The FCC maintains a list of equipment and services (Covered List)
that have been determined to “pose an unacceptable risk to the
national security
Recently, malicious state and non-state sponsored cyber attackers
have increasingly leveraged the vulnerabilities in small and home
office routers produced abroad to carry out direct attacks against
American civilians in their homes.
Vulnerabilities have nothing to do with country of manufacture. They have always been due to manufacturers' crap security practices. Security experts have been trying to call attention to this problem for 2 decades.
Manufacturers have never had to care about security because no Gov agency would ever mandate secure firmware. This includes the FCC which license their devices and the FTC who (until recently) had the direct mandate to protect consumers.
Our most recent step backward was to gut those agencies of any ability to provide consumer oversight. All they they can do now is craft protectionist policies that favor campaign donors.
The US has a bazillion devices with crap security because we set ourselves up for this.
> Manufacturers have never had to care about security because no Gov agency would ever mandate secure firmware.
The problem is that "secure firmware" is a relativistic statement. You ship something with no known bugs and then someone finds one.
What you need is not a government mandate for infallibility, it's updates. But then vendors want to stop issuing them after 3 years, meanwhile many consumers will keep using the device for 15. And "require longer support" doesn't fix it because many of the vendors will go out of business.
What you need is the ability for consumers to replace the firmware.
That solves the problem in three ways. First, when the company goes out of business you can still put a supported third party firmware on the device. Second, you can do that immediately, because the open source firmwares have a better security record than the OEMs to begin with. And third, then the device is running a widely used open source firmware instead of a custom device-specific proprietary black box, which makes it easier for the government or anyone else who is so inclined to find vulnerabilities and patch them.
> What you need is not a government mandate for infallibility, it's updates
So, we don't need an electrical code to enforce correct wiring. We just need a kind soul driving by our house to notice the company who built our house wired it up wrong. Then that kind person can inform the company of the bad wiring.
And if the company agrees it's their wiring at fault, we can wait 3 months for a fix. Then the next month another kind soul finds more bad wiring. And we just have to hope there is an army of kind strangers out there checking every building built by every company. And hope in the meantime that the building doesn't burn down.
Meanwhile, people have to live with bad wiring for years, that could have been completely prevented to begin with, by an electrician following the electrical code we all already agree on.
> So, we don't need an electrical code to enforce correct wiring.
For an analogy to work, its underlying elements should have a relation to the target. Your analogy is not in the same universe. For electrical work, there is a baseline of materials and practices which is known to produce acceptable results if adhered to. For software, there isn't. (Don't tell me about the Space Shuttle. Consumer software doesn't cost tens of millions and isn't written with dedicated teams over the decades.)
The analogy does work. The house is any software provided by any vendor. The kind strangers are white hat security researchers. The people living in the house are the users.
Software absolutely has baseline materials, have you never written software before? Never used a library? Programming language? API? Protocol? Data format or specification? CPU instruction? Sorting algorithm? A standard material is just a material tested to meet a standard. A 10d nail is a 10d nail if it meets the testing specs for 10d nails (ASTM F1667). Software can be tested against a spec. It's not rocket surgery.
No known practices with acceptable results?? Ever heard of OWASP? SBOMs? Artifact management? OIDC? RBAC? Automated security scanning? Version control? Code signing? Provenance? Profiling? Static code analysis? Strict types? Formal proofs? Automated testing? Fuzzing? Strict programming guidelines (ex. NASA/DOD/MISRA/AUTOSAR)? These are things professionals know about and use when they want standard acceptable results.
What are you talking about re: space shuttle and tens of millions? Have you actually read the coding standards for Air Force or NASA? They're simple, common-sense guidelines that any seasoned programmer would agree are good to follow if you want reliability.
I think the problem here is there's too many armchair experts saying "Can't be done" when they don't know what they're talking about, or jaded old fogeys who were on some horrible government project and decided anything done with rigor will be terrible. That's not the way it is in the trades, in medicine, in law, and those folks actually have more to think about than software engineers, and more restrictions. I think SWEs are just trying to get out of doing work and claiming it's too difficult, and the industry doesn't want to stop the free ride of lack of accountability it's had for decades.
AI is going to introduce 100x more security holes than before, so something will have to be done to improve security and reliability. We need to stop screwing around and create the software building code, before the government does it for us.
I mean this is still a semi-bs response on your case, even if you don't realize it.
Many of these devices have security flaws that are horrific and out of best practices by over a decade.
Just having something like "Have a bonded 3rd party security team review the source code and running router software" would solve around 95% of the stupid things they do.
> Just having something like "Have a bonded 3rd party security team review the source code and running router software" would solve around 95% of the stupid things they do.
It would certainly help, but no economically feasible amount of auditing and best practices could lead to having a warranty on that software. My thesis is that our current understanding of software is fundamentally weaker than that of practical applications of electricity, so it makes no sense to present analogies between the two.
> So, we don't need an electrical code to enforce correct wiring.
Are you familiar with how the actual electrical code works? It's a racket. The code is quite long and most of the inspectors don't know most of it so only a small subset is ever actually checked, and that only in the places where the person doing the work is actually pulling permits and the local inspector isn't corrupt or lax in areas the local tradespeople have learned that they're lax. Then we purposely limit the supply of licensed electricians so that they're expensive enough that ordinary people can't afford one, so that handyman from Craigslist or whatever, who isn't even allowed to pull permits, is the one who ends up doing the work.
It only basically works because no one has the incentive to purposely burn down your house and then it only happens in the cases where the numerous violations turned out to actually matter, which is rare enough for people to not get too upset about it.
But the thing that makes it a racket is the making the official process expensive on purpose to milk wealthy homeowners and corporations who actually use the official process, which is the same thing that drives common people to someone who charges a price they can afford even knowing that then there no inspection.
> Then that kind person can inform the company of the bad wiring.
The point is rather that when the homeowner discovers that their microwave outlet is heating up, they can fix it themselves or hire an independent professional to do it instead of the company that built the house (which may or may not even still exist) being the only one who can feasibly cause it to not stay like that until the house is on fire.
I mean, if you could download an update that would fix the wiring in your house, it would be much less critical that the initial installer got it right. (Still much more important than your router, though; it doesn't stop being an electrocution hazard during the un-updated period.)
Trying to make analogies from software to hardware will always fall down on that point. If you want to argue that there should be stricter security & correctness requirements for routers, maybe look more toward "here is how people actually treat them in practice" with regard to ignoring updates...?
> I mean, if you could download an update that would fix the wiring in your house, it would be much less critical that the initial installer got it right
As in my example, some random stranger needs to first find out your "house" (the vendor's software) is wired wrong. And this needs to happen for every "house" (every piece of software). While waiting for this to be discovered, your house burns down (hackers penetrate millions of devices, or perhaps just Microsoft Sharepoint that the govt is uses).
> What you need is the ability for consumers to replace the firmware.
I don't think that's enough. Most people aren't going to replace the firmware on their device with an open source replacement made by someone else. Now if the firmware was required to be open source, and automatic updates could be seamlessly switched over to a non-profit or government agency in the event of the company going out of business, you might have something. But there would be a lot of details to work out.
I have a PC hooked up to my TV in my living room that has been running the latest version of Kubuntu for over 18 years now. It has had many upgrades in that time but it's still the same basic hardware: A CPU, some memory, USB ports, a video card, and an ethernet port on the back.
That "genericness" is what's missing in the router space. Literally every consumer router that comes out has some super proprietary design that's meant to be replaced in its entirety in 3-4 years. Many can run Linux, sure, but how many have a replaceable/upgradable board? How many are like a PC where you can install whatever OS you want?
Sure, you can forcibly flash a new OS (e.g. OpenWRT) but that is a hack. The company lets you do that because they figure they'll get a bit more market share out of their products if they don't lock the firmware so much. They key point remains, however: They're not just hardware—even though they should be!
The world of consumer routers needs a PC-like architecture change. You can buy routers from companies like Banana Pi and Microtik like this but they're not marketed towards every-day consumers. Mostly because they're considered "too premium" and require too much expertise to setup.
I think there's a huge hole in the market for consumer-minded routers that run hardware like the Banana Pi R4 (which I have). When you buy it, you get the board and nothing else. It's up to you to get a case and install an OS on it (with OpenWRT, Debian, and Ubuntu being the normal options).
We need something like the Framework laptop for routers. Not from a, "it has interchangeable parts" perspective but from a marketing perspective. Normal people are buying Framework laptops because geeky friends and colleagues recommend them and they're not that much more expensive/troublesome than say, a cheap Acer/Asus laptop.
It's not so simple. Routers, like most tech emitting and modulating an RF signal by design, are certified products. The radio frequency bands, output power, allowed channels are all tightly controlled. Allowing end-users control without restrictions over such equipment would be unsafe.
> They key point remains, however: They're not just hardware—even though they should be!
This is the most thoughtful comment I've seen on this topic. I hadn't even considered this approach, but you're right. The hardware needs to be commoditized in a way that makes the software a layer that can be replaced. Someone else said this but in a way that described flashing a third-party package as HN nerds would. That's too much effort and it won't work.
It should be as generic as PC hardware. Every router manufacturer should build devices that can run the OSes of all their competitors' devices and vice versa. Maybe some features won't work with the other company's OS cause it isn't designed for that, but overall it ought to be replaceable. "Normal people" still wouldn't flash a new OS, but making it an option is a step towards making devices more secure.
If every router could get a new OS as easily as your techy friend could install Firefox or an ad-blocker or whatever else, we'd start the long march to a real longterm solution.
If you make something internet commected you must provide lifetime warranty for security. no import or sales sor even leases) until you have in escrow the money to pay for them.
i will allow sunsetting and removing ipv4 after 2020 (that is more that 5 years ago)
The concept of community firmware seems like a huge cop-out that allows companies to externalize costs. And it probably won't help security because 99% of devices will never get the third-party firmware installed anyway.
If they were trying to save costs they would ship the community firmware on the device to begin with because then they wouldn't have to write and maintain their own. The community welcomes them to externalize those costs onto the people with better incentives to improve the software.
What they're actually trying to do is obsolete the devices faster because then they won't add new protocols or other software-only features to older devices so you have to buy a new one, or only expose features in more expensive models that the less expensive hardware would also be capable of doing. Which is all the more reason for us to not have that.
And if they were required to allow anyone to replace the firmware then you would get companies reflashing and selling them that way from the store because the free firmware has more advertisable features. There's a reason you can go to major PC OEMs and pick between Windows, Linux and "don't even install one" and the reason is that if you give customers a choice, they generally don't want their software to be made by the OEM.
> What they're actually trying to do is obsolete the devices faster
This is exactly why. Obsoleting older devices keeps (in their eyes) the purchase treadmill running. Making a device that could be updated forever means never making another sale to that user (unless some physical failure happens, or the user wants a second one).
It could be part of dissolution of the company to mandate community firmware. But it depends on their licenses…
Anyhow, this is a common enough practice. Many companies that provide infrastructure type software and sell to Fortune 500 companies often have a clause whereby they deliver their software to their customers if the shut down.
We don't care about their licenses; that's their problem. If they need firmware with a license that allows them to redistribute it there are plenty of free ones to choose from.
And you can't wait until after they're dead to have them do something. By then they're gone or judgment proof because they're already bankrupt. Especially when you're talking about companies that aren't in the jurisdiction because you can't even make them do anything when they're already not shipping products to you anymore. It has to be from Day 1.
There was a promising design from Azure Sphere for 10 years of IoT device Linux security updates from Microsoft, even if the IoT vendor went out of business. This required a hardware design to isolate vendor userspace code from device security code, so they could be updated independently. Could be resurrected as open standard with FRAND licensing.
The main thing you need is for the lowest-level code to be open and replaceable/patchable because it's the only part which is actually specific to the device. Windows running on Core Boot is a better place to be than custom Linux running on opaque blob, because in the first case you can pretty easily get to newer Windows, vanilla Linux or anything else you want running on Core Boot after the original version of Windows goes out of support, and you can update Core Boot, whereas the latter often can't even get you to a newer version of Linux.
Modern coreboot depends on opaque blobs on CPU (FSP/ACM on Intel) and auxiliary processors (ME/PSP), but AMD is moving in the right direction with OpenSIL host firmware. Arm devices have their own share of firmware blobs.
A decade of security updates for routers would require stable isolation between low-level device security and IoT vendor userspace. In Sphere, the business model for 10 years of paid updates was backed by hardware isolation. Anyone know why it didn't get market traction? There was a dev board, but no products shipped.
Oh gee. Maybe because no one sane looks at an industrial product adversarially built to confine and prevent the end user from doing anything to it and wants anything to do with it? It isn't rocket science. If I can't buy it and get a damn manual and programming tools to twiddle all the bits, I'm not adopting. Not even at gunpoint, or if you're the last supplier on Earth. I won't be held voluntarily hostage because a bunch of corporate types, and bureaucrats decided to work together to normalize adversarial silicon. Multiply by everyone I know, and anyone with enough braincells to rub together to pattern match "regulatory capture" and "capitalist rent seeking". You can call me a bore if you want. The incentives are completely unaligned, as this place is so fond of saying. End user adoption is built on faith in product. End user capacity to have faith in the product is based on the capability of the technically savvy purchaser to keep the thing running, repair, understand, and explain it to the non-technically savvy. I look at adversarial silicon isolating me from the hardware; I have to sound off-my-rocker to my non tech-savvy friends family to actually explain that yes, there are industrial cabals out to keep you from doing things with the thing you bought.
It doesn't make any business sense, or practical sense whatsoever. Don't bother quoting regulations that demand the isolation (baseband processors and radio emission regulations) at me. Yeah. I know. I've read those too.
Get over business models that require normalized game theory, and we can talk. Until then, enjoy never having nice things catch on. Hint: your definition of "nice" (where I can't control how it works after purchase) is mutually exclusive with things I'm willing to syndicate as "nice". Nice people don't manipulate others.
> If I can't buy it and get a damn manual and programming tools to twiddle all the bits, I'm not adopting.
Hence the isolated device security hardware should be an open standard with FRAND licensing. If devices ship with a prepaid commercial license for 10 years of device security updates from BIG_CO, the default commercial baseline would be raised independent of IoT vendors. Tech-savvy users could then have the option to replace the device security layer with the OSS _or_ competing commercial stack of their choice.
It might also be illegal. Don't know about the US but forcing a bankruptcy to avoid regulations is usually frowned upon by the court system here. So putting a product in a child-dummycorp to go poof when you want and let the parent stay afloat usually puts the parent in the line of fire directly and you are screwed either way.
It is possible to require escrow accounts for cover costs of fixing future security issues) - these survive bankruptcy. They need to be big enough to cover the costs though - insurance can calculate this but it isn't cheap.
The obvious problem with that is the detriment to smaller companies, but it makes a good alternative to releasing the code.
Then if you're a five person shop making routers and you publish the firmware source under a license that allows anyone to make and distribute modifications you're all set. And if you're Apple or Microsoft and you want to make a router without publishing the source code, you post the enormous bond which you have no trouble doing because you're an enormous company and you're all set.
Why not just put the onus on ISPs? 99% of users lease their router from their ISP. If updates stop after three years, looks like you're getting a complimentary service appointment to get a new router.
> What you need is the ability for consumers to replace the firmware.
> That solves the problem in three ways.
That alleviates the problem, but definitely doesn't solve it. Updates are still required, and most people will never update devices they don't directly interact with.
Which introduces new security risks, but more importantly, the consumer has to configure the device to use open source firmware, and set up auto updates, unless the device is being auto updated by the device manufacturer and forces all of their customers to switch to the new firmware, which seems very unlikely.
How? The device phones home to the manufacturer's servers to get new updates. Manufacturer goes out of business, servers get shut down. How does it know where to get updates now?
> Manufacturer goes out of business, servers get shut down.
Continue your chain of reasoning: DNS name becomes unmaintained, gets grabbed by open source / foundation / gov agency, pushes open source firmware update.
The government obviously cares less about citizens running firmware China can hack than it does about citizens potentially running firmware the government can't hack.
> But then vendors want to stop issuing them after 3 years
Tough shit. You provide updates for the mandated amount of time, or you lose access to the market. No warnings, you're just done.
> And "require longer support" doesn't fix it because many of the vendors will go out of business.
Source code escrow plus a bond. The bond is set at a level where a third party can pay engineers to maintain the software and distribute updates for the remainder of the mandated support period. And as time passes with documented active support, the bond requirements for that device go down until the end of the support period.
Requiring that the customer be allowed to replace the firmware is essential, I agree, but not for this reason. That requirement, by itself, just externalizes the support costs onto open source communities. Companies that sell this sort of hardware need to put up the resources, up front, irrevocably, to ensure the cost of software maintenance is covered for the entire period.
Personally I don't buy consumer router hardware that I can't immediately flash OpenWRT on, but that option is not suitable for the general public.
How does this help? 99% of the population aren't technically minded enough. Most people just buy a wifi router, plug it in (maybe having read the instructions) and that's it. They have neither the skills nor the inclination to update firmware.
The real problem is: assuming that firmware can be updated, how do you run a nationwide update programme overcoming a population that doesn't really care or have the skills to do it.
Vehicle safety standards (mandated annual safety checks like the UK MoT test) is the closest analogy I can think of - in the UK you can't insure your car without a valid MoT. If you were serious, then maybe tying ISP access to updated router firmware would be the way to go.
Customers notice higher prices at time of purchase a lot more than they notice a lack of future security updates, so good luck selling them for that price when someone else just puts an existing open source firmware on the existing hardware and sells it for the existing price.
>And "require longer support" doesn't fix it because many of the vendors will go out of business.
Do you mean 'out of business so they cannot provide updates'?
Because, if you mean cheap companies won't be able to provide updates and stay in business, surely that's the point. Companies would have to shim to a standardised firmware that was robust, or something, to keep costs down.
Isn't this all to protect USA business interests and ensure the Trump regime can install their own backdoor though?
"You ship something with no known bugs and then someone finds one."
You managed to say that with a straight face!
Let's keep this ... non partisan. You might recall that many vendors have decided to embed static creds in firmware and only bother patch them out when caught out.
How on earth is embedded creds in any way: "no known bugs"?
I think we are on the same side (absolutely) but please don't allow the buggers any credibility!
> How on earth is embedded creds in any way: "no known bugs"?
You misunderstand how organizational knowledge works. You see, it doesn't.
Some embeds the credentials, someone else ships the product. The first person doesn't even necessarily still work there at that point.
Remember that time NASA sent a Mars orbiter to Mars and then immediately crashed it because some of them were using pounds and the others newtons? Literally rocket scientists.
