IP-Time A3004NS-M

Reviewed in May 2024 by i46 s.r.o | Conclusion of the Fast Check: 🔴

Important. This router has been sold by IP-Time since at least 2019. Unless a major feature affecting the security of the router is deployed after the CRA's enactment, it will not be required to comply with the CRA.

This Fast Check is for information purposes only.

Its “old” age may also explain why it does not follow cybersecurity best practices, and why it is declared non-compliant with the CRA. During the analysis of the router, i46 found that three core requirements of the CRA were not met:

  • Annex I, paragraph (b): “be made available on the market with a secure by default configuration, unless otherwise agreed between manufacturer and business user in relation to a tailor made product with digital elements, including the possibility to reset the product to its original state”;

  • Annex I, paragraph (d): “ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems, and report on possible unauthorised access;”

  • Annex I, paragraph (j): “be designed, developed and produced to limit attack surfaces, including external interfaces;”

 

Below, i46 details a few core features of the router, and provides their compliance findings for each of them.

Which product should i46 review next?

Let us know which product should be reviewed next by sending an email to info@i46.cz.

Compliance Table

| Feature | Findings | Compliance with the CRA |
|---|---|---|
| Unique Password | The admin access credentials to the device are admin (username) and the password includes the device unique ID number | 🟢 Yes |
| Minimal surface (physical) | The device includes RJ-45 ports, power and reset ports | 🟢 Yes |
| Minimal surface (software) | Port 80 (http) is open | 🟢 Yes: this port is required for device management. |
| Minimal surface (software) | Port 661 (printer) is open | 🔴 No: as printing is an optional feature of the router, this port should be opened only when needed, in order to avoid potential risks. (Severity: Medium) |
| Minimal surface (software) | Port 57605 (remote management?) is open | 🔴 No: the function of this port is unclear. We suspect it might be used for remote maintenance, which is prohibited by the CRA. A redesign of the maintenance feature is required to certify this router. (Severity: High) |

As shown in the above table, the IP-Time A3004NS-M fails i46’s Fast Check.

While the device does not need to comply with the Cyber Resilience Act, due to being manufactured before the Act’s enactment, it bears highlighting that the weaknesses identified during the Fast Check mean that businesses and people wishing to use this router should proceed with caution.

Who is i46?

i46 s.r.o, a Czech Republic-based company, is a specialist in cybersecurity compliance for IoT manufacturers. Their team of experts meticulously analyzes various devices within their laboratory, forming the foundation for these initial assessments.

The Fast Check service is provided by Cyber Resilience Act.eu and i46 s.r.o. as a way to empower the community. It is important to remember that the CRA Fast Check analysis is provided “as is” and shouldn’t be considered a replacement for a comprehensive cybersecurity assessment.

If you encounter any errors in this analysis, please don’t hesitate to reach out to us at info@i46.cz.
