Singapore tightens security requirements for new home routers

Effective from April 13 next year, home routers will have to meet new security requirements before they can be sold in Singapore.
Written by Eileen Yu, Senior Contributing Editor

Come April 13 next year, home routers will have to meet new security requirements before they can be put up for sale in Singapore. These include unique login credentials and default automatic downloads of security patches. 

The new mandate is aimed at improving the security of these devices, which are popular targets amongst malicious hackers who are looking to breach home networks, according to industry regulator Infocomm Media Development Authority (IMDA). Stipulated as being part of the country's Technical Specifications for Residential Gateways, the enhanced security requirements were finalised following an earlier consultation exercise that sought feedback from the public and industry. 

While these mandates are set to come into effect from 13 April 2021, home routers previously approved by IMDA will be allowed to remain on sale until October 12 next year.

Users of existing home routers will not need to change their current routers, but they are encouraged to purchase devices that are compliant with IMDA's cybersecurity requirements for their next upgrade or replacement. Users should also regularly update their device firmware, the agency said. 

"Home routers are often the first entry point for cyber attacks targeting the public, as they form the key bridge between the internet and residents' home networks," IMDA said in a statement Monday. "[The] minimum security requirements for home routers [will] provide a safer and more secure internet experience for users, and strengthen the resilience of Singapore's telecommunications networks."

The government agency added that the move came amidst continued adoption of networked intelligent devices in homes, such as web cameras and baby monitors, which have given way to higher risks of cyber attacks that target such devices. It noted that Japan imposed similar requirements in April and the UK recently began to evaluate such requirements.

In Singapore, the enhanced security requirements include randomised and unique login credentials for each device, minimum password strength, disabling system services and interfaces that are deemed to be vulnerable, default automatic downloads of firmware updates for security patches, secure authentication of access to the device's management interface, and validation of data inputs to the device to safeguard against remote hacking.

Wi-Fi home routers that comply with IMDA's specifications would also meet Level 1 of the Cybersecurity Labelling Scheme, which was recently introduced by the Cyber Security Agency of Singapore. Home routers, as well as smart home hubs, that are assessed to be secure and compliant will bear these labels.

The labelling initiative is voluntary and comprises four levels of rating based on the number of asterisks, each indicating an additional tier of testing and assessment the product has gone through. The scheme aims to motivate manufacturers to develop more secure products, moving beyond designing such devices to optimise functionality and cost. 

Level one, for instance, indicates that a product meets basic security requirements such as ensuring unique default passwords and providing software updates, while a level four product has undergone structured penetration tests by approved third-party test labs and fulfilled level three requirements.

Singapore is hoping to rope in other Asean nations to recognise the Cybersecurity Labelling Scheme. 

Last week, Singapore unveiled its latest cybersecurity blueprint which focuses on digital infrastructures and cyber activities. The city-state also announced plans to set up a panel comprising global experts to offer advice on safeguarding its operational technology systems.


Editorial standards