The best we know how to do here is to keep the incentives aligned so the people who suffer the consequences of something can do something about it. And in this case the people who suffer the consequences are the consumers, not the company that may have already ceased to exist, so we need to give the consumers a good way to fix it.
> When you are building software, you build a security process, not security individuals or stuff like this happens.
You can't solve an incentive problem with process because then they lack the incentive to follow the process.
To enforce a law you need to be able to identify a violation at a point in time when you can still impose a penalty for it. When a device is first released, you don't yet know if anyone will find a vulnerability in it or if the company will stay around to update it if they do. By the time you find out if it will happen, you can't punish them for the same reason they can't provide updates: they've ceased operations and no longer exist. So that doesn't work.
> With software writers the losses occur to the end user.
Which is why the end user needs to be empowered to efficiently prevent the losses, since they're the one with the strongest incentive to do it.
Somebody has to pay for the support. There is no free meal.
Enterprise must be able to pay for support for as long as they use devices. Solved.
I can only think of requiring the devices to be serviceable, as you say. The absolute only way I can think of charging the consumers, ie the owners, is to charge a tax on internet connections. Then the government would pay somehow vulnerability hunters working along patchers, who can oversee each other.
Consumers are tricky: if you include support in the sale price, the company will grab the money and run in 3 or 5 years; and some companies will sell cheaper because they know they won't provide support.
> Somebody has to pay for the support. There is no free meal.
The problem is not that people need a free meal. The problem is that people need the ability to eat some other food when the OEM's restaurant is closed or unsatisfactory.
> Who creates and regularly keeps the firmware for the dozens and dozens of router models secure and up-to-date?
99% of the firmware is not actually device specific, and more to the point no one has to create it because it already exists and is already maintained. You don't have to write the Linux kernel from scratch for every different device.
The problem looks like this: The vendor creates an opaque blob that runs on part of the device. This is only 1% of the code that runs on the device but it's the device-specific part. Moreover, that code interacts with the kernel, but was written to assume a specific older version of the kernel which is now out of date.
Updating it to use a newer kernel requires very little work if you have the source code -- in that case much of it is just automated refactoring -- but without the code it becomes a much more arduous reverse engineering effort. Likewise, if the device-specific code has a bug and you have the source code, the cause of the problem is easier to identify and the fix is to change two lines and recompile it. But without the code just identifying the problem becomes an intensive reverse engineering task again.
So you have a community which is willing and able to do a finite amount of work. Some subset of the device owners are programmers and if they can spend two hours fixing a problem that they themselves have, it gets fixed for everyone. But if fixing the same problem takes them two months, they don't. Therefore, the solution is to do the thing that allows it to take the shorter amount of time so that it actually happens.
It would be ideal if we could come up with a way to get people paid to maintain a community firmware. However, that's a considerably harder problem than "you absolutely must allow community firmware to be flashed".
I agree. It's a harder problem and it's the more critical problem.
Businesses aren't incentivized to maintain it and hoping that the community can support it by opening it is perhaps necessary, but it's far from sufficient.
Either the business or maintainers need to be sufficiently incentivized--whether it's through funding, reputation, or something else (graduate-student torture).
I mean, OEM would make the device upgradeable, government will pay independent bounty hunters and patchers and will push the updates. Then consumers pay for all that.
> Secure software won't protect you from insecure hardware
Then what's KPTI etc.?
> which also needs to be formally verified for a secure system.
Now we just need a correct and complete theory of quantum mechanics and to do something about that Heisenberg thing.
In general formal proofs tell you if something is true given a stipulated set of assumptions. They don't tell you if one of the stipulated assumptions is wrong or can be caused to be wrong on purpose by doing something nobody had previously known to be possible.
You're being sarcastic, right? The entire concept of "guaranteed to be secure" is a fantasy.
Even EAL7 can't guarantee anything. It can only say that the tools used for verification didn't find anything wrong. I'm not saying the tools are garbage, but the tools were made by humans, and humans are fallible.
Plenty of consumer-grade devices have had very lax security settings or backdoors baked in for purposes of “troubleshooting” and recovery assistance. It’s never been limited to foreign-made devices.
Security has never been part of the review process. The only time any agency has really cared is when encryption is involved, and that’s just been the FBI wanting it to be neutered so they can have their own backdoors.
> no Gov agency would ever mandate secure firmware
Interestingly, Europe is about to try this: the Cyber Resilience Act is going to become obligatory for all sold digital products (hardware & software) by the end of 2027, with a bunch of strict minimum requirements: no hardcoded default passwords, must check for known vulnerabilities in components/dependencies, encryption for data at rest, automatic security updates by default (which must be separate from functionality updates), etc.
Remains to be seen whether this'll help, but good to see somebody have a go at fixing this.
Encrypting data at rest is security theatre right? Unless consumers control the keys (which they generally dont want to), the keys will have to be accessible by the system storing the data. So if the system is compromised so are the keys? Like I cannot see the security benefits from encrypting data at rest in a non E2E system.
Right but access to those keys will be available in an unhardened location then? Otherwise you're serving encrypted data. So if the system accessing the data and using the keys is compromised, which we can assume is the case if the data is compromised, then access to the keys is as well?
Maybe I'm being an idiot but it seems like a lot of extra complexity to protect against really only physical attacks where someone directly steals the data storage.
> This includes the FCC which license their devices
The FCC licenses devices to the extent that devices can cause spurious transmissions in the radio spectrum. It’s not a general consumer protection agency. Computer security also is outside the mandate of the FTC, which exists to protect consumers from anticompetitive conduct and unfair business practices, not crappy products.
I could see why someone might be confused in the Mayer of what the FCC can regulate, considering that it regulates the content of television and radio broadcasts and somehow regulates cable TV providers, despite the use of wired connections to customers, instead of radio transmissions.
> somehow regulates cable TV providers, despite the use of wired connections
They regulate broadcast TV. Those rules leak into cable TV because the originators generally want content that can be sold for broadcast in the future and is advertiser friendly. Cable operators are also often beholden to community standards imposed by municipalities they serve. The FCC isn't responsible for content restrictions on cable.
Where in the Federal Communications Commission's governing legislation does it say that they're only allowed to regulate things sent through the airwaves?
It applies to communications over radio or wire: “The provisions of this act shall apply to all interstate and foreign communication by wire
or radio and all interstate and foreign transmission of energy by radio, which originates and/or is received within the United States, and to all persons engaged within the United States in such
communication or such transmission of energy by radio, and to the licensing and regulating of all radio stations as hereinafter provided…”
So if a company uses as part of its marketing for a product the phrase "advanced security, privacy, and connectivity for homes of every shape and size" and then is later found to have lied about the "advanced security" and "privacy" part of their marketing by shipping firmware with security bugs, does that not now fall under the "deceptive" category of the "unfair, deceptive and fraudulent business practices" part of the FTC's mission?
Sounds like it does to me. Also you're forgetting the part where the FTC under a prior administration either banned DLINK from selling in the US or heavily fined them for selling routers in the US that they knew were running insecure, buggy firmware.
(both quotes were taken verbatim from first, Netgear's US website, and secondly the Bureau of Consumer Protections' section of the FTC's website)
I know it's the norm to criticize the admin, but I don't think its what they're saying. I think they're saying "they know of the vulns they leave in and only fix them after it's been exploited by their states".
Not that any consumer router is super nice and safe, honestly, you're better off making your own these days.
> Vulnerabilities have nothing to do with country of manufacture. They have always been due to manufacturers' crap security practices.
True, but the country of manufacture is related to the risk of back doors.
There is a huge security problem (everywhere, not just the US) with insecure consumer devices (not just routers, everything from Wi-fi enabled lightbulbs to cars). AT least someone seems to be waking up to the problem even if their solution is half-baked.
IMO they should have a choice between open source that can be updated out of band from the manufacturer or assuming direct liability for issues for the product's life.
So after two decades, the FCC finally does something about insecure routers by banning security updates unless you jump through a bunch of extra hoops. That's definitely going to improve the situation.
I suppose foreign routers might not have convenient mechanisms for the government to access and control them at will, hence the "unacceptable risk to the national security".
> Vulnerabilities have nothing to do with country of manufacture. They have always been due to manufacturers' crap security practices.
Sorry but this is merely a convenient excuse. Source: I have hard evidence of a Chinese IoT device where crap security practices were later leveraged by the same company to inject exploit code. It's called plausible deniability and it's foolish to tell me it's a coincidence.
You're not going to convince me that a foreign state actor pressuring a company to include a backdoor wouldn't disguise it as a "whoopsie, our crap code lol" as opposed to adding in the open with a disclaimer on it.
It's all closed source firmware. Even the GPL packages from most consumer router vendors are loaded with binary blobs. Tell me I should trust it.
Sure, but this also bans pretty much all routers made by American companies too, since they're not fully assembled in the US. So I'm not sure that explanation fits.
If US manufacturers (or manufacturers in allied countries) do this, legal avenues exist to hold those manufacturers accountable. Not so with China.
(That is not to say that the FCC change will move the needle on the underlying issue of router security; as some of the ancestor comments have said, lax security practices are common industry-wide, irrespective of country of development/manufacture.)
The Snowden leak showed that Cisco routers had been altered to enable surveillance [1]. Whether or not the manufacturer is complicit, or how the alteration is performed is ultimately irrelevant to the end user. Ultimately, the only people that got in legal trouble for this were Snowden and people who provided service to him.
It is absolutely relevant. It is completely within the realm of feasibility that a foreign nation state would pressure a manufacturer in their jurisdiction to include a backdoor, or simply insert it themselves. Routers are in every home and office in the country, and can be leveraged for immense attacks. It’s a hugely attractive target, and it’s a reasonable security policy to try to limit our exposure to this threat. And it would absolutely make sense for adversaries to avoid buying U.S. made routers for exactly the same reason. Unfortunately this administration is generating more adversaries by the day.
I think you're responding to the wrong comment, or missing the nuance above.
Having state actors redirecting products after shipping, without telling the company or the client it's happening, and installing backdoors, has nothing at all to do with backdoors from manufacturers.
>a foreign nation state would pressure a manufacturer in their jurisdiction to include a backdoor
That absolutely is about jurisdiction and is a much bigger, more scalable attack than intercepting and installing implants. More to the point, it can be done at _any time_ not just the initial ship.
> legal avenues exist to hold those manufacturers accountable
Maybe in theory. I think the practical chance of enforcing anything meaningful through those legal avenues against a US manufacturer is not meaningfully higher than the chance of doing so against a Chinese manufacturer, so it doesn't make sense to treat them differently on these grounds.
And who hasn't seen American software companies where crap security practices are later leveraged by the same company to run exploits? It's of course always phrased in Orwellian terms of business practices, terms of service, "security", etc but we can still call a spade a spade.
One dog's exploit is another's Clippy. I've certainly seen companies downgrade security generally when they deploy (and enable by default) new features. Start with web browsers. Ads in software you paid for. Always on app telemetry. Cloud backups. Cloud-compute assisted "desktop" tools. Sorry, out of time.
This part of the press release seems pretty crucial:
> Producers of consumer-grade routers that receive Conditional Approval from DoW or DHS can continue to receive FCC equipment authorizations.
In other words, foreign-made consumer routers are banned by default. But if you are a manufacturer, you can apply to get unbanned ("Conditional Approval").
If you (a manufacturer) apply, they want information regarding corporate location, jursidiction, and ownership. They want a bill of materials with country of origin and a justification for why any foreign-sourced components can't be domestic. They want information about who provides software and updates. And they want to hear your plan to increase US domestic manufacturing and progress toward that goal.
So, foreign-made consumer routers can still be sold, but they are going to look at them with a fine-tooth comb, and they are going to use FCC approval as leverage to try to increase domestic manufacturing.
> foreign-made consumer routers can still be sold, but they are going to look at them with a fine-tooth comb, and they are going to use FCC approval as leverage to try to increase domestic manufacturing
That is not what's going to happen. What's going to happen is that anyone coughing up payola to the current executive in chief's people will get approved, and anyone that doesn't will remain blocked. This practice is currently widespread, in the form of tariffs.
We're going to keep seeing this in all kinds of industries throughout the next three or so years: "Your products are banned or your country is tariffed, but if you pay enough in bribes, er I mean undergo our approval process, then you'll be exempt."
to me the greatest damage the trump admin is doing is bringing out corruption in the open.
if there's really one thing that destroys countries is corruption. being originally from a 3rd world country - I have seen it. now the US is heading towards the same path.
having worked in the IOT industry before - I can tell even domestic manufactures will be forced to pay bribes soon cloaked in 'state secrets' - there's already export laws etc - but now they will be forced to pay for compliance e.g maybe donating the president's vanity project.
You know that's exactly how it's going to be. There are two attributes of this administration that are just as prominent as corruption -- laziness and incompetence.
That descriptions already fits the payola model. It's almost never about directly handing money to a politician. That's illegal, so it's not worth doing when there's legal ways to do it. Instead, payola usually involves regulations requiring using some kind of product or certification, then the organizations that sell the product or perform the certification contribute to the politicians.
Also, the biggest benefactors of payola aren't the politicians, it's the rent seekers, that is the businesses already in place that want to prevent competition. Because of this, they usually directly contribute to the politicians that promise to restrict the path to doing business.
For example, if you want a newest-generation extremely-efficient air conditioner in the US, you won't be able to buy it and even if you could, you wouldn't be able to get anyone to install it. Any given model of air conditioners needs to be on an approved list to be sold in the US, and the installer needs to be on an approved list, too. This means that by the time an air conditioner makes it onto the list, it's already old. Also, installers can require you buy it from them, and almost all do, so by the time time an installer on the list has it for sale, it's even older than that. Ironically this is all enabled by the EPA, on the auspices that they are ensuring that it's energy inefficient, when in reality they are preserving the market for the older, more expensive, and inefficient models.
Trump made $4B last year. It's open and direct bribery at this point. He's said he plans to hide behind qualified immunity and pardons for people he pays (with tax money) to break the law on his behalf.
Dario (CEO of Anthropic) said the DoW contract violations and threats were direct retaliation for not paying Trump "campaign" money. Later, he was forced to apologize for speaking the truth.
> If you (a manufacturer) apply, they want information regarding corporate location, jursidiction, and ownership. They want a bill of materials with country of origin and a justification for why any foreign-sourced components can't be domestic. They want information about who provides software and updates. And they want to hear your plan to increase US domestic manufacturing and progress toward that goal.
Wow NGL this sounds great if you ignore the reality that it'll be used as a partisan backdoor to enriching the administration.
> So, foreign-made consumer routers can still be sold, but they are going to look at them with a fine-tooth comb, and they are going to use FCC approval as leverage to try to increase domestic manufacturing.
You're assuming a non-partisan technocratic process, which this administration has amply shown is neither capable nor willing to provide. This requirement becomes another opportunity for Pay-to-Play, either in cash or quid pro quo, to the government directly (see, e.g., NVidia and AMD export allowances) or to Trump's inner circle (see, e.g., crypto venture regulation, merger approvals).
This is the problem with erosion of norms. We’ve all known for decades that consumer routers have shit security. We’ve all known about the risk of implants or intentional backdoors in the supply chain. And now when the FCC appears to be finally doing something about it, there’s a massive cloud of mistrust hanging over the whole idea.
The mistrust comes from those doing it, and the clearly corrupt ways they are operating. The maggot movement is basically rooted in a lot of very real frustrations from very real longstanding problems, but the only thing it offers as solutions is performative vice signalling.
People who care about the problems of digital security are not going to lean into the idea of simply banning devices based on where they were manufactured. Rather they would work at general standards and solutions to actually solve the problems - things like untying the markets for hardware/firmware/services, requiring firmware source escrow, mandating LAN protocols and controllers so every single IoT device isn't backhauling to its own mothership, and so on.
Likewise people who care about domestic manufacturing first and foremost are not going to champion applying steep blanket tariffs two decades after all of that industry has already left, or using regulatory agencies to shake down manufacturers for unrelated concessions.
I’m reading this as “tariffs didn’t work, so now we need different pain levers to wield against trading partners to bully them at the expense of consumers”.
Any router made by a company that "donates" (bribes) to Trump's "ballroom" or other vanity projects will get approved. Irrespective of anything else. This is just another grift.
Does it occurs to someone that in this time of encryption backdoor and such, this is also a good starting point to another mass surveillance system ? Mandate US manufacturers to embed remote access for the use of the government, then as you've made those routers the only ones authorized on the us soil (let's not be foolish about that approval process, it will be a smoke screen) you basically have a backdoor to every citizen home.
Yes china routers are a liability, but free trade and open market ensure at least one thing that's essential : no single state has surveillance capability on its entire population
This is why users need to have an american router, chinese router, and russian router, all wired in series. That way no one spy branch has full backdoor access through the chain ;-)
How would that work? Backdoors usually go the other way: malware calls home. How can the first router in the chain differentiate TLS backdoor traffic from the 3rd router (the one with access to your LAN) from legitimate traffic from LAN?
Questions of mass surveillance aside, I always wonder how useful these things (motion detection when you're not home) actually are given how many American households have dogs and cats.
I wouldn't be surprised if they can't tell the difference between a person and pet. Also wouldn't be surprised if they used that data to push pet food ads at you somewhere or just sold that info to a data broker.
Is there any confirmation whether this includes Ubiquiti equipment? I think this blanket affects consuner routers but exempts business routers? And I’m not sure which ubiquiti would fall under!
The FCC is bypassing the public comment period by having the DOD classify this as a national security concern. This is blatant collaboration between agencies to expand their respective authorities into a new amalgamation that stretches far beyond their congressional authorization.
A little rich coming from the administration that supports a strict view of the major questions doctrine. They have no problem kneecapping the EPA. But the communications commission has the right to ban all drones (and not the FAA for example).
I'd say I'm shocked but I am not. Their next order forcing backdoors will be secret.
The business model is simple: Sell nice hardware at a premium, then sponsor and upstream improvements to OpenWRT.
If the software is an important differentiator (arguably, it is for things like Ubiquiti, but clearly it is not for most consumer routers), then release the patches under the Business Source License with a 3-5 year sunset back to BSD / Apache / GPL.
Open to audits doesn't mean free software, it just means visible source. The business model for selling routers with auditable firmware is selling routers.
And the public doesn't have to audit it. The govt already audits/inspects/validates plenty of sensitive physical products, typically through 3rd party industry associations. You don't get to peek inside, but people signing NDAs do.
Even if this wasn't done, at the very least they must publish their software testing procedures, the way UL, ETL, and CSA require to certify devices for the US power grid. (https://www.komaspec.com/about-us/blog/ul-etl-csa-certificat...) They can also do black box testing.
But ideally they would actually inspect the software to ensure its design is correct. Otherwise vibe-coded apps with swiss cheese code will be running critical infrastructure and nobody will know until it's too late.
