Tuesday, October 13th 2020

Singapore Introduces Strict Security Requirements for New Home Routers

The Singaporean Infocomm Media Development Authority (IMDA) has recently unveiled a suite of new security requirements for home routers. The new security requirements will include requiring unique login credentials, and automatic security patch updates. The new requirements were developed by IMDA in collaboration with private industry and the public. The mandates will apply to all new home routers sold in Singapore from 13 April 2021 however a grace period will apply for existing models until 12 October 2021. Singapore is one of the first countries to introduce such requirements after Japan, while the UK is currently evaluating such measures.
Source: zdnet
Add your own comment

20 Comments on Singapore Introduces Strict Security Requirements for New Home Routers

#1
TheLostSwede
Looks like a lot of router companies will be pulling out of Singapore now then. Too small market for this to have an impact regardless of how good this incentive is.
Posted on Reply
#2
zmeul
TheLostSwede
Looks like a lot of router companies will be pulling out of Singapore now then. Too small market for this to have an impact regardless of how good this incentive is.
assuming Singapore will be the only country making this requirement into law
Posted on Reply
#3
TheLostSwede
zmeul
assuming Singapore will be the only country making this requirement into law
If you read the article, they're the second country after Japan, with the UK possibly considering it as well.
These are still too small markets.
Obviously Japanese companies would follow this requirement, but in the UK, most people get a router from their ISP as part of their Internet service, so not many buy their own router. The last time I lived in the UK, I had a fibre connection from BT and one of their routers. I could not update the router myself, instead BT pushed updates to the router as and when they had an update. For this to become a common practice, a bigger market like the EU or the US needs to require this. I don't have anything against as such, as too many router makers issue one or two firmwares in the lifetime of a router, which simply isn't good enough.
Posted on Reply
#4
zmeul
they're not going to pull out because there are already consumer routers that do self FW updates, and it's easy to do
and if at least one producer does it will be enough to get the others into it
Posted on Reply
#5
ExcuseMeWtf
Why would they pull out? Whether really needed or not, those requirements don't seem all that stringent nowadays?
Posted on Reply
#6
TheLostSwede
zmeul
they're not going to pull out because there are already consumer routers that do self FW updates, and it's easy to do
and if at least one producer does it will be enough to get the others into it
Do you seriously think these companies are going to spend time and money to update already selling products to support these new features for Singapore alone? Not a snowballs chance in hell.
They would rather pull those products and even pull out of such a small market than spend the extra money and resources needed to support this. Singapore is a drop in the ocean for these companies.

I doubt any Chinese router maker would do this. I mean, look at TP-Link as a great example, they're easily the biggest and most well known Chinese router brand. Even their top tier routers get what, 3-4 updates in the life of the product.
Keep in mind that the manufacturers would also need additional server and service infrastructure for this to work.
Not even big brands like Netgear are all that good at providing security updates at a regular basis, although their more modern routers have an auto update feature.

Based on your answers, I can tell neither of you have worked in the router market. I have and the company I worked for was one of the few that actually provided regular updates. Sadly the company has gone tits up, as they made some flawed decisions that caused some financial problems in the end.
Posted on Reply
#7
mechtech
TheLostSwede
Looks like a lot of router companies will be pulling out of Singapore now then. Too small market for this to have an impact regardless of how good this incentive is.
"Singapore is one of the first countries to introduce such requirements after Japan "

Japan not so small........in terms of population and tech.
Posted on Reply
#8
TheLostSwede
mechtech
"Singapore is one of the first countries to introduce such requirements after Japan "

Japan not so small........in terms of population and tech.
It's still a small market, albeit, not tiny like Singapore.
As I mentioned above, Japanese companies are likely to conform, as that's what they do. The only Japanese router maker that I'm aware of that sells products outside of Japan is Buffalo. They have had a terrible UI for years, although I have no idea if that has improved over the past 5-6 years since I last used one.

Again, this needs a major market like the US or EU to implement the same requirements for this to really matter on a global scale.

Don't ge me wrong, I'm all in favour of regular security updates for routers, although I'm not so keen on automatic updates, as I've seen a few too many "smart home" products that have bricked themselves after receiving a non user controllable update.
Posted on Reply
#9
mechtech
TheLostSwede
It's still a small market, albeit, not tiny like Singapore.
As I mentioned above, Japanese companies are likely to conform, as that's what they do. The only Japanese router maker that I'm aware of that sells products outside of Japan is Buffalo. They have had a terrible UI for years, although I have no idea if that has improved over the past 5-6 years since I last used one.

Again, this needs a major market like the US or EU to implement the same requirements for this to really matter on a global scale.

