CISA and FBI Release Secure by Design Alert Urging Manufacturers to Eliminate Defects in SOHO Routers

Today, CISA and the Federal Bureau of Investigation (FBI) published guidance on Security Design Improvements for SOHO Device Manufacturers as a part of the new Secure by Design (SbD) Alert series that focuses on how manufacturers should shift the burden of security away from customers by integrating security into product design and development.

This third publication in CISA’s SbD Alert series examines how manufacturers can eliminate the path threat actors—particularly the People’s Republic of China (PRC)-sponsored Volt Typhoon group—are taking to compromise small office/home office (SOHO) routers. Specifically, CISA and FBI urge manufacturers to:

• Eliminate exploitable defects—during the product design and development phases—in SOHO router web management interfaces (WMIs).
• Adjust default device configurations in a way that:
  • Automates update capabilities.
  • Locates the WMI on LAN side ports.
  • Requires a manual override to remove security settings.

CISA and FBI also urge manufacturers to protect against Volt Typhoon activity and other cyber threats by disclosing vulnerabilities via the Common Vulnerabilities and Exposures (CVE) program as well as by supplying accurate Common Weakness Enumeration (CWE) classification for these vulnerabilities. The Alert also urges manufacturers to implement incentive structures that prioritize security during product design and development.

CISA and FBI urge SOHO device manufacturers to read and implement Security Design Improvements for SOHO Device Manufacturers, which aligns to principles one through three of the joint guidance, Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software:

1. Take ownership of customer security outcomes.
2. Embrace Radical Transparency and Accountability.
3. Build organizational structure and leadership to achieve these goals.

By implementing these principles in their design, development, and delivery processes, manufactures can prevent exploitation of SOHO routers. To learn more, visit Secure by Design.