Open firmware for your own devices is commercially viable. That is why hardware vendors create FOSS drivers. not all do, but it is a viable business model.
There's also Turris from cz.nic [1]. Technically they use a fork of OpenWRT with some convenience features like auto-updates, although it looks like you can run OpenWRT on (some of their routers?) if you wanted to [2].
There's a whole interesting physiology behind learned helplessness (of which this is a minor variation).
In its defense, there's some practicality to it; we wouldn't say that a "get out of debt" plan that involved spending all available money on lottery tickets is worthwhile because "its not gonna happen". But defeatism is just a shortcut to say "I don't want to talk/think about it" in many cases.
And in this one, if the US Gov't required that all routers purchased by any agency they could influence had the ability to run open source code it would certainly shake up the market.
Why? You'd need to get someone electorally useful involved. That, unfortunately, elimiates a lot of the nihilistic, holier-than-thou tech types. But that's pretty doable nowadays. You just need an electorally-relevant group of people on your side.
I'm no fan of imaginary property, but you're going to have to lay out your reasoning here. Firmware security is such crap precisely because most hardware manufacturers see it as nothing but a cost center they wish they could avoid.
The difficulty of installing OpenWRT or Linux in general on hardware comes from that hardware not being documented, or not having straightforward APIs like BIOS/EFI.
Or for some devices, community distributions that dubiously remix manufacturer-supplied binaries are available. But we generally see that as soon as the manufacturer stops their updates, the community versions start lagging behind as well.
What are you referring to? Would you not say there is a difference between OpenWRT having to make a list of supported whole systems, whereas an amd64 Linux distribution making a list of chipsets? I can go buy an off the shelf laptop, stick a generic "Linux install" USB in it, and be reasonably certain most things are going to work. Whereas OpenWrt I have to look at their list of supported machines, and buy exactly that one, even down to the hardware rev. Some of this is due to embedded constraints, but a good chunk is also due to the lack of hardware discoverability.
>> community distributions that dubiously remix manufacturer-supplied binaries are available
> The reason OpenWrt abandoned most routers was
I didn't mean things like OpenWrt, which I'd say is a general Linux distribution that does contortions to fit on specific devices. Rather I was talking about things like Valetudo which are closer to rooting the stock distribution with some tweaks, or the countless "custom ROMs" you see (saw?) in the phone world which are effectively remixing the manufacturer images. I thought DD-WRT was in that camp, especially for many devices (eg where do these "older kernels" come from?), but I'm hazy on that.
(personally I gave on up OpenWrt some 10 years back, and just use generic Linux (NixOS) on amd64. A VM on my server for the router, and lower-power amd64 boards for the additional APs (most of which double as Kodi terminals))
You will first probably need Congress to legislate away the long standing prohibitions against offering (easily) user-modifiable RF devices on the market.
Self ownership and full 'right to repair' has carve-outs in the FCC's regulations in the name of limiting unintentional broadcasting/radiation. Maybe a challenge to those would survive in the post-Chevron environment. I wouldn't expect any Congress in the last 25 years to pass a law which would go against the incumbent telecom lobbyist interests though, and I'd expect such a hole if it did hit case law, to get 'patched' fairly quickly.
About the only way to really solve that would be to embarrass vendors enough to open their moats.
I dunno, I'm pretty big on FOSS but I don't think you would need that to improve. Requiring that the firmware have its source code available to audit doesn't mean that users can replace it. AFAIK you could, today, with no legal changes, have a vendor release 100% of the code under eg. a MIT license while also making the device refuse to run firmware not signed with their keys. Researchers could poke at it to find bugs, and FCC regulations wouldn't be touched. (Note: IANAL, so feel free to point out if I'm wrong about that)
(To be clear, I don't think that's good enough; at a minimum I think there should be a wifi card that does refuse modifications and a main application processor that is 100% user controlled so that they can actually fix problems without needing the vendor to help, but I think it's useful to point out that auditing code doesn't require being able to install it)
> AFAIK you could, today, with no legal changes, have a vendor release 100% of the code under eg. a MIT license while also making the device refuse to run firmware not signed with their keys.
This is already the case today with many embedded devices. They have secure boot enabled so even if the vendor releases the GPL source code (big if), you can't do anything because the device will only boot the vendor's signed firmware.
> at a minimum I think there should be a wifi card that does refuse modifications and a main application processor that is 100% user controlled so that they can actually fix problems without needing the vendor to help
This is already possible. The RF components frequently have a signed firmware blob that is verified on load. There is no reason but planned obsolescence and greed keeping the application processor locked to running the vendor's signed code.
> That sounds like what Software Freedom Conservancy would call a GPL violation
Sure, it is. So what? Have you got 200k for lawyers and years of your life to spend in court fighting over it?
I have personally contacted the SFC with ample evidence of deliberate and wilful GPL violations, such as providing a written offer for source code and then ignoring or flat out refusing requests for the source code. The SFC has acknowledged the vendors are violating the spirit and letter of the GPL.
Nothing happens. The SFC is one organisation with limited resources, FOSS developers don't want to spend their time in court, they'd rather develop software. Vendors know 9 times out of 10 they will get away with the GPL violation scot-free.
It's fine to put on your rose colored glasses and pretend GPL forces companies to release source code. Reality is, the vendors have a larger marketing budget than the entire SFC endowment and the vendor's legal team is happy to tar-pit requests ad infinitum.
Not all of the functionality is in the firmware though. You can put stuff in the silicon itself that allows backdoors.
It's very difficult to inspect a laid out chip for nefarious elements - there's too much of it to do manually. Having a secure supply chain is probably the best way to prevent that happening.
Which is not to say that I support this rule - it sounds like another import weapon trump can swing against people who aren't his friends.
problem is: how do you prove the firmware in the flash chip matches source? And I do not mean me, with a disassembler and a pi pico to read out the flash chip. I mean the 70-yaer-old corner shop owner that buys this router to provide free WiFi for customers?
A process not working on occasion doesn't mean the entire verification method is garbage.
I get the desire to not have to trust a third party, but realistically, there isn't a way to function without doing so, outside of going out and living in the forest in a cabin you've built yourself, either doing without electricity, or with solar panels you've built yourself from raw materials.
Human processes aren't like computers. They're messy. They fail sometimes. They need checks and balances. Sometimes those checks and balances don't work. Sometimes the checks only work well after the fact, and the people who were harmed aren't all made whole.
Yes. But a lot of people still got cars that were not as represented. So if we follow the same pattern, somebody will go to jail, but most routers will not be running verified or safe code.
So you personally test your produce to ensure it's safe to eat, has no pesticides embedded in it that could harm you, etc.? You do that after every single trip to the grocery store or farmer's market? Every trip? You don't spot check, and assume/hope/trust that the ones you don't test are safe?
A trusted website that compiles it from source and a way for you to go to a webpage and flash from there automatically. The FPV community does that all the time with a set of websites for their ESC, flight controllers, radio, all open source. You can add signatures etc but just a trusted website goes a long way vs a random blob preinstalled
That proves that the one they checked, had the correct firmware. It does not prove that the one from the next batch that you bought did. We are all technical people here we and understand that there isn’t really an easy way to do this that a random non-technical person could actually understand and use.
Isn't the person you're replying to suggesting people can update the firmware to the trusted version via a website? So it doesn't matter if you get one from 'the next batch' - provided you're on top of updating the firmware.
If only somebody could make a firmware that claims to have accepted the update, but then proceeds to not actually update itself. Read out the version string from the update and save it. Show that when asked what your version is.
There's no solution to that other than having knowledge and researching the code/device yourself. You can pick apart modern Linux/busybox based IoTs fairly quickly, so effort needed is not really a huge issue.
Maybe trusted community of people could do it for everyone, but there's currently all kinds of potential legal trouble brewing in that approach. Complete and public reverse engineering of every aspect of any device would have to be made completely legal, so that people could freely publish all artifacts extracted from a device and produced during reverse engineering and collaborate on them without any fear of repercussions. Also HW manufacturers would have to be prohibited from NDAing documentation for SoCs, etc.
Side benefit would be that this would also serve as a documentation for freeing the device and developing alternative firmwares with modernized sw/reduced attack surface.
We are in violent agreement. And precisely because there is no simple solution to it, half-measures like what is proposed here do absolutely no good, and often times do harm.
Considering this is after Loper Bright Enterprises v. Raimondo (2024), it will be interesting to see if this holds up to judicial scrutiny.
The FCC's power just got substantially nerfed, and "we've decided to slow lane all foreign-made routers" feels like that may have been beaten on the old, higher, standard. Let alone the new one that gives the FCC almost no power.
> As outlined below, today’s action does not impact a consumer’s continued use of routers they previously acquired. Nor does it prevent retailers from continuing to sell, import, or market router models approved previously through the FCC’s equipment authorization process. By operation of the FCC’s Covered List rules, the restrictions imposed today apply to new device models.
I’m sure plenty of US factories are capable of importing boxes that look like routers but are actually just switches (because the router firmware is missing) and re-flashing them here…
Qualcomm is a US company right? I've worked on a few WiFi router devices and their chips are pretty popular in that segment. But WiFi is not a priority for Qualcomm (in fact they actively sabotage it for their more profitable 5G segment), and software is even less of a priority. So you had "parsing 802.11 TLVs in the kernel with obvious stack overflows" quality code drops.
(Which is why it's a bit ironic I saw the Google Fiber guy post on X about how they always had TPM^TM "security" in their routers; thats cool, but the drivers you used still made them "general purpose computing over the air" devices)
Doesn't matter where they're headquartered if they use foreign-made components. I don't think there's a robust enough supply chain of domestic materials available (nor cheap enough labor) to feasibly stop using foreign-made components.
> In conjunction with original software development, Island is designed and assembled in the USA to improve security and enable tighter quality control throughout the entire production process. The code for Island routers has only been loaded internally at Island HQ in the U.S; customer support is also managed directly in our U.S. Headquarters.
But the fact that a company can manufacture consumer(ish) routers in Latvia means it's very practical that another company could manufacture consumer routers in the US.
Usually the argument is that X can't be made in the US because China's so good at it that the US could never compete, so we shouldn't even try. But if a company with 367 employees in a country with the population of a medium-size metro area can do it, it proves that argument is bunk.
> But the fact that a company can manufacture consumer(ish) routers in Latvia means it's very practical that another company could manufacture consumer routers in the US.
Assembling them in Latvia, or the US, from internationally sourced components isn't a solution to anything.
> Usually the argument is that X can't be made in the US because China's so good at it that the US could never compete, so we shouldn't even try. But if a company with 367 employees in a country with the population of a medium-size metro area can do it, it proves that argument is bunk.
Unless Latvia is a much better environment for this kind of industry than the US is.
> Assembling them in Latvia, or the US, from internationally sourced components isn't a solution to anything.
I disagree. It's the first step. I mean, how did China do it? They started with assembly and low-value manufacturing and worked their way up the value chain. The US still had fabs. Once you get assembly reshored, start pushing to to reshore components (which are mostly chips, and pretty soon the equipment is mostly domestic.
> Unless Latvia is a much better environment for this kind of industry than the US is.
In what way?
Even if the US is utterly terrible for this kind of industry, we're talking about a small-medium sized tech company. It seems extremely doable.
For the device manufacturers, the obvious solution is to sell them as general-purpose computers. You can already get devices that had started out as Raspberry Pi clones but evolved into excellent DIY network appliances, with multiple high-speed Ethernet and SSD ports that are great for running a NAS, proxy server, firewall, or all three, and more. Rarely do they have good WiFi, but if manufacturers start selling hardware that has been traditionally sold as a locked-down routers or access points, but include a generic Linux installation, it'll compete will well with the aforementioned hardware.
Companies want to sell what consumers want to buy. But the average consumer doesn't want a general-purpose computer for this job; they instead want to buy a "router".
If companies market the devices as something other than "routers" then consumers will not buy them for routing duty.
(Meanwhile, the non-average people who want to use general-purpose computers as homespun router/NAS/do-all boxes are already aware of how this all works...and many of us have been doing it this way for decades. (Often, this happens alongside dedicated access points that do have good wifi radios.))
The average consumer doesn't want a router full stop. Their ISP hands them an all-in-one modem+router+switch+WAP box and they just accept that the internet lives inside of it.
I have roommates who are engineers and I had to explain to them the difference between Wi-fi access point and LAN when I replaces our wireless router with a router + 3 APs.
That's quite true. Most people don't know, and most people don't care. And of those who do care, many elect to rent/buy things like managed wifi mesh systems and/or faster service from their ISP to solve performance or coverage issues when a bit of SQM and another access point might do the trick in a once-and-done fashion.
And I don't mean to suggest, in any way, that this means that most people are stupid or anything like that. They can have ridiculously high intelligence while the nuts and bolts of networking remain completely beyond the scope of their thought processes.
But yet: Every-day consumer-oriented stores (including Wal-Mart) have routers (and mesh systems and...) in stock on the shelf for purchase in Anytown, USA right now. So while they may not be the majority, people are buying them.
> But the average consumer doesn't want a general-purpose computer for this job; they instead want to buy a "router".
So start your own company called usa router co, and sell some random arm board with a preinstalled router image... the end user won't know the difference.
Oh, for sure. That's easy enough; it's what GL.inet does: They sell router-shaped computers that run a skinned openwrt -- out of the box. (There's been some questions about GPL compliance over the years, but that's a separate issue.)
And superficially, it sounds like a straight-forward thing for me or anyone else to do here in the states, but things get murky quickly: What differentiates a foreign-made router from a US-made router?
Can I get some flunky push the button in his studio apartment in Idaho to flash open (but globally-sourced!) firmware onto some boxes from Alibaba (in exchange for startup promises) and call that good enough?
Do I have to spin up the boards here in the States? And the ICs, too? How about the passive jelly-bean parts like the capacitors and resistors and the antennas?
What of the rest of the device? Like, things such as the housing, the packaging, the power supply, and the included ethernet cable: Do I need to source those from domestic US production or is it OK if they're foreign-made components?
Do I have to produce the software in the States? (If so, Linux is right out.)
Occupancy sensing is a FEATURE on comcast home routers. It notifies you if someone is moving in the house and probably sells the occupancy data also. Makes location data from other sources far more valuable and verifiable.
You mean further war? It doesn't break out, people cause it. Then those people might, for example, lie about peace talks to make $Billions on futures trades.
They're not likely to go to war against people with long-range missiles though. Even they are not demented enough for that.
"Will turn off"... are you claiming that consumer-grade routers have a secret backdoor kill switch that one government or another can use to turn them off? That's a little hard to believe (even when they are security Swiss cheese).
Seeing the operational capability of Mossad in Iran means if desired, one should assume the US and China are equally capable.
The US didn’t make a space force to please the ego, it was likely to occur eventually. They aren’t spending all their time wargaming a moon invasion lol
Logistically, hacking tons of different model routers is not feasible. It would be more useful to yank the power grid.. which can be accomplished with missiles or software.
I'm not sure what you're suggesting, exactly, but we seem to have escalated from "kill the consumer-grade WiFi routers" to "kill the entire US power grid" in one post? If anyone did that, with missiles or software, things are going to escalate very quickly from there.
More likely they have RCE vulnerabilities known to various governments than intentionally made secret backdoors... which is worse since a backdoor would probably at least only be usable by the county that manufactured it (for example see Jia Tan's attempted backdoor).
The DOCSIS (Data Over Cable Service Interface Specification) standard for cable internet end user routers specifies total remote control. Most ISP originated routers are set up this way.
What exactly does "produced" mean in this context? That the final assembly was done here, software was written here, PCB was assembled here, SoCs and ICs wwre manufactured here, or something else? Regardless, while consumer routers are 9 of 10 times insecure garbage, it's hard to think of any that aren't manufactured outside the US.
Prediction: there will appear new "Made in the USA" routers that differ from some Chinese model only by the label. Already the case in Russia for e.g. powerbanks.
I would be more impressed if they would ban all enterprise routers manufactured in China. I have had to continuously patch and meticulously mitigate severe vulnerabilities and bugs in Cisco, Dell, HPE, Extreme, Arista routers, switches, fabrics, and others. These are all manufactured in China, Taiwan, Hong Kong, Vietnam, Malaysia, Thailand, and probably elsewhere in the Greater China region... Actually I take it all back. I wish they would just ban companies from shipping bad code and sanction them for causing millions of hours of required labor to ensure their manufacturing defects do not harm businesses and their customers. Thank you for your attention to my chatter.
As someone who works with networking (consumer prosumer enterprise everything) the problem is far more complex than : make it open.
Manufacturers can support devices for long but it costs money which the consumers / businesses aren’t willing to pay or value. Cybersecurity is a joke and the general consensus is : we will pay for things as and when there is a fire. We don’t put a price on prevention because we can’t really show it to shareholders how we profited from not being attacked since we blocked those. So we create an arbitrary certification and pass things according to it. This certification doesn’t say anything about firmware. But if we do get attacked then we can convince the shareholders to spend money on better equipment this financial year and then not bother until the next time we have a problem.
Some of these certifications focus on what the devices allow you to do (like acls and firewalls) and see if they pass these tests. But actually looking at the firmware and finding vulnerabilities is not in scope.
Yeah, it does sound like this should be focused on verifying firmware, including all future updates. If a Chinese company builds the router at a US Foxconn site, it is still the same situation.
If worried about supply chain and inside jobs, I worry more about the IoT widgets I have. They are already inside the LAN, can access the internet, etc.
Anyway, bribes aside, this is probably just a talking point and not much actually changes.
The FCC seems to count some level of assembly and packaging as qualifying as “Made in the US” so as long as it’s not a complete sham it should count.
Of course, getting a router SOC with firmware from the factory , soldering on the Ethernet ports and adding RAM and storage, installing an OS, throwing it in a case with a power supply into a box isn’t solving the problem of insecure foreign firmware but is meeting the “Made in US” demand.
So what counts and who gets exemptions will be telling.
The escalation path is probably: have some relationship to an entity that doesn't care about you -> make sure that entity becomes your enemy -> the enemy now has an incentive to see you as an enemy -> you must now be afraid of your new enemy.
I preordered one, I got it, and I sold it. They are active on Discord. Why did I sell it? The shortcomings of the platform made me realize I should just go with UI, despite my reservations about the company.
It's hard to tell considering there is absolutely no company/ownership information on the site, but a .si (Slovenia) domain coupled with EUR being an accepted currency has me thinking they're Europe-based, and therefore foreign-made.
... at the same time, I don't think I'd send $100 to a site with no contact/ownership/company info to begin with.
Compared to hardening your network, at least visiting the ZT church once in a while, running your router on a box which You control and which implements proper segmentation, provides DNS (and "DNS firewall") and an adaptive firewall, WAF (if you run web services), isolating your wifi (anything EXCEPT running it in the box provided by the ISP)?
