Singapore IMDA Announces Stronger Security Requirements for Home Routers

Singapore IMDA

Infocomm Media Development Authority (“IMDA”) increases security requirements for home routers sold in Singapore

The increased proliferation of networked intelligent devices in homes such as web cameras and baby monitors has translated to higher risks of cyber-attacks that leverage such devices. Some of these devices have little or weak protection against cyber-attacks and are vulnerable to unauthorised access by malicious actors.

(“RG”), commonly known as home routers, are often the first entry point as they form the key bridge between the Internet and residents’ home networks.

To provide a safer and more secure Internet experience for users, and to strengthen the resilience of Singapore’s telecommunications networks, the Infocomm Media Development Authority (“IMDA”) today launched a public consultation to seek views from the industry and public on a new Technical Specification (“IMDA TS RG-SEC”) that will set out the minimum requirements for RGs.

Together with CSA’s Cybersecurity Labelling Scheme (CLS), this effort will raise the cybersecurity standards of IoT devices in Singapore. This will improve baseline standards for such devices and will be a pre-requisite for CSA’s cybersecurity label. Other jurisdictions are also evaluating similar requirements. Japan will be imposing similar requirements from April 2020, and the United Kingdom has also recently begun evaluating such requirements.

Public Consultation

IMDA is inviting views on the following key requirements:

  • Tightening password administration through mandating no default login passwords, and requiring minimum password strength for RG;
  • Securing default settings to better manage and control access to the RG, such as switching off unsecured Wi-Fi Protected Setup (“WPS”), and switching on the firewall by default;
  • Strengthening RG administration, in particular the applicability of maintaining secure communication protocols such as SSH or HTTPS  for device management interfaces to the RG; and
  • Updating RGs automatically with the latest firmware

IMDA has also engaged key RG manufacturers including Linksys and TP-Link, and also telecommunication service providers, who have expressed support for IMDA’s initiative to strengthen the security of home routers. Through these industry engagements, IMDA notes that some equipment manufacturers have already incorporated similar requirements in newer models of home routers. IMDA expects mainstream models will continue to remain affordable as new equipment compliant with IMDA’s requirements is launched.

To allow time for the industry to comply with the new technical requirements, the proposed changes will be effective six months after the finalised standards come into effect. Additionally, previously-approved home routers can continue to be sold until one year after the finalised standards come into effect. IMDA expects TS RG-SEC compliant RGs to be available from as early as end 2020, and all RGs sold in Singapore will be compliant by Q3 2021.

Source: News Release