Information about category Router

IT Security Label

Basis of issue and Technical Guideline

The IT Security Label is issued on the basis of §9c BSI Act.

Devices of the category router can receive the IT Security Label if the manufacturer assures the device's conformity with the Technical Guideline for Broadband Routers BSI TR-03148. The manufacturer's declaration for the product category router can be found here.

The following listing provides a simplified overview of some declared security functionalities. Detailed descriptions of the necessary and recommended requirements can be found in the Technical Guideline and the associated test specification.

Information on the required and recommended device properties

1. Transparency

The manufacturer assures that it provides transparent information regarding the security of the device.

These include in particular:

  • Information about the availability of security updates, the version of the router firmware, the status of the firewall or enabled and disabled services.
  • The ability to receive information about security-related events (for example: failed login attempts or changes in settings), optionally via app or email.
  • No hidden functionalities.

2. Access authorization

The manufacturer ensures that mechanisms (e.g. password, PIN or electronic key) are in place so that only authorized persons can access the device.

These mechanisms include, for example:

  • A sufficiently strong authorization mechanism when logging in by means of a sufficiently strong password query.
  • A change of the factory default password to a customized password accompanied by a mechanism that indicates the strength of the chosen password.
  • A change of the factory password to an individual password for the Wi-Fi network.
  • A firewall that protects the device from unauthorized access.

The device may also include the following functions, according to the recommendations of the guideline:

  • Two-factor authentication during the login process.
  • Changing the preset password for login and Wi-Fi network already during initial setup.

3. Update

The manufacturer declares that it will provide security updates for the device immediately when security vulnerabilities become known.

This includes, for example:

  • An encrypted function for updating the firmware (device software).
  • The provision of security updates for the duration of the validity of the IT Security Label.

The Technical Guideline further recommends:

  • An automatic update mechanism activated by default.
  • A mechanism for automatic installation of firmware updates with the possibility of disabling and manually managing the installation of firmware updates.

4. Encryption

The manufacturer assures that the device's communications, interactions, and certain locally stored data (e.g., login credentials) are secured with encryption procedures in accordance with the Technical Guideline.

This concerns in particular:

  • Encryption of access to the router via WAN (e.g. via app), optionally via Wi-Fi.
  • The provision of encryption using the WPA2 standard or higher for the users' Wi-Fi or for guest Wi-Fi networks.

Some devices may also have additional functions, according to the Technical Guideline:

  • A way to provide security-related information via app.
  • Encrypted communication when using the app.

5. Data cleansing and data hygiene

The manufacturer states that the device includes mechanisms to erase data effectively so that it cannot be recovered easily.

These include, for example:

  • A reset mechanism by which all stored data and settings are deleted irrevocably (for example, by a reset button).