No.
And you have to accept living with / mitigating that e.g. that isolated wifi access point theoretically receives and will need to apply software updates. /s People seem to treat it as some kind of heresy if you simply deny such appliances internet access.
I don't think the hardware matters so much as the firmware, which is solved by installing OpenWRT on anything that supports it.
If wireless security is the concern, maybe other people here know better but I don't believe anything convenient will be "secure" in the strongest sense of the word.
FCC maintains a list of equipment and services (Covered List) that have been determined to “pose an unacceptable risk to the national security.." FCC Updates Covered List to Include Foreign-Made Consumer Routers..
I disagree with the FCC. Banning "China routers" will not meaningfully increase security. Actual security has no correlation with country of manufacture.
my instinct is open source is part of the answer. the market monetizes with differentiation on the open source base, support, hardware, etc. vibrant enough market = the foss is secure (always a relative term) and continues to evolve, partially paid for by the companies who are monetizing
Because of this, I'm going to plan my next network upgrade based on open source hardware like Banana Pi. My setup is based on WiFi 7 so this might not apply for a few years. From my understanding, the hardware from proprietary manufacturers is sufficiently advanced to do some advanced surveillance and spyware, whereas previous generations didn't require advanced processing to achieve fiber optic speeds. Back to the original statement, it's clear that the threat of surveillance exists.
Personally, I don't make the distinction between foreign and domestically produced routers in America. In fact, I trust foreign produced routers more because the likelihood that they can act upon their surveillance is significantly lower than the current American regime's oppressive and malicious tactics. Therefore, open source routers provides enough transparency to effectively eliminate spyware threats from all angles while being compliant.
I'm especially excited about the Banana Pi because of the transparency and potential of modular upgrades. Whenever there's a network issue, I have to consider whether the manufacturer (American or not) is doing something nefarious. With a Pi based router, I have much more peace of mind with network debugging issues.
IMHO an underrated comment. The CCP isn't going to break down my door in the middle of the night, but I'm sure I'm on lists at the FBI and ATF just for my political org memberships alone. I think a foreign actor is more likely to use compromised hardware to create service interruptions and general chaos in the event they are attacked by our government, not come put me in a gulag.
The only thing I'm missing right now that would be a nice to have is a wifi card so I can ditch my access point. My hardware isn't open source by any means, but my reliance on non-free networking code is minimal.
> I'm sure I'm on lists at the FBI and ATF just for my political org memberships alone.
Thanks to whistleblowers like Mark Klein and Ed Snowden we know that we're all being monitored by the government. If there are "lists" at all at this point it's the few people that aren't being watched 24/7.
If the world were to truly come to those stakes, I would just forgo wireless entirely. Running Cat5/6 through the walls is barely an inconvenience, and cell phones are compromised by design, needing to communicate with a cell tower.
There are several vendors of small computers usable as routers/firewalls and who provide complete hardware documentation, including schematics and PCB layout. Some of them also provide an extensive list of accessories, including cases with good passive cooling.
Besides BananaPi, there are e.g. ODROID (Hardkernel from South Korea), FriendlyElec, Radxa.
To clarify (since the headlines of many articles about this aren't clear about it), this states that it prohibits approval of new Models, so any models that already cleared FCC certification can still be sold in the US, even if they're made overseas.
This is for newly released models that still need to get FCC certification.
The Spirit of this law __must__ also now apply to SoCs produced by non-allied nations that feature USFCC-approved RF microelectronics, such as __ESP32__ Here's to hoping USFCC gets around to also reflecting this in the Letters of this law sooner, rather than later.
This is terrible, perhaps the worst thing this administration has done (which is an incredibly high bar.)
Because it provides a pathway to full government control of the internet.
Content that demonizes the current administration's enemies will become easier to find. Evidence of their crimes will vanish.
When they murder someone in the street, fewer people will find out about it, and those that do will be more likely to hear the government's side of the story.
Mobile networks are already owned by the billionaires, and they've shown plenty of willingness to shape traffic for their interests.
Managing this kind of information at scale is an incredible challenge, but one that LLMs are very well suited for.
Even if you are confident the current administration doesn't have the competence or longevity to exploit this (as I mostly am,) we can easily predict future admins of either party will happily make use of these capabilities.
Bad for the US, but also very bad for the world, because it will make it much easier to manufacture consent for or hide future international crimes committed by the government.
We've excused the complete loss of traditional journalism with a reliance on the Internet instead. Not anymore.
Can savvy individuals work around it, of course. But the general public will treat them like conspiracy theorists, because all they will see is content that reinforces the administration.
The technical discussions in here sound like: "silly Caligula, his horse won't be able to sign his name to cast a vote in the Senate."
Device that connects multiple networks? Layer 3 of the OSI model? Consumer ones tend to have more than that, but the more specific definition would work fine.
Yeah conceivably you could use this to ban any network device that is capable of routing between interfaces, so lots of switches with new firmware could do it, often terribly, as well as PCs with multiple interfaces. But its probably going to involve intention.
That is true, but you can also add USB Ethernet interfaces to any PC, which is even simpler.
For example, my router/firewall, which also implements various other network services, e.g. hosting my own e-mail server, is an old Intel NUC with 5 Ethernet ports, 4 of which are made with USB Ethernet interfaces.
If multiple network interfaces defines a router, then every cell phone is one, because every cell phone has a cellular and Wifi interface, and is a router in hotspot mode. Three interfaces if you count USB which can also be a network interface (hotspot works over USB in both Windows and Linux) and four if Bluetooth PAN is still a thing.
will this be like "product of USA" potatoes?, where a canadian truck full of bags of potatoes backs up to a special border facility, and the bagged potatoes are put on a conveyor, dumped out, conveyed........, and then rebagged,thereby becoming american product!
Does the router ban really only pertain to consumer-grade networking devices?
> For the purpose of this determination, the term “Routers” is defined by National Institute of Science and Technology’s Internal Report 8425A to include consumer-grade networking devices that are primarily intended for residential use and can be installed by the customer. Routers forward data packets, most commonly Internet Protocol (IP) packets, between networked systems. ¹
> A “consumer-grade router” is a router intended for residential use and can be installed by the customer. Routers forward data packets, most commonly Internet Protocol (IP) packets, between networked systems. Throughout this document, the term “router” is used as a shorthand for “consumer-grade router.” ²
There doesn't seem to be a general ban for foreign-made professional routers, just for some Chinese manufacturers, right³?
Oh, and what does "produced by foreign countries" even mean? I couldn't find any definition. Is this meant to be the country of final assembly? Would importing a Chinese router and the flashing the firmware in the USA be sufficient to be exempt? Where is the line drawn usually?
To me, this is a deeply dangerous situation for the state & for the population, where it is nearly impossible for consumers and businesses to purchase gear that they can secure. Where we are at the mercy of what is on the market, and no actual securing of our own can occur.
The FCC claimed in 2015 they were not trying to forbid open source systems, but the additional compliance demands they have made unsupportable unsecurable devices the default state: the FCC mandated companies make sure the users dont have freedom, make sure the wifi performance is locked down, and the most obvious path to that end is to just lock out the user entirely. Open source isn't outlawed, but the FCC turned a good working amazing open source movement into something that is incredibly rare and hard to do. The FCC assurances (https://www.eff.org/deeplinks/2015/11/free-router-software-n...) have not proven true (https://news.ycombinator.com/item?id=11122966): everything has gotten worse for security & availability (https://news.ycombinator.com/item?id=11122966).
If you actually read the notice, it exempts models that have been approved. So this just seems to require approvals by DOH or DHS ,": Routers^ produced in a foreign country, except routers which have been granted a Conditional Approval by DoW or DHS." I take this to mean it is just adding security approvals for this type of thing to DOw and DHS. It is not a ban of all future models. It's just saying explicitly that instead of having to review models already in the market and determine that they should be removed because of nation state or other security concerns they are reviewing them before they go to market. Would be nice if people actually read it instead of hyperventilating.
It's fine to have a reaction. It just rhat a lot of the comments totally ignored this this caveat. So basically, as I read it by default, they're banned unless approved, which is pretty much what all regulation does anyway, isn't it.
During the last years USA has banned a lot of things by default, but in all cases there were exemptions for things receiving specific approvals.
However, the approvals appear to have not been based on any objective methodology, but sometimes nothing has been approved, while otherwise there may have been some approvals but their randomness was suspicious.
Now this new interdiction continues the trend, so it is normal for people to be wary that any approvals will be based on some kind of bribing and not on any serious security audit.
Especially since the announcement provides no information about how the DoD or DHS will be evaluating what to approve, and it's unlikely that they have the resources to do any meaningful security evaluation on that many products.
The DOH and DOW have a lot of resources. And I would guess the DOW has a lot of intelligence resources and most likely the DOH also I mean it is their job to keep the homeland safe. But I would agree. It probably will involve a lot of marshaling of those resources and reorganization. But who's to say they haven't done that already. My general point is that the conversation in this thread completely ignores that this is an imposition of a different regulatory scheme, not a banning. And actually it's in favor of enforcing more security on routers which everybody has been screaming for for years.
What the fuck?! I did not sign up to live in some third world shithole where I can't get first-world networking equipment. I do not want some piece of shit closed-source proprietary netgear ameritrash. FUCK! Give me back my god damn chinese routers!
Chinese citizens have more computing freedom than American citizens at this point. What the fuck happened to the land of the free?
I doubt anything will be pulled from the market. This is instead notice to the companies that now is the time for a donation to the administration’s ballroom.
Right now, the way this is currently worded, every single foreign-made consumer router has already been pulled from the market, and has to request permission to be reintroduced. The only consumer routers not currently affected are those that are either already purchased (some good, but won't last forever) or are American-made (overpriced, underpowered dogshit)
From the news release "What does this mean?" section: "This update to the Covered List does not prohibit the import, sale, or use of any existing device models the FCC previously authorized."
So no, this does not pull all existing routers off the market. Anything that already got FCC approval remains approved and new stock may be imported and sold.
Lmao you're an IT guy, right? Get yourself a Raspberry Pi 5, PCIe adapter and a second hand gigabit Intel NIC. Slap a case on that, put OpenWRT on it and bam! High performance, high quality router built from trustworthy parts running open source operating system. Not the prettiest and simplest solution but at least that way you don't have to depend on Realtek chips and Chinese firmware.
There is an entire WORLD that lives in your computer below the operating system (eg, OpenWRT). For example, in your Raspberry Pi 5, there is a chip called the VideoCore GPU and it contains a big blob of code known only to Raspberry Pi Foundation and, perhaps, Five Eyes. The Chinese processors are like that too!
311 comments:
Manufacturers have never had to care about security because no Gov agency would ever mandate secure firmware. This includes the FCC which license their devices and the FTC who (until recently) had the direct mandate to protect consumers.
Our most recent step backward was to gut those agencies of any ability to provide consumer oversight. All they they can do now is craft protectionist policies that favor campaign donors.
The US has a bazillion devices with crap security because we set ourselves up for this.
> Manufacturers have never had to care about security because no Gov agency would ever mandate secure firmware.
The problem is that "secure firmware" is a relativistic statement. You ship something with no known bugs and then someone finds one.
What you need is not a government mandate for infallibility, it's updates. But then vendors want to stop issuing them after 3 years, meanwhile many consumers will keep using the device for 15. And "require longer support" doesn't fix it because many of the vendors will go out of business.
What you need is the ability for consumers to replace the firmware.
That solves the problem in three ways. First, when the company goes out of business you can still put a supported third party firmware on the device. Second, you can do that immediately, because the open source firmwares have a better security record than the OEMs to begin with. And third, then the device is running a widely used open source firmware instead of a custom device-specific proprietary black box, which makes it easier for the government or anyone else who is so inclined to find vulnerabilities and patch them.
> What you need is not a government mandate for infallibility, it's updates
So, we don't need an electrical code to enforce correct wiring. We just need a kind soul driving by our house to notice the company who built our house wired it up wrong. Then that kind person can inform the company of the bad wiring.
And if the company agrees it's their wiring at fault, we can wait 3 months for a fix. Then the next month another kind soul finds more bad wiring. And we just have to hope there is an army of kind strangers out there checking every building built by every company. And hope in the meantime that the building doesn't burn down.
Meanwhile, people have to live with bad wiring for years, that could have been completely prevented to begin with, by an electrician following the electrical code we all already agree on.
> So, we don't need an electrical code to enforce correct wiring.
For an analogy to work, its underlying elements should have a relation to the target. Your analogy is not in the same universe. For electrical work, there is a baseline of materials and practices which is known to produce acceptable results if adhered to. For software, there isn't. (Don't tell me about the Space Shuttle. Consumer software doesn't cost tens of millions and isn't written with dedicated teams over the decades.)
> Don't tell me about the Space Shuttle
The Space Shuttle sure blew up a lot for something with that much process applied.
Not on account of its control software, which is what I was talking about.
The analogy does work. The house is any software provided by any vendor. The kind strangers are white hat security researchers. The people living in the house are the users.
Software absolutely has baseline materials, have you never written software before? Never used a library? Programming language? API? Protocol? Data format or specification? CPU instruction? Sorting algorithm? A standard material is just a material tested to meet a standard. A 10d nail is a 10d nail if it meets the testing specs for 10d nails (ASTM F1667). Software can be tested against a spec. It's not rocket surgery.
No known practices with acceptable results?? Ever heard of OWASP? SBOMs? Artifact management? OIDC? RBAC? Automated security scanning? Version control? Code signing? Provenance? Profiling? Static code analysis? Strict types? Formal proofs? Automated testing? Fuzzing? Strict programming guidelines (ex. NASA/DOD/MISRA/AUTOSAR)? These are things professionals know about and use when they want standard acceptable results.
What are you talking about re: space shuttle and tens of millions? Have you actually read the coding standards for Air Force or NASA? They're simple, common-sense guidelines that any seasoned programmer would agree are good to follow if you want reliability.
I think the problem here is there's too many armchair experts saying "Can't be done" when they don't know what they're talking about, or jaded old fogeys who were on some horrible government project and decided anything done with rigor will be terrible. That's not the way it is in the trades, in medicine, in law, and those folks actually have more to think about than software engineers, and more restrictions. I think SWEs are just trying to get out of doing work and claiming it's too difficult, and the industry doesn't want to stop the free ride of lack of accountability it's had for decades.
AI is going to introduce 100x more security holes than before, so something will have to be done to improve security and reliability. We need to stop screwing around and create the software building code, before the government does it for us.
I mean this is still a semi-bs response on your case, even if you don't realize it.
Many of these devices have security flaws that are horrific and out of best practices by over a decade.
Just having something like "Have a bonded 3rd party security team review the source code and running router software" would solve around 95% of the stupid things they do.
> Just having something like "Have a bonded 3rd party security team review the source code and running router software" would solve around 95% of the stupid things they do.
It would certainly help, but no economically feasible amount of auditing and best practices could lead to having a warranty on that software. My thesis is that our current understanding of software is fundamentally weaker than that of practical applications of electricity, so it makes no sense to present analogies between the two.
> So, we don't need an electrical code to enforce correct wiring.
Are you familiar with how the actual electrical code works? It's a racket. The code is quite long and most of the inspectors don't know most of it so only a small subset is ever actually checked, and that only in the places where the person doing the work is actually pulling permits and the local inspector isn't corrupt or lax in areas the local tradespeople have learned that they're lax. Then we purposely limit the supply of licensed electricians so that they're expensive enough that ordinary people can't afford one, so that handyman from Craigslist or whatever, who isn't even allowed to pull permits, is the one who ends up doing the work.
It only basically works because no one has the incentive to purposely burn down your house and then it only happens in the cases where the numerous violations turned out to actually matter, which is rare enough for people to not get too upset about it.
But the thing that makes it a racket is the making the official process expensive on purpose to milk wealthy homeowners and corporations who actually use the official process, which is the same thing that drives common people to someone who charges a price they can afford even knowing that then there no inspection.
> Then that kind person can inform the company of the bad wiring.
The point is rather that when the homeowner discovers that their microwave outlet is heating up, they can fix it themselves or hire an independent professional to do it instead of the company that built the house (which may or may not even still exist) being the only one who can feasibly cause it to not stay like that until the house is on fire.
I agree, but in addition the electrical code needs to be open to the public, not paywalled as it is in so many places!
I'd start by not using self-immolating wires (hardcoded default passwords).
Jokes aside, there's so much low-hanging fruit in IoT it's utterly ridiculous. Having any standards at all would be an improvement.
Routers have to follow the same standards as other electrical appliances.
Those standards aren’t related to the functionality or security of the router.
I mean, if you could download an update that would fix the wiring in your house, it would be much less critical that the initial installer got it right. (Still much more important than your router, though; it doesn't stop being an electrocution hazard during the un-updated period.)
Trying to make analogies from software to hardware will always fall down on that point. If you want to argue that there should be stricter security & correctness requirements for routers, maybe look more toward "here is how people actually treat them in practice" with regard to ignoring updates...?
> I mean, if you could download an update that would fix the wiring in your house, it would be much less critical that the initial installer got it right
As in my example, some random stranger needs to first find out your "house" (the vendor's software) is wired wrong. And this needs to happen for every "house" (every piece of software). While waiting for this to be discovered, your house burns down (hackers penetrate millions of devices, or perhaps just Microsoft Sharepoint that the govt is uses).
> What you need is the ability for consumers to replace the firmware.
I don't think that's enough. Most people aren't going to replace the firmware on their device with an open source replacement made by someone else. Now if the firmware was required to be open source, and automatic updates could be seamlessly switched over to a non-profit or government agency in the event of the company going out of business, you might have something. But there would be a lot of details to work out.
I have a PC hooked up to my TV in my living room that has been running the latest version of Kubuntu for over 18 years now. It has had many upgrades in that time but it's still the same basic hardware: A CPU, some memory, USB ports, a video card, and an ethernet port on the back.
That "genericness" is what's missing in the router space. Literally every consumer router that comes out has some super proprietary design that's meant to be replaced in its entirety in 3-4 years. Many can run Linux, sure, but how many have a replaceable/upgradable board? How many are like a PC where you can install whatever OS you want?
Sure, you can forcibly flash a new OS (e.g. OpenWRT) but that is a hack. The company lets you do that because they figure they'll get a bit more market share out of their products if they don't lock the firmware so much. They key point remains, however: They're not just hardware—even though they should be!
The world of consumer routers needs a PC-like architecture change. You can buy routers from companies like Banana Pi and Microtik like this but they're not marketed towards every-day consumers. Mostly because they're considered "too premium" and require too much expertise to setup.
