CISA and the FBI created this guidance based upon recent and ongoing activity targeting small office/home office (SOHO) routers by malicious cyber actors—particularly the People’s Republic of China (PRC)-sponsored Volt Typhoon group. CISA and FBI are urging SOHO router manufacturers to build security into the design, development, and maintenance of SOHO routers to eliminate the path these threat actors are taking to (1) compromise these devices and (2) use these devices as launching pads to further compromise U.S. critical infrastructure entities.
Specifically, CISA and FBI are urging manufacturers to:
- Eliminate exploitable defects—during the product design and development phases—in SOHO router web management interfaces.
- Adjust default device configurations in a way that:
  - Automates update capabilities.
  - Locates the web management interfaces on LAN side ports.
  - Requires a manual override to remove security settings.
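The second default-configuration point is the one a defender can check directly on a device: a web management interface that listens on a WAN address, or on the wildcard address without a firewall in front of it, is reachable from the internet rather than only from LAN-side ports. The script below is an added example written for this page, not code from CISA, the FBI or any router vendor. It parses constructed `ss -lntp`-style output together with an assumed interface-to-address map and flags management-port listeners (the set of ports is an assumption) that are bound to the WAN or to the wildcard address.

```python
"""
Audit which web-management listeners on a SOHO router are reachable from the WAN.

Added example (not from the CISA/FBI alert). It parses constructed
`ss -lntp`-style lines plus an assumed interface-to-address map and flags
any management-port listener bound to a WAN address or to the wildcard
address; such a listener is reachable from the internet unless a firewall
rule blocks it, so the check treats wildcard binds conservatively.
"""
import ipaddress
import re

# Assumed management ports; real routers may use others.
MANAGEMENT_PORTS = {80, 443, 8080, 8443}

# Constructed interface map: which addresses belong to the WAN vs the LAN.
INTERFACES = {
    "eth0.2": {"role": "wan", "addrs": ["203.0.113.10"]},  # documentation range, constructed
    "br-lan": {"role": "lan", "addrs": ["192.168.1.1"]},
}

# Constructed sample of `ss -lntp`-style output.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     192.168.1.1:80       0.0.0.0:*          users:(("uhttpd",pid=1234,fd=4))
LISTEN  0       128     0.0.0.0:443          0.0.0.0:*          users:(("uhttpd",pid=1234,fd=5))
LISTEN  0       128     203.0.113.10:8080    0.0.0.0:*          users:(("uhttpd",pid=1234,fd=6))
LISTEN  0       128     127.0.0.1:53         0.0.0.0:*          users:(("dnsmasq",pid=999,fd=3))
"""

# Matches a LISTEN line and captures local address, port and process column.
LINE_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+(.*)$")


def parse_listeners(text):
    """Return (bind_address, port, process) tuples for every LISTEN line."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append((m.group(1), int(m.group(2)), m.group(3).strip()))
    return listeners


def classify_bind(addr, interfaces):
    """Map a bind address to 'wan', 'lan', 'loopback', 'any' (wildcard) or 'unknown'."""
    if addr in ("0.0.0.0", "*", "[::]", "::"):
        return "any"
    ip = ipaddress.ip_address(addr.strip("[]"))
    if ip.is_loopback:
        return "loopback"
    for iface in interfaces.values():
        if any(ip == ipaddress.ip_address(a) for a in iface["addrs"]):
            return iface["role"]
    return "unknown"


def find_wan_exposed_management(text, interfaces, mgmt_ports=MANAGEMENT_PORTS):
    """Return management-port listeners that are reachable from the WAN side."""
    findings = []
    for addr, port, proc in parse_listeners(text):
        if port not in mgmt_ports:
            continue
        scope = classify_bind(addr, interfaces)
        if scope in ("wan", "any"):
            findings.append({"addr": addr, "port": port, "scope": scope, "process": proc})
    return findings


if __name__ == "__main__":
    for f in find_wan_exposed_management(SAMPLE_SS_OUTPUT, INTERFACES):
        print(f"WAN-reachable management listener: {f['addr']}:{f['port']} ({f['scope']}) {f['process']}")
```

On the constructed sample the LAN-bound listener on 192.168.1.1:80 passes, the wildcard bind on port 443 and the WAN-address bind on port 8080 are flagged, and the loopback DNS listener is ignored because it is not a management port. A wildcard bind is flagged even though a firewall may be dropping WAN traffic to it, because the secure default the alert asks for is to bind the interface to LAN-side addresses in the first place rather than to depend on a separate rule.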
CISA and FBI also urge manufacturers to protect against Volt Typhoon activity and other cyber threats by disclosing vulnerabilities via the Common Vulnerabilities and Exposures (CVE) program as well as by supplying accurate Common Weakness Enumeration (CWE) classification for these vulnerabilities. The Alert also urges manufacturers to implement incentive structures that prioritize security during product design and development.
This guidance aligns with principles one through three of the joint guidance, Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software:
- Take ownership of customer security outcomes.
- Embrace Radical Transparency and Accountability.
- Build organizational structure and leadership to achieve these goals.
To learn more about this series, and how vendor decisions can reduce harm at a global scale, refer to the Secure by Design Alert Series blog.
For more information on the PRC-sponsored Volt Typhoon group, visit CISA's People's Republic of China Cyber Threat webpage.