Monday, June 17, 2024
- Advertisement -
More

    Latest Posts

    Telecom Equipment Makers Seek Two-Year Extension for Security Testing Deadline

    Telecom equipment manufacturers have requested a two-year extension on the deadline by which they are expected to complete mandatory security testing of WiFi customer premises equipment (CPE) and IP (internet protocol) routers, according to an ET report. In a submission to the Department of Telecommunications (DoT), the Manufacturers Association of Information Technology (MAIT) has argued that since there are only three labs accredited to carry out security testing, the cost of testing is very high. It also suggests that security certifications for this equipment should be done on a voluntary basis.

    This comes after the Department of Telecommunications (DoT) extended the date for mandatory security testing for WiFi CPEs and IP routers from 1 January 2024 to 1 April 2024 in December last year and then finally to 1 July 2024 in March this year. The DoT had mandated telecom equipment certification in the amendments made to the Indian Telegram Rules in 2017. These rules state that every piece of telecom equipment must undergo mandatory testing and certification before sale, import or use in India. The testing is expected to be carried out for conformance to essential requirements for the equipment, by Indian accredited labs designated by the Telecommunications Engineering Center (TEC). TEC issues certification based on reports by these accredited labs.

    These mandatory tests are expected to ensure the telecom equipment doesn’t degrade the performance of the existing network to which it is connected and that the end user is safe.  Earlier in 2023, the Telecom Regulatory Authority of India (TRAI) released a set of recommendations to promote Networking and Telecom Equipment (NATE) Manufacturing in India where it asked telecom equipment makers to focus on components and subassembly manufacturing.

    Key security requirements for WiFi CEPs and IP routers:

    For Wi-Fi CPEs:

    • CPE shall have a mechanism that protects against brute force and dictionary attacks which aim to use manual/automated guessing to obtain the passwords for user and machine accounts. If a CPE sees a user making multiple failed attempts to guess a password it will implement at least one of the following measures:
      • Increasing the delay for each incorrect password entered
      • Blocking an account after a specific number of failed attempts
      • Using CAPTCHA to prevent automated attempts.  
    • User passwords will be stored using password hashes or encrypted, based on a strong hashing mechanism designed for use with passwords. They must not be stored as plain text.
    • Information must only flow between authorized endpoints and must not be intercepted or diverted in the middle. As such, the security mechanisms in place should protect against attacks like capture decryption (where an attacker captures the encrypted data and tries to decrypt it) and key recovery (where an attacker attempts to recover encryption keys.)

    For IP routers:

    • The use of cryptographically protected network protocols is required. It must be ensured that the protocol being used is without known vulnerabilities.
    • The various user and machine accounts on a system shall be protected from misuse. To achieve this, an authentication attribute, such as cryptographic keys, tokens, or passwords, is typically used in combination with the username. Users must not be authenticated via parameters that can be spoofed such as phone numbers or IP addresses.
    • If a password is used as a means for authentication, then there must be protection in place against brute force and dictionary attacks that hinder password guessing.
    • Software updates for the routers should be secure and based on code-signing certificates. These are digital certificates that allow software vendors to ensure that a piece of code has not been altered and determine whether the code is trustworthy for a specific purpose. The updates shall only be allowed if the code signing certificate is valid. 

    [Note: We have reached out to MAIT asking them to comment on the reasons why the extension is being sought. The story will be updated to reflect their response.]

    Also read:

    The post Telecom Equipment Makers Seek Two-Year Extension for Security Testing Deadline appeared first on MEDIANAMA.

    Latest Posts

    - Advertisement -

    Don't Miss

    Stay in touch

    To be updated with all the latest news, offers and special announcements.