I think there's a huge hole in the market for consumer-minded routers that run hardware like the Banana Pi R4 (which I have). When you buy it, you get the board and nothing else. It's up to you to get a case and install an OS on it (with OpenWRT, Debian, and Ubuntu being the normal options).
We need something like the Framework laptop for routers. Not from a, "it has interchangeable parts" perspective but from a marketing perspective. Normal people are buying Framework laptops because geeky friends and colleagues recommend them and they're not that much more expensive/troublesome than say, a cheap Acer/Asus laptop.
It's not so simple. Routers, like most tech emitting and modulating an RF signal by design, are certified products. The radio frequency bands, output power, allowed channels are all tightly controlled. Allowing end-users control without restrictions over such equipment would be unsafe.
> They key point remains, however: They're not just hardware—even though they should be!
This is the most thoughtful comment I've seen on this topic. I hadn't even considered this approach, but you're right. The hardware needs to be commoditized in a way that makes the software a layer that can be replaced. Someone else said this but in a way that described flashing a third-party package as HN nerds would. That's too much effort and it won't work.
It should be as generic as PC hardware. Every router manufacturer should build devices that can run the OSes of all their competitors' devices and vice versa. Maybe some features won't work with the other company's OS cause it isn't designed for that, but overall it ought to be replaceable. "Normal people" still wouldn't flash a new OS, but making it an option is a step towards making devices more secure.
If every router could get a new OS as easily as your techy friend could install Firefox or an ad-blocker or whatever else, we'd start the long march to a real longterm solution.
> Every router manufacturer should build devices that can run the OSes of all their competitors' devices and vice versa.
Or they could just run an existing open source OS, like openwrt.
If you make something internet commected you must provide lifetime warranty for security. no import or sales sor even leases) until you have in escrow the money to pay for them.
i will allow sunsetting and removing ipv4 after 2020 (that is more that 5 years ago)
The concept of community firmware seems like a huge cop-out that allows companies to externalize costs. And it probably won't help security because 99% of devices will never get the third-party firmware installed anyway.
If they were trying to save costs they would ship the community firmware on the device to begin with because then they wouldn't have to write and maintain their own. The community welcomes them to externalize those costs onto the people with better incentives to improve the software.
What they're actually trying to do is obsolete the devices faster because then they won't add new protocols or other software-only features to older devices so you have to buy a new one, or only expose features in more expensive models that the less expensive hardware would also be capable of doing. Which is all the more reason for us to not have that.
And if they were required to allow anyone to replace the firmware then you would get companies reflashing and selling them that way from the store because the free firmware has more advertisable features. There's a reason you can go to major PC OEMs and pick between Windows, Linux and "don't even install one" and the reason is that if you give customers a choice, they generally don't want their software to be made by the OEM.
> What they're actually trying to do is obsolete the devices faster
This is exactly why. Obsoleting older devices keeps (in their eyes) the purchase treadmill running. Making a device that could be updated forever means never making another sale to that user (unless some physical failure happens, or the user wants a second one).
It could be part of dissolution of the company to mandate community firmware. But it depends on their licenses…
Anyhow, this is a common enough practice. Many companies that provide infrastructure type software and sell to Fortune 500 companies often have a clause whereby they deliver their software to their customers if the shut down.
We don't care about their licenses; that's their problem. If they need firmware with a license that allows them to redistribute it there are plenty of free ones to choose from.
And you can't wait until after they're dead to have them do something. By then they're gone or judgment proof because they're already bankrupt. Especially when you're talking about companies that aren't in the jurisdiction because you can't even make them do anything when they're already not shipping products to you anymore. It has to be from Day 1.
> It has to be from Day 1.
There was a promising design from Azure Sphere for 10 years of IoT device Linux security updates from Microsoft, even if the IoT vendor went out of business. This required a hardware design to isolate vendor userspace code from device security code, so they could be updated independently. Could be resurrected as open standard with FRAND licensing.
The main thing you need is for the lowest-level code to be open and replaceable/patchable because it's the only part which is actually specific to the device. Windows running on Core Boot is a better place to be than custom Linux running on opaque blob, because in the first case you can pretty easily get to newer Windows, vanilla Linux or anything else you want running on Core Boot after the original version of Windows goes out of support, and you can update Core Boot, whereas the latter often can't even get you to a newer version of Linux.
Modern coreboot depends on opaque blobs on CPU (FSP/ACM on Intel) and auxiliary processors (ME/PSP), but AMD is moving in the right direction with OpenSIL host firmware. Arm devices have their own share of firmware blobs.
A decade of security updates for routers would require stable isolation between low-level device security and IoT vendor userspace. In Sphere, the business model for 10 years of paid updates was backed by hardware isolation. Anyone know why it didn't get market traction? There was a dev board, but no products shipped.
>Anyone know why it didn't get market traction?
Oh gee. Maybe because no one sane looks at an industrial product adversarially built to confine and prevent the end user from doing anything to it and wants anything to do with it? It isn't rocket science. If I can't buy it and get a damn manual and programming tools to twiddle all the bits, I'm not adopting. Not even at gunpoint, or if you're the last supplier on Earth. I won't be held voluntarily hostage because a bunch of corporate types, and bureaucrats decided to work together to normalize adversarial silicon. Multiply by everyone I know, and anyone with enough braincells to rub together to pattern match "regulatory capture" and "capitalist rent seeking". You can call me a bore if you want. The incentives are completely unaligned, as this place is so fond of saying. End user adoption is built on faith in product. End user capacity to have faith in the product is based on the capability of the technically savvy purchaser to keep the thing running, repair, understand, and explain it to the non-technically savvy. I look at adversarial silicon isolating me from the hardware; I have to sound off-my-rocker to my non tech-savvy friends family to actually explain that yes, there are industrial cabals out to keep you from doing things with the thing you bought.
It doesn't make any business sense, or practical sense whatsoever. Don't bother quoting regulations that demand the isolation (baseband processors and radio emission regulations) at me. Yeah. I know. I've read those too.
Get over business models that require normalized game theory, and we can talk. Until then, enjoy never having nice things catch on. Hint: your definition of "nice" (where I can't control how it works after purchase) is mutually exclusive with things I'm willing to syndicate as "nice". Nice people don't manipulate others.
> If I can't buy it and get a damn manual and programming tools to twiddle all the bits, I'm not adopting.
Hence the isolated device security hardware should be an open standard with FRAND licensing. If devices ship with a prepaid commercial license for 10 years of device security updates from BIG_CO, the default commercial baseline would be raised independent of IoT vendors. Tech-savvy users could then have the option to replace the device security layer with the OSS _or_ competing commercial stack of their choice.
> And "require longer support" doesn't fix it because many of the vendors will go out of business.
Which is not a real issue in practice. It's like arguing that warranty doesn't matter because the vendor might go out of business.
It might also be illegal. Don't know about the US but forcing a bankruptcy to avoid regulations is usually frowned upon by the court system here. So putting a product in a child-dummycorp to go poof when you want and let the parent stay afloat usually puts the parent in the line of fire directly and you are screwed either way.
It is possible to require escrow accounts for cover costs of fixing future security issues) - these survive bankruptcy. They need to be big enough to cover the costs though - insurance can calculate this but it isn't cheap.
The obvious problem with that is the detriment to smaller companies, but it makes a good alternative to releasing the code.
Then if you're a five person shop making routers and you publish the firmware source under a license that allows anyone to make and distribute modifications you're all set. And if you're Apple or Microsoft and you want to make a router without publishing the source code, you post the enormous bond which you have no trouble doing because you're an enormous company and you're all set.
> Which is not a real issue in practice.
Are you serious? The number of IoT companies that make a product for a couple years and then go bust is enormous.
> It's like arguing that warranty doesn't matter because the vendor might go out of business.
How are you going to use a warranty from a company that no longer exists to get a security update for a product a million consumers still have?
Why not just put the onus on ISPs? 99% of users lease their router from their ISP. If updates stop after three years, looks like you're getting a complimentary service appointment to get a new router.
> What you need is the ability for consumers to replace the firmware.
> That solves the problem in three ways.
That alleviates the problem, but definitely doesn't solve it. Updates are still required, and most people will never update devices they don't directly interact with.
Auto-update obviously.
Which introduces new security risks, but more importantly, the consumer has to configure the device to use open source firmware, and set up auto updates, unless the device is being auto updated by the device manufacturer and forces all of their customers to switch to the new firmware, which seems very unlikely.
How? The device phones home to the manufacturer's servers to get new updates. Manufacturer goes out of business, servers get shut down. How does it know where to get updates now?
> Manufacturer goes out of business, servers get shut down.
Continue your chain of reasoning: DNS name becomes unmaintained, gets grabbed by open source / foundation / gov agency, pushes open source firmware update.
Same thing happens today with botnet C&C servers.
The government obviously cares less about citizens running firmware China can hack than it does about citizens potentially running firmware the government can't hack.
> But then vendors want to stop issuing them after 3 years
Tough shit. You provide updates for the mandated amount of time, or you lose access to the market. No warnings, you're just done.
> And "require longer support" doesn't fix it because many of the vendors will go out of business.
Source code escrow plus a bond. The bond is set at a level where a third party can pay engineers to maintain the software and distribute updates for the remainder of the mandated support period. And as time passes with documented active support, the bond requirements for that device go down until the end of the support period.
Requiring that the customer be allowed to replace the firmware is essential, I agree, but not for this reason. That requirement, by itself, just externalizes the support costs onto open source communities. Companies that sell this sort of hardware need to put up the resources, up front, irrevocably, to ensure the cost of software maintenance is covered for the entire period.
Personally I don't buy consumer router hardware that I can't immediately flash OpenWRT on, but that option is not suitable for the general public.
How does this help? 99% of the population aren't technically minded enough. Most people just buy a wifi router, plug it in (maybe having read the instructions) and that's it. They have neither the skills nor the inclination to update firmware.
The real problem is: assuming that firmware can be updated, how do you run a nationwide update programme overcoming a population that doesn't really care or have the skills to do it.
Vehicle safety standards (mandated annual safety checks like the UK MoT test) is the closest analogy I can think of - in the UK you can't insure your car without a valid MoT. If you were serious, then maybe tying ISP access to updated router firmware would be the way to go.
Automatic updates. Now it also applies to cars.
Congratulations, your router now costs $700!
Customers notice higher prices at time of purchase a lot more than they notice a lack of future security updates, so good luck selling them for that price when someone else just puts an existing open source firmware on the existing hardware and sells it for the existing price.
That’s a technical solution to a business and incentives problem.
How does one ensure the support for the devices is funded?
>And "require longer support" doesn't fix it because many of the vendors will go out of business.
Do you mean 'out of business so they cannot provide updates'?
Because, if you mean cheap companies won't be able to provide updates and stay in business, surely that's the point. Companies would have to shim to a standardised firmware that was robust, or something, to keep costs down.
Isn't this all to protect USA business interests and ensure the Trump regime can install their own backdoor though?
"You ship something with no known bugs and then someone finds one."
You managed to say that with a straight face!
Let's keep this ... non partisan. You might recall that many vendors have decided to embed static creds in firmware and only bother patch them out when caught out.
How on earth is embedded creds in any way: "no known bugs"?
I think we are on the same side (absolutely) but please don't allow the buggers any credibility!
> How on earth is embedded creds in any way: "no known bugs"?
You misunderstand how organizational knowledge works. You see, it doesn't.
Some embeds the credentials, someone else ships the product. The first person doesn't even necessarily still work there at that point.
Remember that time NASA sent a Mars orbiter to Mars and then immediately crashed it because some of them were using pounds and the others newtons? Literally rocket scientists.
The best we know how to do here is to keep the incentives aligned so the people who suffer the consequences of something can do something about it. And in this case the people who suffer the consequences are the consumers, not the company that may have already ceased to exist, so we need to give the consumers a good way to fix it.
>Some embeds the credentials, someone else ships the product.
It doesn't matter. When you are building software, you build a security process, not security individuals or stuff like this happens.
>orbiter to Mars and then immediately crashed
Right, and it cost NASA 1.4 billion+ is direct losses to them. With software writers the losses occur to the end user.
> When you are building software, you build a security process, not security individuals or stuff like this happens.
You can't solve an incentive problem with process because then they lack the incentive to follow the process.
To enforce a law you need to be able to identify a violation at a point in time when you can still impose a penalty for it. When a device is first released, you don't yet know if anyone will find a vulnerability in it or if the company will stay around to update it if they do. By the time you find out if it will happen, you can't punish them for the same reason they can't provide updates: they've ceased operations and no longer exist. So that doesn't work.
> With software writers the losses occur to the end user.
Which is why the end user needs to be empowered to efficiently prevent the losses, since they're the one with the strongest incentive to do it.
Somebody has to pay for the support. There is no free meal.
Enterprise must be able to pay for support for as long as they use devices. Solved.
I can only think of requiring the devices to be serviceable, as you say. The absolute only way I can think of charging the consumers, ie the owners, is to charge a tax on internet connections. Then the government would pay somehow vulnerability hunters working along patchers, who can oversee each other.
Consumers are tricky: if you include support in the sale price, the company will grab the money and run in 3 or 5 years; and some companies will sell cheaper because they know they won't provide support.
> Somebody has to pay for the support. There is no free meal.
The problem is not that people need a free meal. The problem is that people need the ability to eat some other food when the OEM's restaurant is closed or unsatisfactory.
Who creates and regularly keeps the firmware for the dozens and dozens of router models secure and up-to-date?
Who ensures the maintainers for these routers are incentivized to do this competently and in a timely fashion?
You haven’t answered these key questions, which are equally or more important than whether a community firmware can be applied.
> Who creates and regularly keeps the firmware for the dozens and dozens of router models secure and up-to-date?
99% of the firmware is not actually device specific, and more to the point no one has to create it because it already exists and is already maintained. You don't have to write the Linux kernel from scratch for every different device.
The problem looks like this: The vendor creates an opaque blob that runs on part of the device. This is only 1% of the code that runs on the device but it's the device-specific part. Moreover, that code interacts with the kernel, but was written to assume a specific older version of the kernel which is now out of date.
Updating it to use a newer kernel requires very little work if you have the source code -- in that case much of it is just automated refactoring -- but without the code it becomes a much more arduous reverse engineering effort. Likewise, if the device-specific code has a bug and you have the source code, the cause of the problem is easier to identify and the fix is to change two lines and recompile it. But without the code just identifying the problem becomes an intensive reverse engineering task again.
So you have a community which is willing and able to do a finite amount of work. Some subset of the device owners are programmers and if they can spend two hours fixing a problem that they themselves have, it gets fixed for everyone. But if fixing the same problem takes them two months, they don't. Therefore, the solution is to do the thing that allows it to take the shorter amount of time so that it actually happens.
It would be ideal if we could come up with a way to get people paid to maintain a community firmware. However, that's a considerably harder problem than "you absolutely must allow community firmware to be flashed".
I agree. It's a harder problem and it's the more critical problem.
Businesses aren't incentivized to maintain it and hoping that the community can support it by opening it is perhaps necessary, but it's far from sufficient.
Either the business or maintainers need to be sufficiently incentivized--whether it's through funding, reputation, or something else (graduate-student torture).
I mean, OEM would make the device upgradeable, government will pay independent bounty hunters and patchers and will push the updates. Then consumers pay for all that.
>The problem is that "secure firmware" is a relativistic statement.
No it isn't, software formally verified to EAL7 is guaranteed to be secure.
I would like to introduce you to Spectre and Rowhammer.
Secure software won't protect you from insecure hardware, which also needs to be formally verified for a secure system.
> Secure software won't protect you from insecure hardware
Then what's KPTI etc.?
> which also needs to be formally verified for a secure system.
Now we just need a correct and complete theory of quantum mechanics and to do something about that Heisenberg thing.
In general formal proofs tell you if something is true given a stipulated set of assumptions. They don't tell you if one of the stipulated assumptions is wrong or can be caused to be wrong on purpose by doing something nobody had previously known to be possible.
Sure, you formally verified that the software confirms to the specification, but how are you going to prove that the specification is correct?
It's guaranteed to have more paperwork. Actually secure, maybe.
You're being sarcastic, right? The entire concept of "guaranteed to be secure" is a fantasy.
Even EAL7 can't guarantee anything. It can only say that the tools used for verification didn't find anything wrong. I'm not saying the tools are garbage, but the tools were made by humans, and humans are fallible.
That’s the ironic part.
Plenty of consumer-grade devices have had very lax security settings or backdoors baked in for purposes of “troubleshooting” and recovery assistance. It’s never been limited to foreign-made devices.
Security has never been part of the review process. The only time any agency has really cared is when encryption is involved, and that’s just been the FBI wanting it to be neutered so they can have their own backdoors.
> no Gov agency would ever mandate secure firmware
Interestingly, Europe is about to try this: the Cyber Resilience Act is going to become obligatory for all sold digital products (hardware & software) by the end of 2027, with a bunch of strict minimum requirements: no hardcoded default passwords, must check for known vulnerabilities in components/dependencies, encryption for data at rest, automatic security updates by default (which must be separate from functionality updates), etc.
Remains to be seen whether this'll help, but good to see somebody have a go at fixing this.
Encrypting data at rest is security theatre right? Unless consumers control the keys (which they generally dont want to), the keys will have to be accessible by the system storing the data. So if the system is compromised so are the keys? Like I cannot see the security benefits from encrypting data at rest in a non E2E system.
It's a whole lot easier to store the keys in a special hardened location than it is to store your whole storage.
Right but access to those keys will be available in an unhardened location then? Otherwise you're serving encrypted data. So if the system accessing the data and using the keys is compromised, which we can assume is the case if the data is compromised, then access to the keys is as well?
Maybe I'm being an idiot but it seems like a lot of extra complexity to protect against really only physical attacks where someone directly steals the data storage.
> This includes the FCC which license their devices
The FCC licenses devices to the extent that devices can cause spurious transmissions in the radio spectrum. It’s not a general consumer protection agency. Computer security also is outside the mandate of the FTC, which exists to protect consumers from anticompetitive conduct and unfair business practices, not crappy products.
I could see why someone might be confused in the Mayer of what the FCC can regulate, considering that it regulates the content of television and radio broadcasts and somehow regulates cable TV providers, despite the use of wired connections to customers, instead of radio transmissions.
> somehow regulates cable TV providers, despite the use of wired connections
They regulate broadcast TV. Those rules leak into cable TV because the originators generally want content that can be sold for broadcast in the future and is advertiser friendly. Cable operators are also often beholden to community standards imposed by municipalities they serve. The FCC isn't responsible for content restrictions on cable.
Where in the Federal Communications Commission's governing legislation does it say that they're only allowed to regulate things sent through the airwaves?
