HWZ Forums

Singapore tightens security requirements for new home routers from April 2021

Old 18-10-2020, 12:18 PM   #1
Arch-Supremacy Member
 
Join Date: May 2005
Posts: 24,535
Effective from April 13 next year, home routers will have to meet new security requirements before they can be sold in Singapore.

Come April 13 next year, home routers will have to meet new security requirements before they can be put up for sale in Singapore. These include unique login credentials and default automatic downloads of security patches.

The new mandate is aimed at improving the security of these devices, which are popular targets amongst malicious hackers who are looking to breach home networks, according to industry regulator Infocomm Media Development Authority (IMDA). Stipulated as being part of the country's Technical Specifications for Residential Gateways, the enhanced security requirements were finalised following an earlier consultation exercise that sought feedback from the public and industry.

While these mandates are set to come into effect from 13 April 2021, home routers previously approved by IMDA will be allowed to remain on sale until October 12 next year.

Users of existing home routers will not need to change their current routers, but they are encouraged to purchase devices that are compliant with IMDA's cybersecurity requirements for their next upgrade or replacement. Users should also regularly update their device firmware, the agency said.

"Home routers are often the first entry point for cyber attacks targeting the public, as they form the key bridge between the internet and residents' home networks," IMDA said in a statement Monday. "[The] minimum security requirements for home routers [will] provide a safer and more secure internet experience for users, and strengthen the resilience of Singapore's telecommunications networks."

The government agency added that the move came amidst continued adoption of networked intelligent devices in homes, such as web cameras and baby monitors, which have given way to higher risks of cyber attacks that target such devices. It noted that Japan imposed similar requirements in April and the UK recently began to evaluate such requirements.

In Singapore, the enhanced security requirements include randomised and unique login credentials for each device, minimum password strength, disabling system services and interfaces that are deemed to be vulnerable, default automatic downloads of firmware updates for security patches, secure authentication of access to the device's management interface, and validation of data inputs to the device to safeguard against remote hacking.

Wi-Fi home routers that comply with IMDA's specifications would also meet Level 1 of the Cybersecurity Labelling Scheme, which was recently introduced by the Cyber Security Agency of Singapore. Home routers, as well as smart home hubs, that are assessed to be secure and compliant will bear these labels.

The labelling initiative is voluntary and comprises four levels of rating based on the number of asterisks, each indicating an additional tier of testing and assessment the product has gone through. The scheme aims to motivate manufacturers to develop more secure products, moving beyond designing such devices to optimise functionality and cost.

Level one, for instance, indicates that a product meets basic security requirements such as ensuring unique default passwords and providing software updates, while a level four product has undergone structured penetration tests by approved third-party test labs and fulfilled level three requirements.

Singapore is hoping to rope in other Asean nations to recognise the Cybersecurity Labelling Scheme.

Last week, Singapore unveiled its latest cybersecurity blueprint which focuses on digital infrastructures and cyber activities. The city-state also announced plans to set up a panel comprising global experts to offer advice on safeguarding its operational technology systems.

https://www.zdnet.com/article/singap...-home-routers/
Apparatus is online now   Reply With Quote
Old 18-10-2020, 12:36 PM   #2
Senior Member
 
Join Date: Jan 2001
Posts: 1,157
Targeting routers is not enough. They need to target all networking devices - especially web cameras, door locks, and smart devices.

And frankly, the bar of entry is still low for "Level 1". They should raise it to forbidding devices from phoning home unnecessarily.

And they should mandate that devices be secured on the consumer end, not at the ISP level. So no such thing as backdoors for ISPs to remote manage any devices located within consumer premises.
firesong is offline   Reply With Quote
Old 18-10-2020, 01:24 PM   #3
Arch-Supremacy Member
 
Join Date: Aug 2011
Posts: 12,195
Targeting routers is not enough. They need to target all networking devices - especially web cameras, door locks, and smart devices.

And frankly, the bar of entry is still low for "Level 1". They should raise it to forbidding devices from phoning home unnecessarily.

And they should mandate that devices be secured on the consumer end, not at the ISP level. So no such thing as backdoors for ISPs to remote manage any devices located within consumer premises.
At a start they concentrate on router first. Then later do other devices. They start with low expectations first, later sure upgrade. This is a very good start.
Henry Ng is offline   Reply With Quote
Old 18-10-2020, 01:28 PM   #4
Senior Member
 
Join Date: Mar 2016
Posts: 606
Targeting routers is not enough. They need to target all networking devices - especially web cameras, door locks, and smart devices.

And frankly, the bar of entry is still low for "Level 1". They should raise it to forbidding devices from phoning home unnecessarily.

And they should mandate that devices be secured on the consumer end, not at the ISP level. So no such thing as backdoors for ISPs to remote manage any devices located within consumer premises.
many retailers might just label the devices as "wireless access points (AP)" rather than routers to skirt this requirement...
daylight likes this.
miloaisdino is online now   Reply With Quote
Old 18-10-2020, 01:39 PM   #5
Arch-Supremacy Member
 
Join Date: Aug 2011
Posts: 12,195
many retailers might just label the devices as "wireless access points (AP)" rather than routers to skirt this requirement...
The box will have the manufacturer printing on it so whether it is router or access point can tell. Maybe they have some way to control such classification whether it is router or Access Point. It is just not mentioned in the press release.
Henry Ng is offline   Reply With Quote
Old 18-10-2020, 02:31 PM   #6
Supremacy Member
 
Join Date: Mar 2018
Posts: 5,126
Provided Router updates.....

Quite a number of router products will fail this requirement.
claypot_king is offline   Reply With Quote
Old 18-10-2020, 02:38 PM   #7
Master Member
 
Join Date: Apr 2005
Posts: 3,265
Anything is better than nothing.

With more WFH, the importance of securing the home network has greatly increased.
__________________
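Spring has its hundred flowers, autumn its moon; summer has cool breezes, winter its snow. If no idle matters weigh on the mind, that is the best season of human life.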
TanKianW is offline   Reply With Quote
Old 18-10-2020, 03:08 PM   #8
Senior Member
 
Join Date: Jan 2000
Posts: 1,820
Will this cause router prices to increase, as at the end of the day somebody has to pay for all these new requirements?
Apex is offline   Reply With Quote
Old 18-10-2020, 04:01 PM   #9
Supremacy Member
 
Join Date: Sep 2018
Posts: 6,528
Provided Router updates.....

Quite a number of router products will fail this requirement.
Yes, this is the real problem that many networking devices will fail. Linksys is certainly not the worst but it is already not good.

Just take a look at the popular Starhub Linksys EA8100 (HW version 1).

https://www.linksys.com/sg/support-a...icleNum=226212

FIRMWARE FOR STARHUB
Ver. 1.0.2.193233
Latest Date: 4/15/2018

It was launched on 7 July 2018 as a Starhub exclusive. Basically it has never got a FW update after release.
https://www.hardwarezone.com.sg/tech...-ac2600-router

EA7500 v2 is a bit better.
https://www.linksys.com/us/support-a...icleNum=183933

FIRMWARE
Ver. 2.0.8.194281
Latest Date: 8/15/2019
Download 33.0 MB

M1 Linksys WRT32X Gaming router
https://www.linksys.com/us/support-a...icleNum=226203
FIRMWARE
Ver. 1.0.180404.58
Latest Date: 4/23/2018
Download 10.2 MB

D-Link and TP-Link will not be good either.
The old Starhub D-Link DIR-868L last Starhub Firmware 1.21 is also quite some time ago.
https://www.dlink.com.sg/starhub/DIR-868L.html

Hopefully Level 1 will require vendors to provide FW security updates for 5 years (at least three years as routers are usually used for more than 3 years).

Last edited by xiaofan; 18-10-2020 at 04:29 PM..
xiaofan is offline   Reply With Quote
Old 18-10-2020, 04:02 PM   #10
High Supremacy Member
 
Join Date: Feb 2002
Posts: 28,251
Those homebrew how Sia?
zuoom is offline   Reply With Quote
Old 18-10-2020, 04:05 PM   #11
Supremacy Member
 
Join Date: Sep 2018
Posts: 6,528
Those homebrew how Sia?
No problem as you are on your own.

They are targeting the router vendors. You can always use your own OpenWrt/pfSense/etc based router.
xiaofan is offline   Reply With Quote
Old 18-10-2020, 04:22 PM   #12
Supremacy Member
 
Join Date: Sep 2018
Posts: 6,528
In terms of FW updates, Asus is pretty good.

M1 RT-AC1200G+: 2020 FW available
https://www.asus.com/Networking/RT-A...HelpDesk_BIOS/

M1 RT-AC2600: 2020 FW available
https://www.asus.com/sg/Networking/R...HelpDesk_BIOS/

Older M1 RT-AC56S: 2019 FW available
https://www.asus.com/sg/Networking/R...HelpDesk_BIOS/

2020 FW are available for popular models like RT-AC68U/85U/86U/87U/88U and RT-AC5300.

Last edited by xiaofan; 18-10-2020 at 04:38 PM..
xiaofan is offline   Reply With Quote
Old 18-10-2020, 04:43 PM   #13
Senior Member
 
Join Date: Jan 2001
Posts: 1,157
At a start they concentrate on router first. Then later do other devices. They start with low expectations first, later sure upgrade. This is a very good start.
I accept it's a start. As to whether it can be considered a good start, that's not necessarily the case.

The recent exposition of home web camera footage being uploaded to pornographic web sites shows that these other devices also come with default passwords and poor configuration (for the sake of "plug and play"), and by whatever internal routing algorithms, can bypass router settings (or just get through using UPnP). This usually has almost nothing to do with the router configuration. They need to raise the bar to force proper configuration for the sake of security, not merely at the gateway end, but also at the device end.

This is why I stated that it's not enough. They don't address the problem by targeting the routers, and it's a poor level of targeting if they are serious about security. It is far too low to make any significant change at all, when you consider everything as a whole. In fact, it may not be of any actual improvement, and lull users into a false sense of security.
firesong is offline   Reply With Quote
Old 18-10-2020, 04:46 PM   #14
Senior Member
 
Join Date: Jan 2001
Posts: 1,157
many retailers might just label the devices as "wireless access points (AP)" rather than routers to skirt this requirement...
Yep. I suspect it's far easier to reflash and disable routing features in order to move stocks off the shelf. Anyway, people need more APs than routers at home. They need to work at educating people for proper coverage. It could work if they play their cards right.

Provided Router updates.....

Quite a number of router products will fail this requirement.
Also, updates for how long? This should be stipulated. 2y? 3y? One update after you buy it?
firesong is offline   Reply With Quote
Old 18-10-2020, 04:51 PM   #15
Supremacy Member
 
Join Date: Sep 2018
Posts: 6,528
Targeting routers is not enough. They need to target all networking devices - especially web cameras, door locks, and smart devices.

And frankly, the bar of entry is still low for "Level 1". They should raise it to forbidding devices from phoning home unnecessarily.

And they should mandate that devices be secured on the consumer end, not at the ISP level. So no such thing as backdoors for ISPs to remote manage any devices located within consumer premises.
The phone home feature is probably difficult to ban and for the authority to test and judge what is necessary and not necessary.

As for the ISP remote management thingy, that is probably another thing difficult for the government to enforce.

But yes, there are more problematic devices like the home security camera, and lots of smart home or IoT devices, and smart TVs, Android TV boxes, mobile phones, etc.

Last edited by xiaofan; 18-10-2020 at 05:13 PM..
xiaofan is offline   Reply With Quote