TLP:CLEAR Secure by Design Alert - Security Design Improvements for SOHO Device Manufacturers

January 2024

Malicious Cyber Actors Exploiting Insecure SOHO Routers

Threat actors, in particular the People’s Republic of China (PRC)-sponsored Volt Typhoon group, are compromising small office/home office (SOHO) routers by exploiting software defects that manufacturers must eliminate through secure software design and development. Specifically, Volt Typhoon actors are exploiting security defects in SOHO routers to use the devices as launching pads for further compromise of U.S. critical infrastructure entities. CISA and the Federal Bureau of Investigation (FBI) are releasing this Alert based on recent and ongoing threat activity to urge SOHO router manufacturers to build security into their products from the beginning, and to encourage all customers of SOHO routers to demand better security by design.

Secure by Design Lessons to Learn

A core tenet of secure by design is that manufacturers create safe and secure default behavior in the products they provide to customers. “Secure by Design” means that manufacturers design and build their products in a way that reasonably protects against malicious cyber actors successfully exploiting product defects. Incorporating this risk mitigation at the outset—beginning in the design phase and continuing through the release and updates—reduces the burden of cybersecurity on customers and risk to the public.

SOHO routers are ubiquitous and inexpensive devices that connect millions of Americans and small businesses to the internet. However, because insecure SOHO routers that lack basic security features are sold and used so widely, threat actors, including the PRC-sponsored Volt Typhoon group, are exploiting these devices at scale. These actors also use compromised SOHO routers as pivot points to reach and further compromise U.S. critical infrastructure entities. Creating products that lack appropriate security controls is unacceptable in the current threat environment. This case exemplifies how a lack of secure by design practices leads to real-world harm to customers and, in this case, to the nation’s critical infrastructure.

Manufacturers often design and build SOHO routers that lack automatic update capabilities and ship with large numbers of exploitable defects in their web management interfaces, leaving the devices open to common forms of compromise. Manufacturers compound these issues by shipping devices with management interfaces exposed to the public internet by default, often without telling customers that this configuration is frequently unsafe.
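As an added example, not code from the CISA/FBI alert, the following Python script performs the external check a customer or tester would run to learn whether a router's management plane is reachable from the WAN side, which is the default-exposed condition described above. The port-to-service mapping, the function names and the placeholder address are assumptions of this example; run it from a network outside the router's LAN (for example a phone hotspot) and only against a device you are authorized to test.

```python
"""Probe a SOHO router's WAN address for reachable management services.

Added example, not code from the alert. Port list and names are assumptions.
"""
import argparse
import socket
from typing import Callable, Dict, Mapping

# Assumption: ports on which SOHO router management services commonly listen.
# The list is illustrative; extend it for the device under test.
MANAGEMENT_PORTS: Dict[int, str] = {
    22: "ssh",
    23: "telnet (cleartext)",
    80: "http admin UI (cleartext)",
    443: "https admin UI",
    7547: "TR-069/CWMP remote management",
    8080: "alternate http admin UI (cleartext)",
    8443: "alternate https admin UI",
}

# Services that carry admin credentials in cleartext get an extra warning.
CLEARTEXT_PORTS = {23, 80, 8080}

Connector = Callable[[str, int], bool]


def tcp_connect(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_wan_exposure(host: str,
                       ports: Mapping[int, str] = MANAGEMENT_PORTS,
                       connect: Connector = tcp_connect) -> Dict[int, str]:
    """Probe each management port on host and return {port: service} for the
    ports that accept a connection. `connect` is injectable so the decision
    logic can be exercised without network access."""
    return {port: name for port, name in ports.items() if connect(host, port)}


def assess(exposed: Mapping[int, str]) -> str:
    """Turn the exposure map into a one-line verdict."""
    if not exposed:
        return "PASS: no management service reachable from the WAN side"
    ports = ", ".join(str(p) for p in sorted(exposed))
    verdict = f"FAIL: management plane reachable from the internet on ports {ports}"
    cleartext = sorted(p for p in exposed if p in CLEARTEXT_PORTS)
    if cleartext:
        verdict += "; cleartext admin protocols on " + ", ".join(str(p) for p in cleartext)
    return verdict


def main() -> None:
    parser = argparse.ArgumentParser(description="Probe a router's WAN address for management services")
    parser.add_argument("wan_ip", help="public address of the router, as seen from outside the LAN")
    parser.add_argument("--timeout", type=float, default=2.0, help="per-port connect timeout in seconds")
    args = parser.parse_args()

    def connect(host: str, port: int) -> bool:
        return tcp_connect(host, port, args.timeout)

    exposed = check_wan_exposure(args.wan_ip, connect=connect)
    for port, name in sorted(exposed.items()):
        print(f"open  {port:5d}  {name}")
    print(assess(exposed))


if __name__ == "__main__":
    main()
```

A PASS result is not proof of safety: an ISP carrier-grade NAT or upstream filtering can hide an interface that the router itself still exposes, so the remote-management setting in the admin UI should be checked and disabled regardless. Any port that answers from the WAN side should be treated as a finding, and the cleartext ports as an urgent one, since credentials sent over them can be captured in transit. The absence of automatic updates, the other defect named above, is a separate check made in the device's firmware settings.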

View the detailed report below.