Don't ge me wrong, I'm all in favour of regular security updates for routers, although I'm not so keen on automatic updates, as I've seen a few too many "smart home" products that have bricked themselves after receiving a non user controllable update.
Yes nothing wrong with better security, from glancing over it, the bar doesn't seem to be set too high

www.imda.gov.sg/news-and-events/Media-Room/Media-Releases/2020/IMDA-Publishes-Technical-Specifications-for-Residential-Gateways-Home-Routers-to-Enhance-Security

www.imda.gov.sg/-/media/Imda/Files/Regulation-Licensing-and-Consultations/ICT-Standards/Telecommunication-Standards/Radio-Comms/IMDA-TS-RG-SEC.pdf?la=en
Posted on Reply
#10
TheUn4seen
TheLostSwede
Do you seriously think these companies are going to spend time and money to update already selling products to support these new features for Singapore alone? Not a snowballs chance in hell.
They would rather pull those products and even pull out of such a small market than spend the extra money and resources needed to support this. Singapore is a drop in the ocean for these companies.

I doubt any Chinese router maker would do this. I mean, look at TP-Link as a great example, they're easily the biggest and most well known Chinese router brand. Even their top tier routers get what, 3-4 updates in the life of the product.
Keep in mind that the manufacturers would also need additional server and service infrastructure for this to work.
Not even big brands like Netgear are all that good at providing security updates at a regular basis, although their more modern routers have an auto update feature.

Based on your answers, I can tell neither of you have worked in the router market. I have and the company I worked for was one of the few that actually provided regular updates. Sadly the company has gone tits up, as they made some flawed decisions that caused some financial problems in the end.
But seriously, where do you see a problem? Unique passwords are already used even on cheap routers, and the requirement states, quote "automatic security patch updates". They don't require a set number or frequency of such updates, just the ability to perform them with no user intervention. You must have the ability to conform to the requirements, but you don't have to actually spend money to push any updates, which is exactly what will happen.
Let's be honest here, most users are not smart, not to say dumb as a brick. The number of people I've seen with "12345678" password they personally set "to make their life easier" is just scary.
Posted on Reply
#11
newtekie1
Semi-Retired Folder
TheLostSwede
Looks like a lot of router companies will be pulling out of Singapore now then. Too small market for this to have an impact regardless of how good this incentive is.
Honestly, this is a simple software fix. It would be stupid to pull out of an entire market just to avoid tweaking some software. Especially since this seems to be the way the industry is going anyway.
Posted on Reply
#12
TheLostSwede
newtekie1
Honestly, this is a simple software fix. It would be stupid to pull out of an entire market just to avoid tweaking some software. Especially since this seems to be the way the industry is going anyway.
Simple? Auto updating software is anything by simple, as it requires a whole bunch of server side stuff that I would be a lot of the cheap router makers aren't going to be willing to do for a nation of less than 6 million people. You have no idea how cheap some of these companies are.

Besides that, it means making new firmwares for products already in the market, if they want to continue selling those in Singapore from October 2021 and it simply won't happen in a lot of cases. Do you seriously think these companies are going to spend money, time and effort on doing a firmware update for a product that they never intended to update the firmware on? Way too many cheap routers, the most popular kind, sees one or two firmware updates in their lifespan, simple due to cheap ass companies. So no, I don't see any company doing this specifically for Singapore.
TheUn4seen
But seriously, where do you see a problem? Unique passwords are already used even on cheap routers, and the requirement states, quote "automatic security patch updates". They don't require a set number or frequency of such updates, just the ability to perform them with no user intervention. You must have the ability to conform to the requirements, but you don't have to actually spend money to push any updates, which is exactly what will happen.
Let's be honest here, most users are not smart, not to say dumb as a brick. The number of people I've seen with "12345678" password they personally set "to make their life easier" is just scary.
I wasn't talking about the unique passwords, hasn't that been pretty much standard for the past five years or something?

The issue is as per above, the automatic updates. It's a much bigger task than a lot of you seem to think it is. If it's not already there today, it won't be next year either and those product simply will no longer be on sale in Singapore.
Posted on Reply
#13
HugsNotDrugs
TheLostSwede
Do you seriously think these companies are going to spend time and money to update already selling products to support these new features for Singapore alone? Not a snowballs chance in hell.
They would rather pull those products and even pull out of such a small market than spend the extra money and resources needed to support this. Singapore is a drop in the ocean for these companies.

I doubt any Chinese router maker would do this. I mean, look at TP-Link as a great example, they're easily the biggest and most well known Chinese router brand. Even their top tier routers get what, 3-4 updates in the life of the product.
Keep in mind that the manufacturers would also need additional server and service infrastructure for this to work.
Not even big brands like Netgear are all that good at providing security updates at a regular basis, although their more modern routers have an auto update feature.