It applies to communications over radio or wire: “The provisions of this act shall apply to all interstate and foreign communication by wire or radio and all interstate and foreign transmission of energy by radio, which originates and/or is received within the United States, and to all persons engaged within the United States in such communication or such transmission of energy by radio, and to the licensing and regulating of all radio stations as hereinafter provided…”
That's from the 1934 Communications Act. You're sure nothing has changed legislatively about the FCC in 92 years?
> despite the use of wired connections to customers, instead of radio transmissions.
The FCC also regulates interstate wire transmissions.
But ultimately, you're not quite getting it right. It's all RF, it's just that we sometimes choose a really shitty wire called "the atmosphere".
So if a company uses as part of its marketing for a product the phrase "advanced security, privacy, and connectivity for homes of every shape and size" and then is later found to have lied about the "advanced security" and "privacy" part of their marketing by shipping firmware with security bugs, does that not now fall under the "deceptive" category of the "unfair, deceptive and fraudulent business practices" part of the FTC's mission?
Sounds like it does to me. Also you're forgetting the part where the FTC under a prior administration either banned DLINK from selling in the US or heavily fined them for selling routers in the US that they knew were running insecure, buggy firmware.
(both quotes were taken verbatim from first, Netgear's US website, and secondly the Bureau of Consumer Protections' section of the FTC's website)
I know it's the norm to criticize the admin, but I don't think its what they're saying. I think they're saying "they know of the vulns they leave in and only fix them after it's been exploited by their states".
Not that any consumer router is super nice and safe, honestly, you're better off making your own these days.
> Vulnerabilities have nothing to do with country of manufacture. They have always been due to manufacturers' crap security practices.
True, but the country of manufacture is related to the risk of back doors.
There is a huge security problem (everywhere, not just the US) with insecure consumer devices (not just routers, everything from Wi-fi enabled lightbulbs to cars). AT least someone seems to be waking up to the problem even if their solution is half-baked.
IMO they should have a choice between open source that can be updated out of band from the manufacturer or assuming direct liability for issues for the product's life.
So after two decades, the FCC finally does something about insecure routers by banning security updates unless you jump through a bunch of extra hoops. That's definitely going to improve the situation.
If they cared about security they'd mandate time to fix for the found vulnerabilities, or outright requested the source to be available
I suppose foreign routers might not have convenient mechanisms for the government to access and control them at will, hence the "unacceptable risk to the national security".
> Vulnerabilities have nothing to do with country of manufacture. They have always been due to manufacturers' crap security practices.
Sorry but this is merely a convenient excuse. Source: I have hard evidence of a Chinese IoT device where crap security practices were later leveraged by the same company to inject exploit code. It's called plausible deniability and it's foolish to tell me it's a coincidence.
You're not going to convince me that a foreign state actor pressuring a company to include a backdoor wouldn't disguise it as a "whoopsie, our crap code lol" as opposed to adding in the open with a disclaimer on it.
It's all closed source firmware. Even the GPL packages from most consumer router vendors are loaded with binary blobs. Tell me I should trust it.
Sure, but this also bans pretty much all routers made by American companies too, since they're not fully assembled in the US. So I'm not sure that explanation fits.
Are you saying that other manufacturers don't do this?
If US manufacturers (or manufacturers in allied countries) do this, legal avenues exist to hold those manufacturers accountable. Not so with China.
(That is not to say that the FCC change will move the needle on the underlying issue of router security; as some of the ancestor comments have said, lax security practices are common industry-wide, irrespective of country of development/manufacture.)
The Snowden leak showed that Cisco routers had been altered to enable surveillance [1]. Whether or not the manufacturer is complicit, or how the alteration is performed is ultimately irrelevant to the end user. Ultimately, the only people that got in legal trouble for this were Snowden and people who provided service to him.
[1]: https://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa...
Actually it's entirely relevant how, in the context of this conversation.
Here, we're discussing product as shipped, not product intercepted and modified. We're discussing if products are shipped secure or not.
The Snowden disclosures are important, but not relevant in this case.
It is absolutely relevant. It is completely within the realm of feasibility that a foreign nation state would pressure a manufacturer in their jurisdiction to include a backdoor, or simply insert it themselves. Routers are in every home and office in the country, and can be leveraged for immense attacks. It’s a hugely attractive target, and it’s a reasonable security policy to try to limit our exposure to this threat. And it would absolutely make sense for adversaries to avoid buying U.S. made routers for exactly the same reason. Unfortunately this administration is generating more adversaries by the day.
I think you're responding to the wrong comment, or missing the nuance above.
Having state actors redirecting products after shipping, without telling the company or the client it's happening, and installing backdoors, has nothing at all to do with backdoors from manufacturers.
You seem to have missed this part:
>a foreign nation state would pressure a manufacturer in their jurisdiction to include a backdoor
That absolutely is about jurisdiction and is a much bigger, more scalable attack than intercepting and installing implants. More to the point, it can be done at _any time_ not just the initial ship.
In as I was specifically not talking about that, and even said so, no.. it's not relevant.
> legal avenues exist to hold those manufacturers accountable
Maybe in theory. I think the practical chance of enforcing anything meaningful through those legal avenues against a US manufacturer is not meaningfully higher than the chance of doing so against a Chinese manufacturer, so it doesn't make sense to treat them differently on these grounds.
When was the last time American intelligence agencies were held accountable?
Literally your own Congress is not even allowed to review their budget! Not that any US politician even WANTS to know.
> legal avenues exist to hold those manufacturers accountable
Oh, sweet summer child. Disclaiming these possible avenues of liability is the main goal of clickwrap "terms of service".
Are you asking me if I have the master list of naughty and nice router manufacturers?
No, I don't have it but you may check with Santa Claus.
What was the company, and what did they inject?
TP-Link
https://nvd.nist.gov/vuln/detail/CVE-2023-1389
That's only proof of the vulnerability. Where's the proof of it being misused by the vendor?
And who hasn't seen American software companies where crap security practices are later leveraged by the same company to run exploits? It's of course always phrased in Orwellian terms of business practices, terms of service, "security", etc but we can still call a spade a spade.
One dog's exploit is another's Clippy. I've certainly seen companies downgrade security generally when they deploy (and enable by default) new features. Start with web browsers. Ads in software you paid for. Always on app telemetry. Cloud backups. Cloud-compute assisted "desktop" tools. Sorry, out of time.
>Vulnerabilities have nothing to do with country of manufacture.
That depends on how you define "Vulnerability", doesn't it?
For instance, from some standpoints, the absence rather than presence of a backdoor in consumer routers could be considered a "vulnerability", no?
This part of the press release seems pretty crucial:
> Producers of consumer-grade routers that receive Conditional Approval from DoW or DHS can continue to receive FCC equipment authorizations.
In other words, foreign-made consumer routers are banned by default. But if you are a manufacturer, you can apply to get unbanned ("Conditional Approval").
In the FAQ (https://www.fcc.gov/faqs-recent-updates-fcc-covered-list-reg...), they even include guidance on how to apply: https://www.fcc.gov/sites/default/files/Guidance-for-Conditi...
If you (a manufacturer) apply, they want information regarding corporate location, jursidiction, and ownership. They want a bill of materials with country of origin and a justification for why any foreign-sourced components can't be domestic. They want information about who provides software and updates. And they want to hear your plan to increase US domestic manufacturing and progress toward that goal.
So, foreign-made consumer routers can still be sold, but they are going to look at them with a fine-tooth comb, and they are going to use FCC approval as leverage to try to increase domestic manufacturing.
> foreign-made consumer routers can still be sold, but they are going to look at them with a fine-tooth comb, and they are going to use FCC approval as leverage to try to increase domestic manufacturing
That is not what's going to happen. What's going to happen is that anyone coughing up payola to the current executive in chief's people will get approved, and anyone that doesn't will remain blocked. This practice is currently widespread, in the form of tariffs.
We're going to keep seeing this in all kinds of industries throughout the next three or so years: "Your products are banned or your country is tariffed, but if you pay enough in bribes, er I mean undergo our approval process, then you'll be exempt."
to me the greatest damage the trump admin is doing is bringing out corruption in the open.
if there's really one thing that destroys countries is corruption. being originally from a 3rd world country - I have seen it. now the US is heading towards the same path.
having worked in the IOT industry before - I can tell even domestic manufactures will be forced to pay bribes soon cloaked in 'state secrets' - there's already export laws etc - but now they will be forced to pay for compliance e.g maybe donating the president's vanity project.
Bonus points if the ‘approval’ process exempts them from liability if misused - and there is no actual checking done as part of approval.
You know that's exactly how it's going to be. There are two attributes of this administration that are just as prominent as corruption -- laziness and incompetence.
That descriptions already fits the payola model. It's almost never about directly handing money to a politician. That's illegal, so it's not worth doing when there's legal ways to do it. Instead, payola usually involves regulations requiring using some kind of product or certification, then the organizations that sell the product or perform the certification contribute to the politicians.
Also, the biggest benefactors of payola aren't the politicians, it's the rent seekers, that is the businesses already in place that want to prevent competition. Because of this, they usually directly contribute to the politicians that promise to restrict the path to doing business.
For example, if you want a newest-generation extremely-efficient air conditioner in the US, you won't be able to buy it and even if you could, you wouldn't be able to get anyone to install it. Any given model of air conditioners needs to be on an approved list to be sold in the US, and the installer needs to be on an approved list, too. This means that by the time an air conditioner makes it onto the list, it's already old. Also, installers can require you buy it from them, and almost all do, so by the time time an installer on the list has it for sale, it's even older than that. Ironically this is all enabled by the EPA, on the auspices that they are ensuring that it's energy inefficient, when in reality they are preserving the market for the older, more expensive, and inefficient models.
> That descriptions already fits the payola model.
The old payola model. This new model encompasses the old one and adds a neat layer of outright politician bribery on top.
> It's almost never about directly handing money to a politician. That's illegal
According to SCOTUS in Snyder v. United States, if the payment occurs after the official act, it's a perfectly legal "gratuity."
Trump made $4B last year. It's open and direct bribery at this point. He's said he plans to hide behind qualified immunity and pardons for people he pays (with tax money) to break the law on his behalf.
Dario (CEO of Anthropic) said the DoW contract violations and threats were direct retaliation for not paying Trump "campaign" money. Later, he was forced to apologize for speaking the truth.
> If you (a manufacturer) apply, they want information regarding corporate location, jursidiction, and ownership. They want a bill of materials with country of origin and a justification for why any foreign-sourced components can't be domestic. They want information about who provides software and updates. And they want to hear your plan to increase US domestic manufacturing and progress toward that goal.
Wow NGL this sounds great if you ignore the reality that it'll be used as a partisan backdoor to enriching the administration.
> but they are going to look at them with a fine-tooth comb
This comb likely is designed to extract loose $1M checks from the foreign manufacturers.
> So, foreign-made consumer routers can still be sold, but they are going to look at them with a fine-tooth comb, and they are going to use FCC approval as leverage to try to increase domestic manufacturing.
You're assuming a non-partisan technocratic process, which this administration has amply shown is neither capable nor willing to provide. This requirement becomes another opportunity for Pay-to-Play, either in cash or quid pro quo, to the government directly (see, e.g., NVidia and AMD export allowances) or to Trump's inner circle (see, e.g., crypto venture regulation, merger approvals).
This is the problem with erosion of norms. We’ve all known for decades that consumer routers have shit security. We’ve all known about the risk of implants or intentional backdoors in the supply chain. And now when the FCC appears to be finally doing something about it, there’s a massive cloud of mistrust hanging over the whole idea.
The FCC ain’t doing nothing about it. If anyone thinks they are, then I have an amazing US made router to sell them.
If they cared about security, US-made routers wouldn't be exempt.
The mistrust comes from those doing it, and the clearly corrupt ways they are operating. The maggot movement is basically rooted in a lot of very real frustrations from very real longstanding problems, but the only thing it offers as solutions is performative vice signalling.
People who care about the problems of digital security are not going to lean into the idea of simply banning devices based on where they were manufactured. Rather they would work at general standards and solutions to actually solve the problems - things like untying the markets for hardware/firmware/services, requiring firmware source escrow, mandating LAN protocols and controllers so every single IoT device isn't backhauling to its own mothership, and so on.
Likewise people who care about domestic manufacturing first and foremost are not going to champion applying steep blanket tariffs two decades after all of that industry has already left, or using regulatory agencies to shake down manufacturers for unrelated concessions.
> You're assuming a non-partisan technocratic process
No, of course I'm not assuming that. That's not the administration's pattern of behavior, so it would be a crazy assumption.
I agree it'll be abused. I just didn't feel it necessary to state the obvious.
> But if you are a manufacturer, you can apply to get unbanned ("Conditional Approval").
by giving daddy trump his taste, no doubt.
I’m reading this as “tariffs didn’t work, so now we need different pain levers to wield against trading partners to bully them at the expense of consumers”.
Any router made by a company that "donates" (bribes) to Trump's "ballroom" or other vanity projects will get approved. Irrespective of anything else. This is just another grift.
Does it occurs to someone that in this time of encryption backdoor and such, this is also a good starting point to another mass surveillance system ? Mandate US manufacturers to embed remote access for the use of the government, then as you've made those routers the only ones authorized on the us soil (let's not be foolish about that approval process, it will be a smoke screen) you basically have a backdoor to every citizen home.
Yes china routers are a liability, but free trade and open market ensure at least one thing that's essential : no single state has surveillance capability on its entire population
This is why users need to have an american router, chinese router, and russian router, all wired in series. That way no one spy branch has full backdoor access through the chain ;-)
How would that work? Backdoors usually go the other way: malware calls home. How can the first router in the chain differentiate TLS backdoor traffic from the 3rd router (the one with access to your LAN) from legitimate traffic from LAN?
My sister in laws xfinity router / app has a new feature banner for “detecting motion in your house with WiFi for no additional cost”
I took a screenshot to share if anyone is interested
This has been shared on Hacker News before: https://github.com/francescopace/espectre
Questions of mass surveillance aside, I always wonder how useful these things (motion detection when you're not home) actually are given how many American households have dogs and cats.
I wouldn't be surprised if they can't tell the difference between a person and pet. Also wouldn't be surprised if they used that data to push pet food ads at you somewhere or just sold that info to a data broker.
IIRC most motion-sensing home devices are tuned to ignore pets, as best as they are able. They don't get it right 100% of the time though.
The U.S. has done that kind of thing before, and that's probably why it's so paranoid about having the same kind of thing done to it.
https://www.washingtonpost.com/graphics/2020/world/national-...
Yes, that's what is happening here, except it goes beyond surveillance.
This is about full domestic control of the internet. For both ingress and egress.
Remember how Iran likely murdered thousands of protestors a few months ago, but we don't actually know? They want to be able to do that here.
Is there any confirmation whether this includes Ubiquiti equipment? I think this blanket affects consuner routers but exempts business routers? And I’m not sure which ubiquiti would fall under!
The FCC is bypassing the public comment period by having the DOD classify this as a national security concern. This is blatant collaboration between agencies to expand their respective authorities into a new amalgamation that stretches far beyond their congressional authorization.
A little rich coming from the administration that supports a strict view of the major questions doctrine. They have no problem kneecapping the EPA. But the communications commission has the right to ban all drones (and not the FAA for example).
I'd say I'm shocked but I am not. Their next order forcing backdoors will be secret.
If we wanted secure products, we wouldn't ban devices. We'd mandate they open their firmware to audits.
It'd be great if open firmware could be commercially viable. Finding a business model is hard.
The OpenWRT One [1] sponsored by the Software Conservancy [2] and manufactured by Banana Pi [3] works lovely.
[1] https://openwrt.org/toh/openwrt/one
[2] https://sfconservancy.org/activities/openwrt-one.html
[3] https://docs.banana-pi.org/en/OpenWRT-One/BananaPi_OpenWRT-O...
The business model is simple: Sell nice hardware at a premium, then sponsor and upstream improvements to OpenWRT.
If the software is an important differentiator (arguably, it is for things like Ubiquiti, but clearly it is not for most consumer routers), then release the patches under the Business Source License with a 3-5 year sunset back to BSD / Apache / GPL.
Open to audits doesn't mean free software, it just means visible source. The business model for selling routers with auditable firmware is selling routers.
And the public doesn't have to audit it. The govt already audits/inspects/validates plenty of sensitive physical products, typically through 3rd party industry associations. You don't get to peek inside, but people signing NDAs do.
Even if this wasn't done, at the very least they must publish their software testing procedures, the way UL, ETL, and CSA require to certify devices for the US power grid. (https://www.komaspec.com/about-us/blog/ul-etl-csa-certificat...) They can also do black box testing.
But ideally they would actually inspect the software to ensure its design is correct. Otherwise vibe-coded apps with swiss cheese code will be running critical infrastructure and nobody will know until it's too late.
Open firmware for your own devices is commercially viable. That is why hardware vendors create FOSS drivers. not all do, but it is a viable business model.
If it was required they would do it.
There's also Turris from cz.nic [1]. Technically they use a fork of OpenWRT with some convenience features like auto-updates, although it looks like you can run OpenWRT on (some of their routers?) if you wanted to [2].
[1] https://www.turris.com
[2] https://openwrt.org/toh/turris/turris_omnia
Just declare that any router that can be flashed to OpenWRT without loss of functionality is allowed to be imported.
Requiring a one-click option to configure to open source would be a sensible across-the-board law.
I think we all know that's never going to happen.
I don't understand why people with this opinion think it's worth the effort to post it.
There's a whole interesting physiology behind learned helplessness (of which this is a minor variation).
In its defense, there's some practicality to it; we wouldn't say that a "get out of debt" plan that involved spending all available money on lottery tickets is worthwhile because "its not gonna happen". But defeatism is just a shortcut to say "I don't want to talk/think about it" in many cases.
And in this one, if the US Gov't required that all routers purchased by any agency they could influence had the ability to run open source code it would certainly shake up the market.
> we all know that's never going to happen
Why? You'd need to get someone electorally useful involved. That, unfortunately, elimiates a lot of the nihilistic, holier-than-thou tech types. But that's pretty doable nowadays. You just need an electorally-relevant group of people on your side.
Like I said, not going to happen.
Open firmware would become commercially viable when IP is abolished
How do you see firmware becoming more open without copyright exactly?
Not prosecuting people trying to reverse engineer any kind of software would be a great start...
Most of this software is already GPL.
I'm no fan of imaginary property, but you're going to have to lay out your reasoning here. Firmware security is such crap precisely because most hardware manufacturers see it as nothing but a cost center they wish they could avoid.
The difficulty of installing OpenWRT or Linux in general on hardware comes from that hardware not being documented, or not having straightforward APIs like BIOS/EFI.
Or for some devices, community distributions that dubiously remix manufacturer-supplied binaries are available. But we generally see that as soon as the manufacturer stops their updates, the community versions start lagging behind as well.
