Institutional

In order to strengthen the security of networks and devices, ANATEL introduced ATO-77 in January 2021, establishing a series of security requirements for telecommunications equipment, aiming to minimize vulnerabilities through software updates or configuration recommendations.

The scope of ATO-77 covers a wide range of requirements applied to Internet-connected terminal equipment (CPE) and telecommunications network infrastructure devices.

In March 2023, ANATEL also published ACT No. 2436, which establishes the technical requirements and criteria to be verified in the Conformity Assessment of telecommunications products for their certification, with this approval being mandatory from March 2024 for the homologation of each product at ANATEL.

1 - Cybersecurity Policy

In compliance with ATO-77 and ATO-2436, Datacom develops its products following the principles of Security by Design and presents below an overview of the main cybersecurity requirements present in its products.

The following CPE (Customer Premises Equipment) products are within the scope of this policy:

• Cable modem;
• xDSL modem;
• ONT;
• Router or modem intended for fixed wireless access (FWA - Fixed Wireless Access);
• Router or modem intended for fixed broadband access via satellite; and
• Wireless router or access point.

1.1 Main Requirements

1.1.1 Password Complexity

The following password complexity requirements are applied to both user accounts and WiFi network passwords when available.

• At least one uppercase character (e.g.: A, B, C, D,...);
• At least one lowercase character (e.g. a, b, c, d, ...);
• At least one numeric character (e.g. 1, 2, 3, 4, ...);
• At least one special character (e.g. !, @, #, $, ...);
• At least 8 digits;
• Each product has a unique default password that is different for all products;
• Weak or blank passwords are not allowed.

1.1.2 Security Mechanisms

• The products have a restrictive factory configuration, that is, protocols are disabled by default, such as UPnP, DMZ, Port Forwarding, among others. The user should enable these features only if necessary for their application.
• Configuration files saved as backups are protected by encryption.
• Timeouts for inactive sessions are pre-configured in the products.

1.2 Software Updates and Vulnerabilities

Datacom makes the Release Notes document available to its customers. This document is released with each commercially released software version and contains all corrections, improvements, vulnerabilities and new features implemented, as well as compatibility between different Hardware, Software and Management Systems.

Software updates are guaranteed for at least 2 years after the release or while the product is being distributed on the market, whichever option lasts longer. These updates will be free of charge to customers.

2 - General Public Communication Channel

Datacom provides below the exclusive communication channel with which all users of its products can report detected vulnerabilities or questions regarding the security of the products sold.

Under the link https://www.datacom.com.br/en/fale-conosco, select the option: Support - Security Vulnerability (ATO - No77).

2.1 General Recommendations

When reporting a vulnerability, Datacom recommends that:

• The vulnerability be described with as much information as possible.
• Indicate the product(s) in which the vulnerability was detected.
• It is possible to send the vulnerability description in Portuguese or English.
• Any failure in any functionality or incorrect behavior should follow the standard procedure for calling the Datacom Support team.

2.2 What to expect from Datacom

The team responsible for the Cybersecurity of Datacom products guarantees:

• Analyzing and responding to the reported vulnerability within a maximum period of 10 days.
• If the vulnerability is confirmed, a deadline will be announced for its correction.
• When the vulnerability is corrected, it will be disclosed through the product's Release Notes and the name of the author will be disclosed if they accept.

3 - Datacom's Commitment

Datacom is strongly committed to meeting cybersecurity requirements in its products. This compliance reinforces the security of customers' networks, making them more resilient against cyber threats.

4 - Vulnerabilities Detected and Corrected

The detected vulnerabilities are presented below so that any user can analyze and determine whether they are applicable to their network environment.