Based on your answers, I can tell neither of you have worked in the router market. I have and the company I worked for was one of the few that actually provided regular updates. Sadly the company has gone tits up, as they made some flawed decisions that caused some financial problems in the end.
Large manufacturers are very much capable of providing better software support on their routers. I suspect they will offer only a handful of routers for sale in these markets and support them appropriately.
Posted on Reply
#14
TheLostSwede
HugsNotDrugs
Large manufacturers are very much capable of providing better software support on their routers. I suspect they will offer only a handful of routers for sale in these markets and support them appropriately.
Right, that's kind of my point. The smaller players will pull out, as it's too much of a hassle for them. Asus, Netgear and a few others that already have these features will take over the market.
Posted on Reply
#15
Makaveli
If you are using an asus router I believe you will be fine, as for the other vendors YMMV.
Posted on Reply
#16
newtekie1
Semi-Retired Folder
TheLostSwede
Simple? Auto updating software is anything by simple, as it requires a whole bunch of server side stuff that I would be a lot of the cheap router makers aren't going to be willing to do for a nation of less than 6 million people. You have no idea how cheap some of these companies are.
Not really. If you just designate a spot on your website where the latest firmware will be located at all times, then program the router firmware to check that location for a firmware that is newer than what is currently installed, you're done. Heck, the location of the latest firmware can be an FTP site if they want to make it really simple.
TheLostSwede
Besides that, it means making new firmwares for products already in the market, if they want to continue selling those in Singapore from October 2021 and it simply won't happen in a lot of cases. Do you seriously think these companies are going to spend money, time and effort on doing a firmware update for a product that they never intended to update the firmware on? Way too many cheap routers, the most popular kind, sees one or two firmware updates in their lifespan, simple due to cheap ass companies. So no, I don't see any company doing this specifically for Singapore.
As far as I can tell, there is no requirement that manufacturers constantly keep releasing new firmwar's for their routers, only that if they do release new firmware that the router automatically download and install it.

You can see the new requirements here: www.imda.gov.sg/-/media/Imda/Files/News-and-Events/Media-Room/Media-Releases/10/Key-Cybersecurity-Requirements-by-IMDA.pdf?la=en

I see nothing in there about manufacturers being required to support products with new firmwares and security patched for a certain amount of time. The only requirement is that if there is a new firmware, it is downloaded and installed automatically.

Edit: The requirements are that the firmware is downloaded automatically, not installed.
Posted on Reply
#17
TheUn4seen
TheLostSwede
The issue is as per above, the automatic updates. It's a much bigger task than a lot of you seem to think it is. If it's not already there today, it won't be next year either and those product simply will no longer be on sale in Singapore.
Well, not really. Even cheap routers have an "Internet update" function. Just put that on a timer to run unattended and you have your law-compliant solution. This is not a 10GB software package downloaded a million times a day we're talking about.
Posted on Reply
#18
Minus Infinity
TheLostSwede
Do you seriously think these companies are going to spend time and money to update already selling products to support these new features for Singapore alone? Not a snowballs chance in hell.
They would rather pull those products and even pull out of such a small market than spend the extra money and resources needed to support this. Singapore is a drop in the ocean for these companies.

I doubt any Chinese router maker would do this. I mean, look at TP-Link as a great example, they're easily the biggest and most well known Chinese router brand. Even their top tier routers get what, 3-4 updates in the life of the product.
Keep in mind that the manufacturers would also need additional server and service infrastructure for this to work.
Not even big brands like Netgear are all that good at providing security updates at a regular basis, although their more modern routers have an auto update feature.

Based on your answers, I can tell neither of you have worked in the router market. I have and the company I worked for was one of the few that actually provided regular updates. Sadly the company has gone tits up, as they made some flawed decisions that caused some financial problems in the end.
Well just support them for all routers. Why not improve security. Companies like DLink and Netgear are already a joke so anything that improves their pathetic approach to security is welcome.
Posted on Reply
#19
TheLostSwede
Minus Infinity
Well just support them for all routers. Why not improve security. Companies like DLink and Netgear are already a joke so anything that improves their pathetic approach to security is welcome.
Not disagreeing that this shouldn't be done, I simply can't see some companies doing it. Netgear does this in their recent models already and if you buy the "right" models, then you actually get some form of support. That said, If highly recommend getting one of the routers supported by Voxel or Merlin if you want proper support.
Posted on Reply
#20
RoutedScripter
More like a smokescreen to add more hidden snooping to your router, doing things and making connections to unknown WAN locations on it's own, seems intrusive.
Posted on Reply
Add your own comment