In a historic and unique decision in the world, the National Telecommunications Agency (Anatel) has just sanctioned Act No. 77 of January 5, 2021, which provides for new rules for the commercialization of routers in Brazilian territory. Following the Cybersecurity Regulation Applied to the Telecommunications Sector, the equipment now needs to meet a series of requirements to be approved for sale in Brazil.
The first – and most interesting of them – is that no router marketed here will be able to “use initial credentials and passwords to access its configurations that are the same among all devices produced”. This means the definitive end of control panels with standardized logins easy to guess as “admin”, since the regulation also provides that the manufacturer will have to “force, in the first use, the change of the initial password to access the equipment configuration”.
In addition, factory passwords cannot be derived from easily obtainable information (such as MAC addresses), the system cannot accept the registration of easy credentials, it must not store cryptographic keys in the firmware itself, and it must have native protection against brute-force attacks. Furthermore, each and every product must guarantee at least two years of updates and security patches for the customer from its launch date, while maintaining a history of the identified vulnerabilities.
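The requirements above translate naturally into checks a router's admin interface can enforce at first boot. The following is an added illustration, not code from the article or from any manufacturer: it rejects common default credentials, rejects a password that embeds a run of the device's own MAC address, forces a change on the first successful login, and locks the account after repeated failures. The minimum length (8), the MAC run length (6 hex digits), the lockout threshold (5) and the list of common defaults are assumptions chosen for the example; the act as summarised here does not specify them.

```python
import re
import secrets
from dataclasses import dataclass

# Assumed thresholds; the regulation as summarised here does not fix these numbers.
MIN_LENGTH = 8
MIN_MAC_RUN = 6          # a run of this many consecutive MAC hex digits counts as "derived from the MAC"
MAX_FAILED_ATTEMPTS = 5  # lockout threshold for the brute-force protection
# Constructed list of well-known defaults ("admin" is the one the article names).
COMMON_DEFAULTS = {"admin", "password", "1234", "12345678", "root", "user"}


def mac_runs(mac: str, min_run: int = MIN_MAC_RUN):
    """Yield every substring of at least min_run consecutive hex digits taken from the MAC."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    for length in range(min_run, len(hexdigits) + 1):
        for start in range(0, len(hexdigits) - length + 1):
            yield hexdigits[start:start + length]


def credential_violations(password: str, mac: str, username: str = "admin") -> list:
    """Return the policy rules an initial or user-chosen password violates (empty list = accepted)."""
    problems = []
    lowered = password.lower()
    if lowered in COMMON_DEFAULTS or lowered == username.lower():
        problems.append("matches a common default or the username")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Strip separators so "33-44-55" and "334455" are both caught.
    squashed = re.sub(r"[^0-9a-z]", "", lowered)
    if any(run in squashed for run in mac_runs(mac)):
        problems.append("derived from the device MAC address")
    return problems


def batch_is_unique(factory_passwords: list) -> bool:
    """True when no two devices in a production batch share the same factory password."""
    return len(set(factory_passwords)) == len(factory_passwords)


@dataclass
class AdminAccount:
    """Minimal model of a router admin account with first-use rotation and lockout."""
    password: str
    mac: str
    must_change_password: bool = True  # set at the factory: the first login must rotate it
    failed_attempts: int = 0
    locked: bool = False

    def login(self, attempt: str) -> str:
        if self.locked:
            return "locked"
        # Constant-time comparison avoids leaking the password through timing.
        if not secrets.compare_digest(attempt.encode(), self.password.encode()):
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self.locked = True
                return "locked"
            return "denied"
        self.failed_attempts = 0
        return "change_required" if self.must_change_password else "ok"

    def change_password(self, new_password: str) -> list:
        """Apply the policy; only a compliant password clears the first-use flag."""
        problems = credential_violations(new_password, self.mac)
        if not problems:
            self.password = new_password
            self.must_change_password = False
        return problems


if __name__ == "__main__":
    # Constructed sample device: a per-unit factory secret and a sample MAC.
    acct = AdminAccount(password="Factory-Unique-91f3", mac="00:11:22:33:44:55")
    print(acct.login("Factory-Unique-91f3"))            # change_required
    print(acct.change_password("wifi334455"))           # rejected: contains MAC run 334455
    print(acct.change_password("Xk7#pq2Lm9!r"))         # [] accepted
    print(acct.login("Xk7#pq2Lm9!r"))                   # ok
```

The MAC check is deliberately broad: it flags any six or more consecutive hex digits of the address appearing anywhere in the candidate password, which is what the common "last bytes of the MAC" default schemes produce. A real firmware would hash the stored password and persist the lockout counter across reboots; both are omitted here to keep the policy logic visible.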
Anatel’s decision can be considered revolutionary because, although it only concerns devices seeking approval for sale in Brazil, it is very likely that manufacturers will adapt their devices globally, thus creating a universal security standard for routers that would eliminate the problem of weak credentials once and for all. The act comes into force 180 days after its publication.
See the original post at: https://thehack.com.br/em-ato-historico-anatel-proibe-venda-de-roteadores-com-senhas-faceis-ou-padronizadas/?rand=48873