Tuesday, March 21, 2023

How an expiration date should make routers safer


Many Telekom customers had an unexpectedly contemplative weekend in the pre-Christmas period two years ago: after a hacker attack, more than a million routers failed. Phones were silent, the Internet was down, and anyone who received their TV program from the provider was left with a black screen.

The incident ended without serious consequences: the equipment was soon running again and greater damage did not occur – probably because the attacker behaved without any doubt. However, it was a wake-up call for politicians and authorities. Interior Minister Thomas de Maizière (CDU) called for manufacturers to take more responsibility.

Now the Federal Office for Information Security (BSI) is taking a first step to improve router security: on Friday the agency presented a guideline that sets a minimum level of IT security, for example with guidance on encryption and password security.

The specifications are not mandatory. BSI President Arne Schönbohm called on manufacturers to "accept this offer and install a minimum level of security in routers through design security." They should indicate this with a "mark on device". An official seal of approval does not yet exist, but one could come later.

The router is the central device on your home network. It connects notebooks and smartphones, as well as an increasing number of smart home products such as networked thermostats and Internet security cameras. With each new device, "the available attack area" grows, Schönbohm explained.

What cyber criminals do with botnets

On the one hand, offenders can access sensitive data, at least under certain circumstances, since emails, passwords, and visited websites pass through the router. On the other hand, they use the computing power of the devices to send malicious email or to attack websites.

The district court in Cologne has since convicted the perpetrator, who confessed that he wanted to build a so-called botnet. This is a network of thousands of computers and other electronic devices that criminals can control remotely.

The Briton said he had acted on behalf of a Liberian telecommunications provider. He wanted to paralyze a competitor with a botnet, he said in court. In the attempt, the malicious software crashed the routers of Telekom customers.

BSI now sets out specific security requirements. Manufacturers are urged to close serious security gaps through updates, or to make it transparent when they no longer update the software. Consumers should also be able to see at the time of purchase how long devices will receive security updates.

IT security should become a selling point

Additional instructions in the guideline refer, for example, to password handling. Manufacturers should not use the same default password for multiple devices, which is often an entry point for hackers. A firewall should also be standard equipment.

Whether consumers are actually better protected depends on whether manufacturers implement the guideline on a broad front. BSI insists that IT security become a selling point, similar to the familiar quality labels awarded by Stiftung Warentest. However, the agency does not intend to carry out checks.

A legal obligation is conceivable. The federal government is working on a project "for an IT Security Act 2.0 that, among other things, creates the conditions for a uniform IT security label and will also focus on software and hardware manufacturers," Interior Minister Horst Seehofer (CSU) said recently.

In general, experts consider it sensible to develop standards. However, certification must build on them so that the trustworthiness of a product can be verified, writes Stiftung Neue Verantwortung (SNV) in a working paper. In addition, "effective and receptive market surveillance" is needed to sanction violations.
