Share this article on:
New Secure by Design Alert comes on the back of Chinese threat actor Volt Typhoon targeting small office/home office devices.
Both the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have released a new Secure By Design document, this time addressing the makers of SOHO – or small office/home office – devices.
In particular, the document addresses router manufacturers following the widespread exploitation of such devices by the Chinese government-backed threat actor known as Volt Typhoon.
“CISA and FBI are urging SOHO router manufacturers to build security into the design, development, and maintenance of SOHO routers to eliminate the path these threat actors are taking to compromise these devices and use these devices as launching pads to further compromise US critical infrastructure entities,” CISA said in a statement.
The first directive from the two agencies is a simple one: eliminate any defect within SOHO routers’ web interfaces that might be exploited by a threat actor. A simple directive, but no doubt harder in practice – but also no doubt achievable.
Secondly, CISA and the FBI want router makers to change the default configuration of SOHO devices so that updates are automated and a manual override is needed to remove security settings. The web management interface should also ideally be located on the LAN side ports.
Router manufacturers should also disclose any vulnerabilities using the Common Vulnerabilities and Exposures program, along with complete Common Weakness Enumeration (CWE) classifications. Such a move, CISA suggests, would help protect against campaigns like Volt Typhoon’s, which uses living-off-the-land techniques to lurk on the networks of US critical infrastructure operations.
“Just as software and hardware manufacturing executives care about cost, they should prioritise the security of their products,” CISA said. “Leaders must consider the full picture: that customers, our economy, and our national security are currently bearing the brunt of business decisions to not build security into their products.”
“Moreover, directing the business toward secure-by-design software development may reduce financial and productivity costs as well as complexity. Leaders should make the appropriate investments and develop the right incentive structures that promote security as a stated business goal.”
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.