Tuesday, October 13th 2020
Singapore Introduces Strict Security Requirements for New Home Routers
The Singaporean Infocomm Media Development Authority (IMDA) has recently unveiled a suite of new security requirements for home routers. The new security requirements will include requiring unique login credentials, and automatic security patch updates. The new requirements were developed by IMDA in collaboration with private industry and the public. The mandates will apply to all new home routers sold in Singapore from 13 April 2021 however a grace period will apply for existing models until 12 October 2021. Singapore is one of the first countries to introduce such requirements after Japan, while the UK is currently evaluating such measures.
Source:
zdnet
20 Comments on Singapore Introduces Strict Security Requirements for New Home Routers
These are still too small markets.
Obviously Japanese companies would follow this requirement, but in the UK, most people get a router from their ISP as part of their Internet service, so not many buy their own router. The last time I lived in the UK, I had a fibre connection from BT and one of their routers. I could not update the router myself, instead BT pushed updates to the router as and when they had an update. For this to become a common practice, a bigger market like the EU or the US needs to require this. I don't have anything against as such, as too many router makers issue one or two firmwares in the lifetime of a router, which simply isn't good enough.
and if at least one producer does it will be enough to get the others into it
They would rather pull those products and even pull out of such a small market than spend the extra money and resources needed to support this. Singapore is a drop in the ocean for these companies.
I doubt any Chinese router maker would do this. I mean, look at TP-Link as a great example, they're easily the biggest and most well known Chinese router brand. Even their top tier routers get what, 3-4 updates in the life of the product.
Keep in mind that the manufacturers would also need additional server and service infrastructure for this to work.
Not even big brands like Netgear are all that good at providing security updates at a regular basis, although their more modern routers have an auto update feature.
Based on your answers, I can tell neither of you have worked in the router market. I have and the company I worked for was one of the few that actually provided regular updates. Sadly the company has gone tits up, as they made some flawed decisions that caused some financial problems in the end.
Japan not so small........in terms of population and tech.
As I mentioned above, Japanese companies are likely to conform, as that's what they do. The only Japanese router maker that I'm aware of that sells products outside of Japan is Buffalo. They have had a terrible UI for years, although I have no idea if that has improved over the past 5-6 years since I last used one.
Again, this needs a major market like the US or EU to implement the same requirements for this to really matter on a global scale.
Don't ge me wrong, I'm all in favour of regular security updates for routers, although I'm not so keen on automatic updates, as I've seen a few too many "smart home" products that have bricked themselves after receiving a non user controllable update.
www.imda.gov.sg/news-and-events/Media-Room/Media-Releases/2020/IMDA-Publishes-Technical-Specifications-for-Residential-Gateways-Home-Routers-to-Enhance-Security
www.imda.gov.sg/-/media/Imda/Files/Regulation-Licensing-and-Consultations/ICT-Standards/Telecommunication-Standards/Radio-Comms/IMDA-TS-RG-SEC.pdf?la=en
Let's be honest here, most users are not smart, not to say dumb as a brick. The number of people I've seen with "12345678" password they personally set "to make their life easier" is just scary.
Besides that, it means making new firmwares for products already in the market, if they want to continue selling those in Singapore from October 2021 and it simply won't happen in a lot of cases. Do you seriously think these companies are going to spend money, time and effort on doing a firmware update for a product that they never intended to update the firmware on? Way too many cheap routers, the most popular kind, sees one or two firmware updates in their lifespan, simple due to cheap ass companies. So no, I don't see any company doing this specifically for Singapore. I wasn't talking about the unique passwords, hasn't that been pretty much standard for the past five years or something?
The issue is as per above, the automatic updates. It's a much bigger task than a lot of you seem to think it is. If it's not already there today, it won't be next year either and those product simply will no longer be on sale in Singapore.
You can see the new requirements here: www.imda.gov.sg/-/media/Imda/Files/News-and-Events/Media-Room/Media-Releases/10/Key-Cybersecurity-Requirements-by-IMDA.pdf?la=en
I see nothing in there about manufacturers being required to support products with new firmwares and security patched for a certain amount of time. The only requirement is that if there is a new firmware, it is downloaded
and installedautomatically.Edit: The requirements are that the firmware is downloaded automatically, not installed.