Eleanor Hecks, Editor of Designerly Magazine, draws out five key takeaways from NIST's consumer-grade router security recommendations, which include onboarding support
In September 2024, the United States National Institute of Standards and Technology (NIST) released a 40-page internal report called “NIST IR 8425A Recommended Cybersecurity Requirements for Consumer-Grade Router Products.” Some of its recommendations could affect items sold elsewhere, including the United Kingdom, particularly if company leaders feel it is too time-consuming or cost-prohibitive to make two separate products for each market. Which takeaways should those who purchase or make connected devices consider?
1. Consumer-grade routers should include minimal interfaces
The authors of this NIST report recommend that router manufacturers follow a secure-by-design approach and minimise the number of physical and logical interfaces on these items. That principle also requires router makers to remember that their products’ primary functionality is to bring internet access to devices in the home.
Moreover, routers do not need extraneous features accessible through their interfaces. One possibility mentioned in the NIST IR 8425A content is to allow people to manage configuration through a separate product component, such as an app.
2. Routers should offer integrated network onboarding support
The report’s authors also mention that the process of people adding new routers to their home networks should go beyond entering single passwords and ideally offer better security. One proposed solution is to send a push notification through a mobile app, requiring someone to respond and give explicit permission to add the router to the network. Though the recommendations mention that security measures must not prevent users’ legitimate attempts to use their routers, onboarding-related safeguards should ideally offer consumers more access control.
The UK also focused on onboarding security recently when the government banned easy-to-guess default passwords for connected devices, including routers. That change was part of a more extensive law that holds device manufacturers responsible for implementing minimum security standards to protect consumers.
3. Software update packages should feature multiple signatures
Another recommendation from NIST IR 8425A is that router software update packages have multiple signatures when possible. They should at least include those signed by the update’s source, which is the manufacturer in this case. However, other relevant entities could also cryptographically sign the update packages, adding another security layer. This includes internet service providers that own the routers and distribute them to customers as part of service agreements.
The improved security for software updates could reduce instances of consumers unknowingly downloading and installing malicious software disguised as a security patch. Research indicates that 99% of cyberattacks need human interaction to succeed. Many such interactions occur when people click on phishing emails, believing they are legitimate. However, things can also go wrong when internet users wait too long to install updates or never install them at all.
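To make the multiple-signature recommendation concrete, here is an added example in Go (written for this article, not code from the NIST report or from any router vendor) of how a router could verify an update package that must carry both a manufacturer and an ISP signature. The signer names, the trust-store layout and the "sign the SHA-256 digest with Ed25519" choice are assumptions of the example; the report recommends multiple signatures but does not prescribe the mechanism.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signature is one signer's signature over the firmware image.
// Signer names ("manufacturer", "isp") are constructed labels for this example.
type Signature struct {
	Signer string
	Sig    []byte
}

// UpdatePackage is a firmware image with zero or more detached signatures.
type UpdatePackage struct {
	Firmware   []byte
	Signatures []Signature
}

// TrustStore maps each signer name to the public key the router trusts for it.
// Assumption: the manufacturer key ships inside the router and the ISP key is
// provisioned when the ISP supplies the device to the customer.
type TrustStore map[string]ed25519.PublicKey

// NewKeyPair generates an Ed25519 key pair for one signer.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// digest is what every party signs: the SHA-256 hash of the firmware image.
func digest(firmware []byte) []byte {
	d := sha256.Sum256(firmware)
	return d[:]
}

// Sign appends signer's signature over the firmware digest to the package.
func Sign(pkg *UpdatePackage, signer string, priv ed25519.PrivateKey) {
	pkg.Signatures = append(pkg.Signatures, Signature{
		Signer: signer,
		Sig:    ed25519.Sign(priv, digest(pkg.Firmware)),
	})
}

// Verify succeeds only if every signer listed in required has a valid
// signature on the package under a key from the trust store. Signatures from
// parties not in required are ignored; a required signer with no trusted key
// fails closed.
func Verify(pkg *UpdatePackage, trust TrustStore, required []string) error {
	d := digest(pkg.Firmware)
	for _, name := range required {
		pub, ok := trust[name]
		if !ok {
			return fmt.Errorf("no trusted key for required signer %q", name)
		}
		valid := false
		for _, s := range pkg.Signatures {
			if s.Signer == name && ed25519.Verify(pub, d, s.Sig) {
				valid = true
				break
			}
		}
		if !valid {
			return fmt.Errorf("missing or invalid signature from %q", name)
		}
	}
	return nil
}

func main() {
	mPub, mPriv := NewKeyPair()
	iPub, iPriv := NewKeyPair()
	trust := TrustStore{"manufacturer": mPub, "isp": iPub}
	required := []string{"manufacturer", "isp"}

	// Constructed stand-in for a firmware image.
	pkg := &UpdatePackage{Firmware: []byte("constructed firmware image v1.2.3")}

	Sign(pkg, "manufacturer", mPriv)
	fmt.Println("manufacturer only:", Verify(pkg, trust, required))

	Sign(pkg, "isp", iPriv)
	fmt.Println("both signatures:  ", Verify(pkg, trust, required))

	pkg.Firmware[0] ^= 0x01 // one flipped bit invalidates every signature
	fmt.Println("tampered image:   ", Verify(pkg, trust, required))
}
```

The point of requiring all listed signers, rather than any one of them, is that a package signed only by whoever happens to hold one key (a compromised build pipeline, say) is still rejected; the router's policy decides which parties must co-sign, and a retail router that never sees an ISP could simply list the manufacturer alone.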
4. Routers need machine-readable asset identification
The NIST report also noted that consumer-grade routers could become more proactive components of overall network security if they include machine-readable asset identification. Such information could go beyond inventory purposes while still capturing specifics such as device types and firmware versions. However, any machine-readable asset identification method must preserve users' privacy.
Additionally, the content mentioned that although home users who buy routers could benefit from these identifiers, they will likely be more valuable in cases where consumers lease their routers from internet service providers or for people operating small businesses. Estimates indicate there will be 30.9 billion connected products used by 2025. As such products become more widespread, the lines between home and work-related router use blur, particularly for people who operate businesses from their residences.
5. Manufacturers should tighten log-related cybersecurity
The NIST report also emphasises the importance of cybersecurity-state awareness, as captured within the router’s logs. The authors note that log data can become valuable for IT teams doing forensic investigations after incidents, so protecting it with best practices is essential.
They mention safeguards such as encryption and password protection to make the log content less useful if compromised and restrict access to it. Moreover, allowing off-device storage of logs and preventing people from deleting their contents prevents accidental or intentional discarding of the material.
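The "prevent people from deleting log contents" recommendation is easier to reason about with a concrete mechanism in hand. The following is an added example in Go (written for this article, not code from the NIST report or from any router firmware) of a tamper-evident, hash-chained log: each entry carries an HMAC over its sequence number, the previous entry's tag and its message, and the latest tag is pushed off-device so that later truncation of the on-device copy can be detected. The HMAC-chain design, the key handling and the sample log lines are all assumptions of the example; the report calls for off-device storage and deletion protection without specifying how.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Entry is one log record. Tag is an HMAC over the sequence number, the
// previous entry's tag and the message, so each record commits to everything
// written before it.
type Entry struct {
	Seq uint64
	Msg string
	Tag []byte
}

// Log is an append-only, hash-chained log. Keeping the key inside this struct
// is a simplification for the example: on a real router it would live in
// protected storage, not alongside the entries it protects.
type Log struct {
	key     []byte
	Entries []Entry
}

func NewLog(key []byte) *Log { return &Log{key: key} }

// tag computes the HMAC for one entry position.
func tag(key []byte, seq uint64, prev []byte, msg string) []byte {
	mac := hmac.New(sha256.New, key)
	binary.Write(mac, binary.BigEndian, seq)
	mac.Write(prev)
	mac.Write([]byte{0}) // separator so prev||msg cannot be re-split
	mac.Write([]byte(msg))
	return mac.Sum(nil)
}

// Append adds a message and returns the new entry.
func (l *Log) Append(msg string) Entry {
	seq := uint64(len(l.Entries))
	e := Entry{Seq: seq, Msg: msg, Tag: tag(l.key, seq, l.Head(), msg)}
	l.Entries = append(l.Entries, e)
	return e
}

// Head is the tag of the most recent entry (nil for an empty log). This small
// value is what a router would push off-device after every write.
func (l *Log) Head() []byte {
	if len(l.Entries) == 0 {
		return nil
	}
	return l.Entries[len(l.Entries)-1].Tag
}

// VerifyChain replays the chain from the first entry. It reports a deleted or
// reordered entry (sequence gap), a modified entry (tag mismatch) and, when an
// off-device head is supplied, entries removed from the end (head mismatch).
func VerifyChain(key []byte, entries []Entry, offDeviceHead []byte) error {
	var prev []byte
	for i, e := range entries {
		if e.Seq != uint64(i) {
			return fmt.Errorf("sequence gap at position %d (found seq %d): entry deleted or reordered", i, e.Seq)
		}
		if !hmac.Equal(e.Tag, tag(key, e.Seq, prev, e.Msg)) {
			return fmt.Errorf("entry %d modified or chain broken", e.Seq)
		}
		prev = e.Tag
	}
	if offDeviceHead != nil && !hmac.Equal(prev, offDeviceHead) {
		return errors.New("log truncated: on-device head differs from off-device copy")
	}
	return nil
}

func main() {
	key := []byte("constructed demo key")
	l := NewLog(key)
	// Constructed sample router log lines.
	l.Append("dhcp: lease 192.168.1.20 granted")
	l.Append("admin: configuration login from 192.168.1.20")
	l.Append("update: firmware package applied")
	head := l.Head()
	fmt.Println("intact:   ", VerifyChain(key, l.Entries, head))

	cut := []Entry{l.Entries[0], l.Entries[2]} // middle entry deleted
	fmt.Println("deleted:  ", VerifyChain(key, cut, head))

	fmt.Println("truncated:", VerifyChain(key, l.Entries[:2], head))

	mod := append([]Entry{}, l.Entries...)
	mod[1].Msg = "admin: configuration login from 192.168.1.99"
	fmt.Println("modified: ", VerifyChain(key, mod, head))
}
```

Note the division of labour: the chain alone catches deletions from the middle and edits to any entry, but only the off-device copy of the head catches someone deleting the most recent entries, which is exactly why the report pairs deletion protection with off-device storage.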
Changes on the way for American-made connected products?
It is important to remember that these are just recommendations. Unlike the UK’s laws, including the PSTI Act — which make manufacturers responsible for meeting cybersecurity minimums — the NIST report may not trigger immediate or far-reaching changes.
However, many consumers in the United States and elsewhere are becoming more aware of cyberattack severity and frequency and want manufacturers to do more to create devices that hackers cannot exploit easily. If that desire keeps gaining momentum, more tech makers may adopt the suggestions here or complement them with other best practices.
Author: Eleanor Hecks, Editor of Designerly Magazine