> not having straightforward APIs like BIOS/EFI.
Oh, no, not this again!
> But we generally see that as soon as the manufacturer stops their updates, the community versions start lagging behind as well.
Care to demonstrate that?
The reason OpenWrt abandoned most routers was
1) insufficient flash space in the kernel partition, or insufficient total flash space in no-USB, no-SPI routers,
2) unwillingness to repartition flash because it breaks compatibility with official firmware (as if anyone installing OpenWrt would care),
3) insufficient RAM to run newer kernels
and, most importantly,
4) unwillingness to support older kernels like DD-WRT does.
> Oh, no, not this again!
What are you referring to? Would you not say there is a difference between OpenWRT having to make a list of supported whole systems, whereas an amd64 Linux distribution making a list of chipsets? I can go buy an off the shelf laptop, stick a generic "Linux install" USB in it, and be reasonably certain most things are going to work. Whereas OpenWrt I have to look at their list of supported machines, and buy exactly that one, even down to the hardware rev. Some of this is due to embedded constraints, but a good chunk is also due to the lack of hardware discoverability.
>> community distributions that dubiously remix manufacturer-supplied binaries are available
> The reason OpenWrt abandoned most routers was
I didn't mean things like OpenWrt, which I'd say is a general Linux distribution that does contortions to fit on specific devices. Rather I was talking about things like Valetudo which are closer to rooting the stock distribution with some tweaks, or the countless "custom ROMs" you see (saw?) in the phone world which are effectively remixing the manufacturer images. I thought DD-WRT was in that camp, especially for many devices (eg where do these "older kernels" come from?), but I'm hazy on that.
(personally I gave on up OpenWrt some 10 years back, and just use generic Linux (NixOS) on amd64. A VM on my server for the router, and lower-power amd64 boards for the additional APs (most of which double as Kodi terminals))
You will first probably need Congress to legislate away the long standing prohibitions against offering (easily) user-modifiable RF devices on the market.
Self ownership and full 'right to repair' has carve-outs in the FCC's regulations in the name of limiting unintentional broadcasting/radiation. Maybe a challenge to those would survive in the post-Chevron environment. I wouldn't expect any Congress in the last 25 years to pass a law which would go against the incumbent telecom lobbyist interests though, and I'd expect such a hole if it did hit case law, to get 'patched' fairly quickly.
About the only way to really solve that would be to embarrass vendors enough to open their moats.
I dunno, I'm pretty big on FOSS but I don't think you would need that to improve. Requiring that the firmware have its source code available to audit doesn't mean that users can replace it. AFAIK you could, today, with no legal changes, have a vendor release 100% of the code under eg. a MIT license while also making the device refuse to run firmware not signed with their keys. Researchers could poke at it to find bugs, and FCC regulations wouldn't be touched. (Note: IANAL, so feel free to point out if I'm wrong about that)
(To be clear, I don't think that's good enough; at a minimum I think there should be a wifi card that does refuse modifications and a main application processor that is 100% user controlled so that they can actually fix problems without needing the vendor to help, but I think it's useful to point out that auditing code doesn't require being able to install it)
> AFAIK you could, today, with no legal changes, have a vendor release 100% of the code under eg. a MIT license while also making the device refuse to run firmware not signed with their keys.
This is already the case today with many embedded devices. They have secure boot enabled so even if the vendor releases the GPL source code (big if), you can't do anything because the device will only boot the vendor's signed firmware.
> at a minimum I think there should be a wifi card that does refuse modifications and a main application processor that is 100% user controlled so that they can actually fix problems without needing the vendor to help
This is already possible. The RF components frequently have a signed firmware blob that is verified on load. There is no reason but planned obsolescence and greed keeping the application processor locked to running the vendor's signed code.
> the device will only boot the vendor's signed firmware
That sounds like what Software Freedom Conservancy would call a GPL violation:
https://sfconservancy.org/blog/2021/mar/25/install-gplv2/ https://sfconservancy.org/blog/2021/jul/23/tivoization-and-t... https://events19.linuxfoundation.org/wp-content/uploads/2017...
> That sounds like what Software Freedom Conservancy would call a GPL violation
Sure, it is. So what? Have you got 200k for lawyers and years of your life to spend in court fighting over it?
I have personally contacted the SFC with ample evidence of deliberate and wilful GPL violations, such as providing a written offer for source code and then ignoring or flat out refusing requests for the source code. The SFC has acknowledged the vendors are violating the spirit and letter of the GPL.
Nothing happens. The SFC is one organisation with limited resources, FOSS developers don't want to spend their time in court, they'd rather develop software. Vendors know 9 times out of 10 they will get away with the GPL violation scot-free.
It's fine to put on your rose colored glasses and pretend GPL forces companies to release source code. Reality is, the vendors have a larger marketing budget than the entire SFC endowment and the vendor's legal team is happy to tar-pit requests ad infinitum.
Nothing happens my as, until your company gets sued by the FSF and your reputation online gets to the dustbin.
Not all of the functionality is in the firmware though. You can put stuff in the silicon itself that allows backdoors.
It's very difficult to inspect a laid out chip for nefarious elements - there's too much of it to do manually. Having a secure supply chain is probably the best way to prevent that happening.
Which is not to say that I support this rule - it sounds like another import weapon trump can swing against people who aren't his friends.
> You can put stuff in the silicon itself that allows backdoors.
Very few companies make the chips too. It'd be very easy for the government to force them to add backdoors.
problem is: how do you prove the firmware in the flash chip matches source? And I do not mean me, with a disassembler and a pi pico to read out the flash chip. I mean the 70-yaer-old corner shop owner that buys this router to provide free WiFi for customers?
> how do you prove the firmware in the flash chip matches source?
Trusted, qualified independent experts: Ala Underwriters Laboratories.
One word for you: dieselgate
https://en.wikipedia.org/wiki/Volkswagen_emissions_scandal
A process not working on occasion doesn't mean the entire verification method is garbage.
I get the desire to not have to trust a third party, but realistically, there isn't a way to function without doing so, outside of going out and living in the forest in a cabin you've built yourself, either doing without electricity, or with solar panels you've built yourself from raw materials.
Human processes aren't like computers. They're messy. They fail sometimes. They need checks and balances. Sometimes those checks and balances don't work. Sometimes the checks only work well after the fact, and the people who were harmed aren't all made whole.
That's life. We probably can't do much better.
Someone did go to jail, so there's at least that.
Yes. But a lot of people still got cars that were not as represented. So if we follow the same pattern, somebody will go to jail, but most routers will not be running verified or safe code.
Do you apply the same scrutiny to the food you eat?
Some trust has to be created through testing standards and the law, but generally we do believe what the label says in day to day life.
In so far as I cook myself? Yes
So you personally test your produce to ensure it's safe to eat, has no pesticides embedded in it that could harm you, etc.? You do that after every single trip to the grocery store or farmer's market? Every trip? You don't spot check, and assume/hope/trust that the ones you don't test are safe?
The routers thing? That's probably just a scam to get donations to the Trump Family Bunker/Ballroom in DC or other pet project.
Friendly reminder that _all_ automakers - European, American, and Asian - had been doing this emissions cheating for decades.
Detection of the car being on a rolling road, special button combos that trigger the emissions testing map, etc
A trusted website that compiles it from source and a way for you to go to a webpage and flash from there automatically. The FPV community does that all the time with a set of websites for their ESC, flight controllers, radio, all open source. You can add signatures etc but just a trusted website goes a long way vs a random blob preinstalled
That proves that the one they checked, had the correct firmware. It does not prove that the one from the next batch that you bought did. We are all technical people here we and understand that there isn’t really an easy way to do this that a random non-technical person could actually understand and use.
Isn't the person you're replying to suggesting people can update the firmware to the trusted version via a website? So it doesn't matter if you get one from 'the next batch' - provided you're on top of updating the firmware.
If only somebody could make a firmware that claims to have accepted the update, but then proceeds to not actually update itself. Read out the version string from the update and save it. Show that when asked what your version is.
not to mention even on the bananapi you gotta trust mediatek.
There's no solution to that other than having knowledge and researching the code/device yourself. You can pick apart modern Linux/busybox based IoTs fairly quickly, so effort needed is not really a huge issue.
Maybe trusted community of people could do it for everyone, but there's currently all kinds of potential legal trouble brewing in that approach. Complete and public reverse engineering of every aspect of any device would have to be made completely legal, so that people could freely publish all artifacts extracted from a device and produced during reverse engineering and collaborate on them without any fear of repercussions. Also HW manufacturers would have to be prohibited from NDAing documentation for SoCs, etc.
Side benefit would be that this would also serve as a documentation for freeing the device and developing alternative firmwares with modernized sw/reduced attack surface.
We are in violent agreement. And precisely because there is no simple solution to it, half-measures like what is proposed here do absolutely no good, and often times do harm.
Considering this is after Loper Bright Enterprises v. Raimondo (2024), it will be interesting to see if this holds up to judicial scrutiny.
The FCC's power just got substantially nerfed, and "we've decided to slow lane all foreign-made routers" feels like that may have been beaten on the old, higher, standard. Let alone the new one that gives the FCC almost no power.
Nerfed to do their job. The corrupt republican Supreme Court judges are very happy to give more power to the executive to collect bribes, however.
> all consumer-grade routers produced in foreign countries
Are there even consumer-grade routers that are produced in the USA...?
Guys from heise.de [1] haven't found any.
[1] https://www.heise.de/en/news/USA-bans-all-new-routers-for-co...
But we can still buy old models:
> As outlined below, today’s action does not impact a consumer’s continued use of routers they previously acquired. Nor does it prevent retailers from continuing to sell, import, or market router models approved previously through the FCC’s equipment authorization process. By operation of the FCC’s Covered List rules, the restrictions imposed today apply to new device models.
I’m sure plenty of US factories are capable of importing boxes that look like routers but are actually just switches (because the router firmware is missing) and re-flashing them here…
I suspect "evergreen" model numbering/naming will become even more common in the future.
Right? Even enterprise routers, e.g. Cisco, are not produced in USA.
You can theoretically use any computer as a router. I've used a Raspberry Pi as a router through a single NIC with VLANs.
> consumer-grade routers that are produced in the USA
Starlink?
I believe they make satellite components not consumer hardware in the US
The linked BBC article above says the Starlink terminals are made in Texas.
X-The Everything router, now with 'Mecha Hitler' built in!
Time for the made in USA tin can and a string.
Hey, let's not undersell America's high-tech manufacturing capability. We could easily produce morse code keys and copper wire, for a price of course.
Assembled in the US, the tin comes from Indonesia.
Qualcomm is a US company right? I've worked on a few WiFi router devices and their chips are pretty popular in that segment. But WiFi is not a priority for Qualcomm (in fact they actively sabotage it for their more profitable 5G segment), and software is even less of a priority. So you had "parsing 802.11 TLVs in the kernel with obvious stack overflows" quality code drops.
(Which is why it's a bit ironic I saw the Google Fiber guy post on X about how they always had TPM^TM "security" in their routers; thats cool, but the drivers you used still made them "general purpose computing over the air" devices)
Doesn't matter where they're headquartered if they use foreign-made components. I don't think there's a robust enough supply chain of domestic materials available (nor cheap enough labor) to feasibly stop using foreign-made components.
The only one I know of: https://www.islandrouter.com/
> In conjunction with original software development, Island is designed and assembled in the USA to improve security and enable tighter quality control throughout the entire production process. The code for Island routers has only been loaded internally at Island HQ in the U.S; customer support is also managed directly in our U.S. Headquarters.
Are there any consumer-grade routers that aren't produced in Taiwan?
Even MikroTik routers have a supply chain scattered around the world
But most are still made in Latvia.
Which is still foreign from the USA's perspective. Remember, this new rule is not just against China, but against all foreign-made.
But the fact that a company can manufacture consumer(ish) routers in Latvia means it's very practical that another company could manufacture consumer routers in the US.
Usually the argument is that X can't be made in the US because China's so good at it that the US could never compete, so we shouldn't even try. But if a company with 367 employees in a country with the population of a medium-size metro area can do it, it proves that argument is bunk.
> But the fact that a company can manufacture consumer(ish) routers in Latvia means it's very practical that another company could manufacture consumer routers in the US.
Assembling them in Latvia, or the US, from internationally sourced components isn't a solution to anything.
> Usually the argument is that X can't be made in the US because China's so good at it that the US could never compete, so we shouldn't even try. But if a company with 367 employees in a country with the population of a medium-size metro area can do it, it proves that argument is bunk.
Unless Latvia is a much better environment for this kind of industry than the US is.
> Assembling them in Latvia, or the US, from internationally sourced components isn't a solution to anything.
I disagree. It's the first step. I mean, how did China do it? They started with assembly and low-value manufacturing and worked their way up the value chain. The US still had fabs. Once you get assembly reshored, start pushing to to reshore components (which are mostly chips, and pretty soon the equipment is mostly domestic.
> Unless Latvia is a much better environment for this kind of industry than the US is.
In what way?
Even if the US is utterly terrible for this kind of industry, we're talking about a small-medium sized tech company. It seems extremely doable.
For the device manufacturers, the obvious solution is to sell them as general-purpose computers. You can already get devices that had started out as Raspberry Pi clones but evolved into excellent DIY network appliances, with multiple high-speed Ethernet and SSD ports that are great for running a NAS, proxy server, firewall, or all three, and more. Rarely do they have good WiFi, but if manufacturers start selling hardware that has been traditionally sold as a locked-down routers or access points, but include a generic Linux installation, it'll compete will well with the aforementioned hardware.
Companies want to sell what consumers want to buy. But the average consumer doesn't want a general-purpose computer for this job; they instead want to buy a "router".
If companies market the devices as something other than "routers" then consumers will not buy them for routing duty.
(Meanwhile, the non-average people who want to use general-purpose computers as homespun router/NAS/do-all boxes are already aware of how this all works...and many of us have been doing it this way for decades. (Often, this happens alongside dedicated access points that do have good wifi radios.))
The average consumer doesn't want a router full stop. Their ISP hands them an all-in-one modem+router+switch+WAP box and they just accept that the internet lives inside of it.
I have roommates who are engineers and I had to explain to them the difference between Wi-fi access point and LAN when I replaces our wireless router with a router + 3 APs.
That's quite true. Most people don't know, and most people don't care. And of those who do care, many elect to rent/buy things like managed wifi mesh systems and/or faster service from their ISP to solve performance or coverage issues when a bit of SQM and another access point might do the trick in a once-and-done fashion.
And I don't mean to suggest, in any way, that this means that most people are stupid or anything like that. They can have ridiculously high intelligence while the nuts and bolts of networking remain completely beyond the scope of their thought processes.
But yet: Every-day consumer-oriented stores (including Wal-Mart) have routers (and mesh systems and...) in stock on the shelf for purchase in Anytown, USA right now. So while they may not be the majority, people are buying them.
> But the average consumer doesn't want a general-purpose computer for this job; they instead want to buy a "router".
So start your own company called usa router co, and sell some random arm board with a preinstalled router image... the end user won't know the difference.
Oh, for sure. That's easy enough; it's what GL.inet does: They sell router-shaped computers that run a skinned openwrt -- out of the box. (There's been some questions about GPL compliance over the years, but that's a separate issue.)
And superficially, it sounds like a straight-forward thing for me or anyone else to do here in the states, but things get murky quickly: What differentiates a foreign-made router from a US-made router?
Can I get some flunky push the button in his studio apartment in Idaho to flash open (but globally-sourced!) firmware onto some boxes from Alibaba (in exchange for startup promises) and call that good enough?
Do I have to spin up the boards here in the States? And the ICs, too? How about the passive jelly-bean parts like the capacitors and resistors and the antennas?
What of the rest of the device? Like, things such as the housing, the packaging, the power supply, and the included ethernet cable: Do I need to source those from domestic US production or is it OK if they're foreign-made components?
Do I have to produce the software in the States? (If so, Linux is right out.)
Where is the line drawn? How is the line shaped?
I have a theory that the FCC bureaucracy desperately wants to extend its remit to regulate the internet, and this is just one more attempt.
Previous example: https://news.ycombinator.com/item?id=37392676
And exactly how many consumer routers are not foreign made?
If war breaks out you better bet a bunch of equipment will turn off.
Numerous papers showing the ability to easily map indoors areas with WiFi (including occupancy) it’s a liability.
There will be excuses “tariffs” etc but I heard a few have gotten calls from three letter agencies coyly telling you to improve your systems.
It’s a chance to refresh the product line! (of course at the worst time when mem prices are bleed you dry high)
Occupancy sensing is a FEATURE on comcast home routers. It notifies you if someone is moving in the house and probably sells the occupancy data also. Makes location data from other sources far more valuable and verifiable.
You mean further war? It doesn't break out, people cause it. Then those people might, for example, lie about peace talks to make $Billions on futures trades.
They're not likely to go to war against people with long-range missiles though. Even they are not demented enough for that.
"Will turn off"... are you claiming that consumer-grade routers have a secret backdoor kill switch that one government or another can use to turn them off? That's a little hard to believe (even when they are security Swiss cheese).
Seeing the operational capability of Mossad in Iran means if desired, one should assume the US and China are equally capable.
The US didn’t make a space force to please the ego, it was likely to occur eventually. They aren’t spending all their time wargaming a moon invasion lol
Logistically, hacking tons of different model routers is not feasible. It would be more useful to yank the power grid.. which can be accomplished with missiles or software.
I'm not sure what you're suggesting, exactly, but we seem to have escalated from "kill the consumer-grade WiFi routers" to "kill the entire US power grid" in one post? If anyone did that, with missiles or software, things are going to escalate very quickly from there.
More likely they have RCE vulnerabilities known to various governments than intentionally made secret backdoors... which is worse since a backdoor would probably at least only be usable by the county that manufactured it (for example see Jia Tan's attempted backdoor).
The DOCSIS (Data Over Cable Service Interface Specification) standard for cable internet end user routers specifies total remote control. Most ISP originated routers are set up this way.
What exactly does "produced" mean in this context? That the final assembly was done here, software was written here, PCB was assembled here, SoCs and ICs wwre manufactured here, or something else? Regardless, while consumer routers are 9 of 10 times insecure garbage, it's hard to think of any that aren't manufactured outside the US.
I'd gladly buy an American-made router if one existed!
Prediction: there will appear new "Made in the USA" routers that differ from some Chinese model only by the label. Already the case in Russia for e.g. powerbanks.
