i46

Compliance Assessment Methods

i46 can provide compliance assessments for most IoT devices, via software and network-based tools.

Software-based assessment


For devices running familiar operating systems like Ubuntu/Debian, OpenWRT, or even Windows, i46 offers a fast initial assessment via the i46.io software.

Our lightweight tool analyses the device's configuration (e.g., open ports), generates a Software Bill of Materials (SBOM) to identify software components, and performs various tests to assess overall cybersecurity posture.

The i46.io analysis provides a valuable starting point for our experts who then conduct additional targeted testing to deliver a comprehensive CRA compliance assessment report for our customers' devices.

Below, we showcase two quick assessments performed by the i46.io software.

Huawei B311 Home Router

Important. This router has been sold by Huawei since at least 2021. Unless a major feature, impacting the security of the router, is deployed on the router post CRA-enactment, it will not be required to comply with the CRA.

The information presented below is for information purposes only.

i46.io’s analysis finds that this router is poorly secured and fails to meet all the requirements of the Cyber Resilience Act. During the analysis of the router, i46 found that three core requirements of the CRA were not met:

  • Annex I, paragraph (b): “be made available on the market with a secure by default configuration, unless otherwise agreed between manufacturer and business user in relation to a tailor made product with digital elements, including the possibility to reset the product to its original state”;

  • Annex I, paragraph (d): “ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems, and report on possible unauthorised access;”

  • Annex I, paragraph (j): “be designed, developed and produced to limit attack surfaces, including external interfaces;”

 
Below, we detail a few core features of the router, and provide i46.io compliance findings for each of them.

| Feature | i46.io analysis | Compliance status |
|---|---|---|
| Unique password | No: the password is admin | 🔴 No |
| Strong password enforcement | No | 🔴 No |
| Minimal surface (physical) | The device includes RJ-45 ports, power and reset ports | 🟢 Yes |
| Minimal surface (software) | Port 80 (http) is open | 🟢 Yes: this port is required for device management. |
| Minimal surface (software) | Port 53 (domain) is open | 🔴 No: DNS server should be optional as, in many cases, this feature is not used. (Severity: Low) |
| Minimal surface (software) | Port 20249 (Link quality information) is open | 🔴 No: It is not clear why this information is required for the end-user. Technical information port should be closed by default. (Severity: High) |
| Minimal surface (software) | Port 31215 (UPnP as http) is open | 🔴 No: UPnP service should be optional and closed by default. CVE-2017-17215 is associated with port 37215. This could potentially allow attackers to take control of the device. (Severity: Very High) |
| Minimal surface (software) | Port 37443 (UPnP as https) is open | 🔴 No: UPnP service should be optional and closed by default. (Severity: Medium) |

As shown above, the Huawei B311 fails the i46.io automated assessment.

Important note: the device does not need to comply with the Cyber Resilience Act, due to being manufactured before the Act’s enactment.

TP-Link Archer AX73 V2 (US)

Important. This router has been sold by TP-Link since at least 2021. Unless a major feature, impacting the security of the router, is deployed on the router post CRA-enactment, it will not be required to comply with the CRA.

The information presented below is for information purposes only.

i46’s analysis finds that this router is relatively well secured, but still fails to meet all the requirements of the Cyber Resilience Act. Indeed, during the analysis of the router, i46 found that three core requirements of the CRA were not met:

  • Annex I, paragraph (b): “be made available on the market with a secure by default configuration, unless otherwise agreed between manufacturer and business user in relation to a tailor made product with digital elements, including the possibility to reset the product to its original state”;

  • Annex I, paragraph (d): “ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems, and report on possible unauthorised access;”

  • Annex I, paragraph (j): “be designed, developed and produced to limit attack surfaces, including external interfaces;”

 
Below, we detail a few core features of the router, and provide i46.io compliance findings for each of them.

| Feature | i46.io analysis | Compliance status |
|---|---|---|
| Unique password | OK: 8-digit password (numbers only) | 🟢 Yes |
| Strong password enforcement | No | 🔴 No |
| Minimal surface (physical) | The device includes RJ-45 ports, power and reset ports | 🟢 Yes |
| Minimal surface (software) | Port 80 (http) is open | 🟢 Yes: this port is required for device management. |
| Minimal surface (software) | Port 53 (domain) is open | 🔴 No: DNS server should be optional as, in many cases, this feature is not used. (Severity: Low) |
| Minimal surface (software) | Port 1900 (UPnP) is open | 🔴 No: plug-and-play can be considered a basic functionality for this router. (Severity: Low) |
| Minimal surface (software) | Port 20001 (secure connection between the WiFi router and the Tether app) is open | 🔴 No: while the feature is part of the main functionalities of the router, this type of port must be closed by default. (Severity: High) |

As shown above, the TP-Link Archer AX73 V2 fails the i46.io automated assessment.

Important note: the device does not need to comply with the Cyber Resilience Act, due to being manufactured before the Act’s enactment.
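The "Minimal surface (software)" rows in both assessments come down to comparing the sockets a device listens on by default with the ports its function requires. The following is an added example, not i46.io's code: it parses `ss -tuln` output from a Linux-based device and reports network-reachable listeners missing from a declared baseline. The sample output and the baseline are constructed for illustration.

```python
import ipaddress

# Constructed sample of `ss -tuln` output; not captured from any device on this page.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:53          0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:1900        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:80          0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:5037      0.0.0.0:*
tcp   LISTEN 0      128    [::]:20001          [::]:*
tcp   LISTEN 0      128    192.168.0.1%br-lan:443 0.0.0.0:*
"""

# Hypothetical baseline: (protocol, port) pairs declared as required by default.
BASELINE = {("tcp", 80)}


def parse_listeners(ss_output):
    """Return the set of (proto, port, address) sockets listed by ss."""
    listeners = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header line or another socket family
        addr, _, port = fields[4].rpartition(":")
        if not port.isdigit():
            continue
        addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and interface scope
        listeners.add((fields[0], int(port), addr))
    return listeners


def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # "*" (any address) or a name: treat as reachable


def assess(ss_output, baseline):
    """Split non-loopback listeners into declared and undeclared (proto, port) lists."""
    declared, undeclared = set(), set()
    for proto, port, addr in parse_listeners(ss_output):
        if is_loopback(addr):
            continue  # bound to loopback only, not reachable from the network
        (declared if (proto, port) in baseline else undeclared).add((proto, port))
    return sorted(declared), sorted(undeclared)

print(assess(SAMPLE_SS, BASELINE))
```

Each undeclared entry still needs a human decision on whether the service is required by default, as the severity notes in the tables above illustrate.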

Network-based assessment


Many IoT devices operate without traditional operating systems, making compliance assessment a complex challenge. Software-based tools, commonly used by labs like i46, are incompatible with these devices.

To address this, i46 has established its own private 5G network in the Prague laboratory. This advanced infrastructure allows i46 to assess non-OS devices equipped with network interfaces, ensuring they meet CRA compliance standards. i46 further leverages this private network to conduct comprehensive testing of network interfaces for devices with operating systems.

Learn more about our private 5G network and its capabilities below.


5G core network

A dedicated computer runs i46's Core Network to enable control of and access to the 5G network.


RAN (USRP)

The USRP simulates various 5G network components, such as gNodeBs and User Equipments.


Servers

Dedicated private servers to support the i46 5G network.

i46's private 5G network

i46 uses open-source frameworks like Open5GS to build its own private 5G networks.

Core components of our 5G Network:

  • 5G Core Network: This component handles essential functions such as user authentication, data routing, and network slicing.
  • Radio Access Network: This component facilitates communication between user devices and the core network. We use USRP technology to create adaptable and programmable radio access networks.
  • Private Servers: These servers, storing important network data and running virtualised network functions, provide additional services to our 5G network.

More on i46’s 5G technology capabilities

i46 collaborates with leading research institutions such as Fraunhofer University (Germany) and EURECOM (France) to drive innovation in 5G technology.

i46 is involved in various 5G projects, such as Target-X, for which our team is developing an authentication method for IoT devices over the 5G network.

To ensure that IoT devices meet the security requirements of the Cyber Resilience Act, we use advanced network-based analysis techniques, including:

  • Vulnerability Scanning: We identify and assess potential vulnerabilities in a device’s network configuration.
  • Penetration Testing: We simulate real-world attacks (e.g., DoS) to identify weaknesses and evaluate the device’s security defences.
  • Network Traffic Analysis: We analyse network traffic patterns to identify anomalies and potential security threats.
