely not have these facilities. Unless they mandate that routers block phoning home, but this will also block software updates.

Last edited by firesong; 20-10-2020 at 05:12 PM..
-- firesong
#29, 20-10-2020, 05:41 PM
I was looking for the source for this. Can't find it so I thought it was pulled.
Document is at: https://www.imda.gov.sg/-/media/Imda...-SEC.pdf?la=en

Section: 4.2.1 Device Pre-loaded Settings, subsection e.

Also, it's only Singtel that uses IPv6 tunnels. The others implement it natively.
Yes, and not enabled by default, and not available for new customers... It's no wonder that Singapore has now fallen behind Myanmar in terms of IPv6 deployment (https://stats.labs.apnic.net/ipv6).

This is why I said upfront that targeting routers only was a poor idea from the start. Do it right the first time, and target all devices that must connect to the internet.

Edit: Even midrange routers will likely not have these facilities. Unless they mandate that routers block phoning home, but this will also block software updates.
There are simply too many different devices, it would become a nightmare to manage, and people will in any case end up using grey market imports etc... But yes the focus on the externally facing perimeter completely misses these other risks and gives a false sense of security.
-- bert64
#30, 20-10-2020, 05:51 PM
Document is at: https://www.imda.gov.sg/-/media/Imda...-SEC.pdf?la=en

Section: 4.2.1 Device Pre-loaded Settings, subsection e.
Oh not this part. I meant the latter part, about mandating IPv6. I was looking for that stipulation. I have this document already.

Sorry I was unclear.

There are simply too many different devices, it would become a nightmare to manage, and people will in any case end up using grey market imports etc... But yes the focus on the externally facing perimeter completely misses these other risks and gives a false sense of security.
Or just leave it to users to report errant devices. They only need to set the law and to fine aberrant manufacturers and retailers, not manage the devices themselves. It is not their responsibility to manage individual devices, but it is to raise security requirements to protect citizens.

On the flip side, citizens who constantly flout these laws can likewise be punished appropriately. If they can manage a smartphone and set passwords for that, they can definitely manage some router configurations.
-- firesong