I would be more impressed if they would ban all enterprise routers manufactured in China. I have had to continuously patch and meticulously mitigate severe vulnerabilities and bugs in Cisco, Dell, HPE, Extreme, Arista routers, switches, fabrics, and others. These are all manufactured in China, Taiwan, Hong Kong, Vietnam, Malaysia, Thailand, and probably elsewhere in the Greater China region... Actually I take it all back. I wish they would just ban companies from shipping bad code and sanction them for causing millions of hours of required labor to ensure their manufacturing defects do not harm businesses and their customers. Thank you for your attention to my chatter.
As someone who works with networking (consumer prosumer enterprise everything) the problem is far more complex than : make it open.
Manufacturers can support devices for long but it costs money which the consumers / businesses aren’t willing to pay or value. Cybersecurity is a joke and the general consensus is : we will pay for things as and when there is a fire. We don’t put a price on prevention because we can’t really show it to shareholders how we profited from not being attacked since we blocked those. So we create an arbitrary certification and pass things according to it. This certification doesn’t say anything about firmware. But if we do get attacked then we can convince the shareholders to spend money on better equipment this financial year and then not bother until the next time we have a problem.
Some of these certifications focus on what the devices allow you to do (like acls and firewalls) and see if they pass these tests. But actually looking at the firmware and finding vulnerabilities is not in scope.
Yeah, it does sound like this should be focused on verifying firmware, including all future updates. If a Chinese company builds the router at a US Foxconn site, it is still the same situation.
If worried about supply chain and inside jobs, I worry more about the IoT widgets I have. They are already inside the LAN, can access the internet, etc.
Anyway, bribes aside, this is probably just a talking point and not much actually changes.
Jeff Geerling's reaction: https://www.youtube.com/watch?v=04oL0qVSWJE
Pretty disappointing for someone like Jeff not to make a distinction between routers, and routers which also contain a Wi-Fi transmitter.
I have a small stockpile of wifi 6 routers running openwrt. I'm set for quite a while given that wifi 6 is plenty fast enough for my family.
This is kind of a boneheaded way of handling whatever issues they're claiming.
I am having trouble understaning. First, which routers are actually made in the USA? ASAIK, none of them are.
Wouldn’t you purchase an American made router if you could?
I switched away from Omada to Ubiquiti, because of TP Link’s problems.
So... What are the options now for American consumers? What brands are left and available?
Does anyone even have a list of US produced routers? Like does installing OpenWRT or OPNSense or VyOS matter?
I can’t think of a complete start to finish, OS to mosfets, computer that is 100% manufactured in the United States.
If their "made in america" goal was anything but a sham, system76 would be getting huge government contracts right now.
The FCC seems to count some level of assembly and packaging as qualifying as “Made in the US” so as long as it’s not a complete sham it should count.
Of course, getting a router SOC with firmware from the factory , soldering on the Ethernet ports and adding RAM and storage, installing an OS, throwing it in a case with a power supply into a box isn’t solving the problem of insecure foreign firmware but is meeting the “Made in US” demand.
So what counts and who gets exemptions will be telling.
The escalation path is probably: have some relationship to an entity that doesn't care about you -> make sure that entity becomes your enemy -> the enemy now has an incentive to see you as an enemy -> you must now be afraid of your new enemy.
So router prices in the US will go up a lot, great!
Will this impact the Mono Gateway[0]?
[0] https://mono.si/
It looks like it probably won't matter. The site says you can preorder a DevKit "Shipping between June and September 2025."
The fact that they haven't updated that webpage with new information since October 1st 2025 seems to indicate bad news...
I preordered one, I got it, and I sold it. They are active on Discord. Why did I sell it? The shortcomings of the platform made me realize I should just go with UI, despite my reservations about the company.
The founder puts regular updates on his YouTube channel: https://youtu.be/RS2igvW3DIk
Shortly put, they're going through hardware startup woes but will probably make it out the other end just fine.
It's hard to tell considering there is absolutely no company/ownership information on the site, but a .si (Slovenia) domain coupled with EUR being an accepted currency has me thinking they're Europe-based, and therefore foreign-made.
... at the same time, I don't think I'd send $100 to a site with no contact/ownership/company info to begin with.
Aren’t all routers manufactured in foreign countries? Cisco are assembled in China as far as I know.
Ask HN: Is there a list of preferred routers for security?
Compared to hardening your network, at least visiting the ZT church once in a while, running your router on a box which You control and which implements proper segmentation, provides DNS (and "DNS firewall") and an adaptive firewall, WAF (if you run web services), isolating your wifi (anything EXCEPT running it in the box provided by the ISP)?
No.
And you have to accept living with / mitigating that e.g. that isolated wifi access point theoretically receives and will need to apply software updates. /s People seem to treat it as some kind of heresy if you simply deny such appliances internet access.
I don't think the hardware matters so much as the firmware, which is solved by installing OpenWRT on anything that supports it.
If wireless security is the concern, maybe other people here know better but I don't believe anything convenient will be "secure" in the strongest sense of the word.
A Palo Alto 440 is what I would consider a baseline for 'real' security. Way too expensive and complicated for most if not all home users.
I keep recommending the free version of Sophos firewall for home users. It's still a bit of a bear to configure.
Nest
Probably made in Vietnam, like Amazon Eero.
Where it's manufactured has nothing to do with security.
"national security" and "security" mean very, very different things in this context though.
I disagree with the FCC. Banning "China routers" will not meaningfully increase security. Actual security has no correlation with country of manufacture.
my instinct is open source is part of the answer. the market monetizes with differentiation on the open source base, support, hardware, etc. vibrant enough market = the foss is secure (always a relative term) and continues to evolve, partially paid for by the companies who are monetizing
Are there consumer grade routers made in the US?
Because of this, I'm going to plan my next network upgrade based on open source hardware like Banana Pi. My setup is based on WiFi 7 so this might not apply for a few years. From my understanding, the hardware from proprietary manufacturers is sufficiently advanced to do some advanced surveillance and spyware, whereas previous generations didn't require advanced processing to achieve fiber optic speeds. Back to the original statement, it's clear that the threat of surveillance exists.
Personally, I don't make the distinction between foreign and domestically produced routers in America. In fact, I trust foreign produced routers more because the likelihood that they can act upon their surveillance is significantly lower than the current American regime's oppressive and malicious tactics. Therefore, open source routers provides enough transparency to effectively eliminate spyware threats from all angles while being compliant.
I'm especially excited about the Banana Pi because of the transparency and potential of modular upgrades. Whenever there's a network issue, I have to consider whether the manufacturer (American or not) is doing something nefarious. With a Pi based router, I have much more peace of mind with network debugging issues.
IMHO an underrated comment. The CCP isn't going to break down my door in the middle of the night, but I'm sure I'm on lists at the FBI and ATF just for my political org memberships alone. I think a foreign actor is more likely to use compromised hardware to create service interruptions and general chaos in the event they are attacked by our government, not come put me in a gulag.
The only thing I'm missing right now that would be a nice to have is a wifi card so I can ditch my access point. My hardware isn't open source by any means, but my reliance on non-free networking code is minimal.
> I'm sure I'm on lists at the FBI and ATF just for my political org memberships alone.
Thanks to whistleblowers like Mark Klein and Ed Snowden we know that we're all being monitored by the government. If there are "lists" at all at this point it's the few people that aren't being watched 24/7.
If the world were to truly come to those stakes, I would just forgo wireless entirely. Running Cat5/6 through the walls is barely an inconvenience, and cell phones are compromised by design, needing to communicate with a cell tower.
There are several vendors of small computers usable as routers/firewalls and who provide complete hardware documentation, including schematics and PCB layout. Some of them also provide an extensive list of accessories, including cases with good passive cooling.
Besides BananaPi, there are e.g. ODROID (Hardkernel from South Korea), FriendlyElec, Radxa.
Incredibly obvious domestic surveillance scheme. Quite creepy
To clarify (since the headlines of many articles about this aren't clear about it), this states that it prohibits approval of new Models, so any models that already cleared FCC certification can still be sold in the US, even if they're made overseas.
This is for newly released models that still need to get FCC certification.
The Spirit of this law __must__ also now apply to SoCs produced by non-allied nations that feature USFCC-approved RF microelectronics, such as __ESP32__ Here's to hoping USFCC gets around to also reflecting this in the Letters of this law sooner, rather than later.
[cue https://youtu.be/EnIm71jRb_o]
This is terrible, perhaps the worst thing this administration has done (which is an incredibly high bar.)
Because it provides a pathway to full government control of the internet.
Content that demonizes the current administration's enemies will become easier to find. Evidence of their crimes will vanish.
When they murder someone in the street, fewer people will find out about it, and those that do will be more likely to hear the government's side of the story.
Mobile networks are already owned by the billionaires, and they've shown plenty of willingness to shape traffic for their interests.
Managing this kind of information at scale is an incredible challenge, but one that LLMs are very well suited for.
Even if you are confident the current administration doesn't have the competence or longevity to exploit this (as I mostly am,) we can easily predict future admins of either party will happily make use of these capabilities.
Bad for the US, but also very bad for the world, because it will make it much easier to manufacture consent for or hide future international crimes committed by the government.
We've excused the complete loss of traditional journalism with a reliance on the Internet instead. Not anymore.
Can savvy individuals work around it, of course. But the general public will treat them like conspiracy theorists, because all they will see is content that reinforces the administration.
The technical discussions in here sound like: "silly Caligula, his horse won't be able to sign his name to cast a vote in the Senate."
What is a router?
Really, do they have a definition?
Device that connects multiple networks? Layer 3 of the OSI model? Consumer ones tend to have more than that, but the more specific definition would work fine.
Yeah conceivably you could use this to ban any network device that is capable of routing between interfaces, so lots of switches with new firmware could do it, often terribly, as well as PCs with multiple interfaces. But its probably going to involve intention.
Any PC with a NIC is one VLAN and masquerade rule away from being a router
That is true, but you can also add USB Ethernet interfaces to any PC, which is even simpler.
For example, my router/firewall, which also implements various other network services, e.g. hosting my own e-mail server, is an old Intel NUC with 5 Ethernet ports, 4 of which are made with USB Ethernet interfaces.
The definition is at the bottom of this document https://www.fcc.gov/sites/default/files/NSD-Routers0326.pdf
...which in turn refers to https://nvlpubs.nist.gov/nistpubs/ir/2024/NIST.IR.8425A.pdf
Good question for devices that ship with multiple network interfaces, multiple video outputs, no RAM and no software.
If multiple network interfaces defines a router, then every cell phone is one, because every cell phone has a cellular and Wifi interface, and is a router in hotspot mode. Three interfaces if you count USB which can also be a network interface (hotspot works over USB in both Windows and Linux) and four if Bluetooth PAN is still a thing.
Speaking of phone companies, Apple will be manufacturing Mac Mini in USA.
If Apple can make a Neo laptop out of phone parts, they could make a US Airport router out of US mini PC parts.
All routers ship with software.
(edit: and RAM!)
(edit: and NOT multiple video outputs!!)
x86 multi NIC barebone fanless PC is not for routing, nope.
It definitely could be! And some people do use it for that!
(edit: but it's not considered a consumer grade router, that's for sure!)
Who said anything about multiple NICs? Ethernet port and Wifi modem in AP mode are more than enough
will this be like "product of USA" potatoes?, where a canadian truck full of bags of potatoes backs up to a special border facility, and the bagged potatoes are put on a conveyor, dumped out, conveyed........, and then rebagged,thereby becoming american product!
Does the router ban really only pertain to consumer-grade networking devices?
> For the purpose of this determination, the term “Routers” is defined by National Institute of Science and Technology’s Internal Report 8425A to include consumer-grade networking devices that are primarily intended for residential use and can be installed by the customer. Routers forward data packets, most commonly Internet Protocol (IP) packets, between networked systems. ¹
> A “consumer-grade router” is a router intended for residential use and can be installed by the customer. Routers forward data packets, most commonly Internet Protocol (IP) packets, between networked systems. Throughout this document, the term “router” is used as a shorthand for “consumer-grade router.” ²
There doesn't seem to be a general ban for foreign-made professional routers, just for some Chinese manufacturers, right³?
Oh, and what does "produced by foreign countries" even mean? I couldn't find any definition. Is this meant to be the country of final assembly? Would importing a Chinese router and the flashing the firmware in the USA be sufficient to be exempt? Where is the line drawn usually?
¹) https://www.fcc.gov/sites/default/files/NSD-Routers0326.pdf
²) https://nvlpubs.nist.gov/nistpubs/ir/2024/NIST.IR.8425A.pdf
³) https://www.fcc.gov/supplychain/coveredlist
Given everything else going on in America right now I'm not sure I'd trust an American made router more than any other.
Is this just another mass surveillance operation?
If I were a nation worried about the health and security of routers, I'd be making sure that open source has a place.
But largely thanks to FCC demands, the list of router hardware that can run open source operating systems such as OpenWRT has dwindled to a trickle. There's very precious few wifi 7 / BE systems available, and only a few wifi 6! it's ghastly. https://toh.openwrt.org/?features=wifi_be https://toh.openwrt.org/?features=wifi_ax
To me, this is a deeply dangerous situation for the state & for the population, where it is nearly impossible for consumers and businesses to purchase gear that they can secure. Where we are at the mercy of what is on the market, and no actual securing of our own can occur.
The FCC claimed in 2015 they were not trying to forbid open source systems, but the additional compliance demands they have made unsupportable unsecurable devices the default state: the FCC mandated companies make sure the users dont have freedom, make sure the wifi performance is locked down, and the most obvious path to that end is to just lock out the user entirely. Open source isn't outlawed, but the FCC turned a good working amazing open source movement into something that is incredibly rare and hard to do. The FCC assurances (https://www.eff.org/deeplinks/2015/11/free-router-software-n...) have not proven true (https://news.ycombinator.com/item?id=11122966): everything has gotten worse for security & availability (https://news.ycombinator.com/item?id=11122966).
If you actually read the notice, it exempts models that have been approved. So this just seems to require approvals by DOH or DHS ,": Routers^ produced in a foreign country, except routers which have been granted a Conditional Approval by DoW or DHS." I take this to mean it is just adding security approvals for this type of thing to DOw and DHS. It is not a ban of all future models. It's just saying explicitly that instead of having to review models already in the market and determine that they should be removed because of nation state or other security concerns they are reviewing them before they go to market. Would be nice if people actually read it instead of hyperventilating.
Why shouldn’t people have a reaction to a policy that mandates a new approval process on a large class of consumer products?
It's fine to have a reaction. It just rhat a lot of the comments totally ignored this this caveat. So basically, as I read it by default, they're banned unless approved, which is pretty much what all regulation does anyway, isn't it.
During the last years USA has banned a lot of things by default, but in all cases there were exemptions for things receiving specific approvals.
However, the approvals appear to have not been based on any objective methodology, but sometimes nothing has been approved, while otherwise there may have been some approvals but their randomness was suspicious.
Now this new interdiction continues the trend, so it is normal for people to be wary that any approvals will be based on some kind of bribing and not on any serious security audit.
Especially since the announcement provides no information about how the DoD or DHS will be evaluating what to approve, and it's unlikely that they have the resources to do any meaningful security evaluation on that many products.
The DOH and DOW have a lot of resources. And I would guess the DOW has a lot of intelligence resources and most likely the DOH also I mean it is their job to keep the homeland safe. But I would agree. It probably will involve a lot of marshaling of those resources and reorganization. But who's to say they haven't done that already. My general point is that the conversation in this thread completely ignores that this is an imposition of a different regulatory scheme, not a banning. And actually it's in favor of enforcing more security on routers which everybody has been screaming for for years.
What the fuck?! I did not sign up to live in some third world shithole where I can't get first-world networking equipment. I do not want some piece of shit closed-source proprietary netgear ameritrash. FUCK! Give me back my god damn chinese routers!
Chinese citizens have more computing freedom than American citizens at this point. What the fuck happened to the land of the free?
I doubt anything will be pulled from the market. This is instead notice to the companies that now is the time for a donation to the administration’s ballroom.
Right now, the way this is currently worded, every single foreign-made consumer router has already been pulled from the market, and has to request permission to be reintroduced. The only consumer routers not currently affected are those that are either already purchased (some good, but won't last forever) or are American-made (overpriced, underpowered dogshit)
From the news release "What does this mean?" section: "This update to the Covered List does not prohibit the import, sale, or use of any existing device models the FCC previously authorized."
So no, this does not pull all existing routers off the market. Anything that already got FCC approval remains approved and new stock may be imported and sold.
> I do not want some piece of shit closed-source proprietary netgear ameritrash.
So much different than the piece of shit closed-source proprietary netgear chinesium.
Consumer routers are shit full stop.
Plenty of Chinese routers offer better performance at lower prices with factory support for OpenWRT, unlike Ameritrash.
Only Glinet. With all the rest is hit and miss and some are with locked bootloaders.
I understand the anger but I wouldn't go as far as that last part... the GFW is the ultimate censorship tool. For the record I run tp-link aps
Lmao you're an IT guy, right? Get yourself a Raspberry Pi 5, PCIe adapter and a second hand gigabit Intel NIC. Slap a case on that, put OpenWRT on it and bam! High performance, high quality router built from trustworthy parts running open source operating system. Not the prettiest and simplest solution but at least that way you don't have to depend on Realtek chips and Chinese firmware.
Pi 5 can't come close to handling gigabit wireguard tunnels. I can do an x86 build that will, but still, incredibly aggravating.
You'll probably see better performance with a non-wireguard VPN with the RP5 since it has hardware accelerated AES instructions.
There is an entire WORLD that lives in your computer below the operating system (eg, OpenWRT). For example, in your Raspberry Pi 5, there is a chip called the VideoCore GPU and it contains a big blob of code known only to Raspberry Pi Foundation and, perhaps, Five Eyes. The Chinese processors are like that too!
Even if you have the source and build system to recreate the exact binary blob and can reload it with Jedec or whatever, there is another world below the firmware...called microcode. Some of the microcode comes from the FAB preloaded! Even if you can get the source code for the microcode and somehow read it out and verify it is the same, you guessed it...there is another world below that [1 https://www.researchgate.net/publication/380555600_Trustwort... ] [2 https://dl.acm.org/doi/fullHtml/10.1145/3579856.3582837 ] [3 https://ieeexplore.ieee.org/document/7546493 also https://www.semanticscholar.org/paper/A2%3A-Analog-Malicious... ]
The computing freedom = a plausibly deniable backdoor.
https://nvd.nist.gov/vuln/detail/CVE-2023-1389
Another favorite, https://www.synacktiv.com/publications/cool-vulns-dont-live-...
the router sniffed plaintext http to grab HTTP User agents to put them into a curl bash command line string. Nice RCE from the browser.
Why wasn't anyone notified about this being in the works? What bulletins did I fail to notice. WHAT THE HELL IS GOING ON HERE
Long overdue.
I'm sure people will get right on buying American-made routers.