Security design recommendations by governments

CISA (Cybersecurity & Infrastructure Security Agency, the US government's "operational lead for federal cybersecurity and the national coordinator for critical infrastructure security and resiliency") recently put out a call for SOHO Device Manufacturers to improve their security design, where "device" means "router". The intent of the call is to encourage the SOHO router designers to better secure their devices against exploitation, particularly against remote exploits. At this point these are recommendations, but one could imagine that some years in the future, they might be requirements.

I hope some of the developers will read this document and the related documents and consider the recommendations. When you think about why they are calling for these features to be implemented, you will see why they are useful, even if they are a PITA.

I believe OpenWRT falls into the group who should evaluate what is being advised. A quick search of the forum didn't show this mentioned, but I am not connected to all the developers who make this a great product.

I see two overall areas of concern for OpenWRT:

  1. Meeting or obviating the security recommendations.
  2. The impact that these recommendations might make on manufacturers that then causes them to block the ability for devices to deploy OpenWRT.

Meeting the security recommendations might encourage a manufacturer to build the physical device, but to have OpenWRT as the only operating system deployed on it. This might save the manufacturer the expense of developing an operating system, maintaining it, and assuring it meets the security requirements. It may also shield the manufacturer from certain liabilities (but that opens a whole can of worms for OpenWRT).

The document itself is pretty generic and itself lists 3 principles. Under principle 1 are 4 example points "SOHO router manufacturers should consider". Among these are signed software updates for vulnerabilities, "ideally without user intervention". It might be difficult, but I think it can be done for OpenWRT.

The one that I think developers might initially react negatively to is the requirement for "manual override" of secure defaults. It is unclear to me whether that means one must physically touch the device, or whether it means that a remote user simply needs to acknowledge the risk of changes.

But don't stop with this fairly generic document. Follow the links. In particular, look at NIST's Preliminary Draft IoT Cybersecurity Profile for Consumer Grade Routers, which currently is little more than an outline, but points to a comparison ("crosswalk") of a NIST document on IoT devices with standards from 4 other governments for consumer-grade routers. That, plus the 4 other standards, may be of interest.

[Just to avoid any confusion, I have no relation to CISA. I work for a private company (unrelated to the manufacture, selling, or servicing of routers). In my company, the requirements of the various US organizations become our requirements. Cyber security has been an interest of mine before it was called that.]

3 Likes

Despite my apparent agreement to this post/argument - this is just a late night, errant swipe on my touch screen.

Bold to read this by them... Especially the part where they say "Prevent Remote Exploitation"... Prevent it by who? The others but not them?

Aside from this, OpenWRT is already better than many other systems installed on routers, since we periodically publish releases with an up-to-date kernel and provide emergency updates if a big vulnerability is published and is fixed.

5 Likes

While your comment focuses on the country of the authoring organization, I hope you saw & read through at least the comparison to the other standards (Broadband Forum, Cable Labs, BSI (Germany), IMDA (Singapore)) if not the other standards themselves. The differences in security recommendations are always interesting. Each of us has an idea of what is secure (or secure enough, given trade-offs) but reviewing and considering what others set as a standard is healthy.

I chose OpenWRT for my home routers years ago after recognizing the poor security situation for purchased home routers. However, I see OpenWRT as having room for security improvements to meet the evolving security recommendations. Yes, security improvements need a volunteer to take them on, but I think it is important to at least be aware of where OpenWRT may not be up to security standards.

For instance, are OpenWRT.org-distributed sysupgrade files signed? I don't believe there is a default mechanism for doing automatic upgrades for at least vanilla configurations, or for positively alerting users of security updates (versus them polling if updates are available). Per the OpenWRT Security Hardening page, it appears that setting up HTTPS is indicated only for experts, with no mention of disabling HTTP. Another topic in the forum is currently discussing what OpenWRT might indicate as preferred wireless security.

I am not an OpenWRT developer, so I would be unaware if there is some effort to evaluate OpenWRT per existing or proposed standards. If not, I hope someone can look into it.