CCC and OpenWrt on the BSI guideline for secure routers

OpenWrt and the Chaos Computer Club participated in several review rounds with Germany’s Federal Office for Information Security (BSI) and consumer-router vendors on the BSI’s draft technical guideline for secure broadband routers.

The published guideline, in our view, is inadequate to prevent the widespread router-security failures it claims to address. End users still have no reliable way to distinguish a router that will receive security updates for years from one that will be abandoned in months, and no recourse once vendor support ends.

In particular: vendors are still allowed to lock OpenWrt out of devices they have already sold, even after the vendor’s own security support has ended. A device with a known security flaw and no remaining vendor patches becomes effectively e-waste — even though a working community firmware exists.

OpenWrt and the CCC have asked for two changes to the guideline:

1. Vendors must disclose, before purchase, how long a device will receive security updates.
2. Customers must be able to install alternative firmware to keep a device secure after official support ends.

The full position is in the joint German-language press release on the CCC site.