i46 can provide compliance assessments for most IoT devices, using software- and network-based tools.
For devices running familiar operating systems like Ubuntu/Debian or OpenWRT, i46 offers a fast initial assessment via the i46.io software.
Our lightweight tool analyses the device's configuration (e.g., open ports), generates a Software Bill of Materials (SBOM) to identify software components, and performs various tests to assess overall cybersecurity posture.
The i46.io analysis provides a valuable starting point for our experts who then conduct additional targeted testing to deliver a comprehensive CRA compliance assessment report for our customers' devices.
Below, we showcase two quick assessments performed by the i46.io software.
Important: this router has been sold by Huawei since at least 2021. Unless a major feature affecting the security of the router is deployed on it after the CRA's enactment, it will not be required to comply with the CRA.
The information presented below is for informational purposes only.
i46.io’s analysis finds that this router is poorly secured and fails to meet all the requirements of the Cyber Resilience Act. During the analysis of the router, i46 found that three core requirements of the CRA were not met:
Annex I, paragraph (b): “be made available on the market with a secure by default configuration, unless otherwise agreed between manufacturer and business user in relation to a tailor made product with digital elements, including the possibility to reset the product to its original state”;
Annex I, paragraph (d): “ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems, and report on possible unauthorised access;”
Annex I, paragraph (j): “be designed, developed and produced to limit attack surfaces, including external interfaces;”
| Feature | i46.io analysis | Compliance status |
|---|---|---|
| Unique password | No: the password is admin | 🔴 No |
| Strong password enforcement | No | 🔴 No |
| Minimal surface (physical) | The device includes RJ-45 ports, power and reset ports | 🟢 Yes |
| Minimal surface (software) | Port 80 (http) is open | 🟢 Yes: this port is required for device management. |
| Minimal surface (software) | Port 53 (domain) is open | 🔴 No: DNS server should be optional as, in many cases, this feature is not used. (Severity: Low) |
| Minimal surface (software) | Port 20249 (Link quality information) is open | 🔴 No: It is not clear why this information is required for the end-user. Technical information port should be closed by default. (Severity: High) |
| Minimal surface (software) | Port 31215 (UPnP as http) is open | 🔴 No: UPnP service should be optional and closed by default. CVE-2017-17215 is associated with port 37215. This could potentially allow attackers to take control of the device. (Severity: Very High) |
| Minimal surface (software) | Port 37443 (UPnP as https) is open | 🔴 No: UPnP service should be optional and closed by default. (Severity: Medium) |
As shown above, the Huawei B311 fails the i46.io automated assessment.
Important note: the device does not need to comply with the Cyber Resilience Act, due to being manufactured before the Act’s enactment.
Important: this router has been sold by TP-Link since at least 2021. Unless a major feature affecting the security of the router is deployed on it after the CRA's enactment, it will not be required to comply with the CRA.
The information presented below is for informational purposes only.
i46’s analysis finds that this router is relatively well secured, but still fails to meet all the requirements of the Cyber Resilience Act. Indeed, during the analysis of the router, i46 found that three core requirements of the CRA were not met:
Annex I, paragraph (b): “be made available on the market with a secure by default configuration, unless otherwise agreed between manufacturer and business user in relation to a tailor made product with digital elements, including the possibility to reset the product to its original state”;
Annex I, paragraph (d): “ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems, and report on possible unauthorised access;”
Annex I, paragraph (j): “be designed, developed and produced to limit attack surfaces, including external interfaces;”
| Feature | i46.io analysis | Compliance status |
|---|---|---|
| Unique password | OK: 8 digits password (numbers only) | 🟢 Yes |
| Strong password enforcement | No | 🔴 No |
| Minimal surface (physical) | The device includes RJ-45 ports, power and reset ports | 🟢 Yes |
| Minimal surface (software) | Port 80 (http) is open | 🟢 Yes: this port is required for device management. |
| Minimal surface (software) | Port 53 (domain) is open | 🔴 No: DNS server should be optional as, in many cases, this feature is not used. (Severity: Low) |
| Minimal surface (software) | Port 1900 (UPNP) is open | 🔴 No: plug-and-play can be considered a basic functionality for this router. (Severity: Low) |
| Minimal surface (software) | Port 20001 (secure connection between the WiFi router and the Tether app) is open | 🔴 No: while the feature is part of the main functionalities of the router, this type of port must be closed by default. (Severity: High) |
As shown above, the TP-Link Archer AX73 V2 fails the i46.io automated assessment.
Important note: the device does not need to comply with the Cyber Resilience Act, due to being manufactured before the Act’s enactment.
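The "Minimal surface (software)" rows in both tables come down to comparing the sockets a device listens on by default against a short baseline. The sketch below is an added example, not i46.io's code: it parses `ss -tuln` output from a Linux-based device, ignores loopback-only listeners, and reports everything not in the baseline. The sample output and the allowlist (only TCP 80 for device management, following the tables' judgment) are constructed assumptions.

```python
import ipaddress

# Constructed sample of `ss -tuln` output from a hypothetical router; not taken from the page.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:53         0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:1900       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:8080     0.0.0.0:*
tcp   LISTEN 0      16     [::1]:953          [::]:*
tcp   LISTEN 0      128    *:20001            *:*
tcp   LISTEN 0      32     192.168.0.1%br-lan:53 0.0.0.0:*
"""

# Assumed baseline: only the management UI may listen by default (policy is an assumption).
ALLOWED_BY_DEFAULT = {("tcp", 80): "device management"}

def parse_listeners(ss_output):
    """Yield (proto, address, port) for each listening socket line."""
    for line in ss_output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        addr, _, port = fields[4].rpartition(":")
        addr = addr.split("%")[0].strip("[]")  # drop interface scope and IPv6 brackets
        if port.isdigit():
            yield fields[0], addr, int(port)

def is_loopback(addr):
    """Wildcard binds ('*', 0.0.0.0, ::) are reachable from the network, so not loopback."""
    if addr == "*":
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # unparseable address: treat as exposed rather than hide it

def assess(ss_output, allowed=ALLOWED_BY_DEFAULT):
    """Return sorted (proto, port) findings: exposed listeners the baseline does not allow."""
    exposed = {(p, port) for p, a, port in parse_listeners(ss_output) if not is_loopback(a)}
    return sorted(k for k in exposed if k not in allowed)

if __name__ == "__main__":
    for proto, port in assess(SAMPLE_SS):
        print(f"FAIL Annex I (j): {proto}/{port} open by default")
```

Each finding still needs a human decision on severity and on whether the service is justified, as the per-port comments in the tables above show.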
Many IoT devices operate without traditional operating systems, making compliance assessment a complex challenge. Software-based tools, commonly used by labs like i46, are incompatible with these devices.
To address this, i46 has established its own private 5G network in the Prague laboratory. This advanced infrastructure allows i46 to assess non-OS devices equipped with network interfaces, ensuring they meet CRA compliance standards. i46 further leverages this private network to conduct comprehensive testing of network interfaces for devices with operating systems.
Learn more about our private 5G network and its capabilities below.
i46 uses open-source frameworks like Open5GS to build its own private 5G networks.
Core components of our 5G Network:
To ensure that IoT devices meet the security requirements of the Cyber Resilience Act, i46 uses advanced network-based analysis techniques, including:
i46 collaborates with leading research institutions such as Fraunhofer University (Germany) and EURECOM (France) to drive innovation in 5G technology.
i46 is also involved in various 5G projects, such as Target-X, for which our team is developing an authentication method for IoT devices over the 5G network.