The FCC issued a ban on March 23 on all consumer-grade routers made in foreign countries. A router is the device in your home that connects your ISP broadband to the WiFi that almost everybody uses to connect devices in the home. Businesses use routers to direct ISP broadband around the business on fiber or copper networks. The ban covers all new brands and models of routers except those that have been granted a Conditional Approval by the Department of Defense or the Department of Homeland Security.
The ban comes after the White House convened an interagency group comprised of government security experts, which collectively decided that new routers made overseas “pose unacceptable risks to national security of the United States and the safety and security of United States persons”. There have been previous technology bans for security reasons, such as a ban on using software from Kaspersky Lab, and telecommunications services provided by China Telecom and China Mobile International USA. It’s worth noting that the FCC cannot decide to ban any equipment or service and can only do so if directed by national security agencies.
The ban noted that malicious actors have exploited security gaps in foreign-made routers to attack households, disrupt networks, engage in espionage, and steal intellectual property. The notice says that foreign-made routers were involved in cyberattacks from Volt, Flax, and Salt Typhoon.
The ban does not stop consumers from using existing routers. It doesn’t stop retailers from selling existing stocks of routers or from continuing to buy routers that previously have been approved by the FCC’s equipment authorization process. All that is blocked is any new models or generations of routers.
Router manufacturers can petition the DoD or DHS for conditional approval, which would allow them to apply to the FCC for equipment authorization for new routers. There are no manufacturers today that have this conditional approval.
It’s hard to know where this ban will lead, but this could become a big concern for ISPs, since most ISPs provide a WiFi router for new customers. Many cable companies and fiber builders build the router into the modem. Any ISP that is currently using a router that has not been approved by the FCC is in trouble, because according to this ban, they can’t give an unauthorized router to a new customer. Every ISP should be checking this week to make sure the routers they are providing have been blessed by the FCC.
This has longer-term implications since virtually all routers are made overseas, including those made by American companies like TP-Link, which manufactures its routers in Vietnam. Manufacturers routinely upgrade and improve routers every few years, and American ISPs will be stuck with older routers if the government doesn’t approve any new brands or models of routers.
One unspoken intent of the order is probably to promote the manufacture of routers in the U.S. I have to wonder if an American-made router would be any less susceptible to hacking than a foreign-made one. If not, I’m not sure what this ban will accomplish, other than making it more expensive to get routers. It will be interesting to see if any router companies move manufacturing to the U.S. due to this ruling. A more likely outcome might be that American consumers won’t be able to get some of the newest routers that are available to the rest of the world.
This is an interesting development. FCC certification of WiFi equipment is based on compliance with RF regulations, and this appears to have nothing to do with the RF portion of the router or access point. It, instead, seems to be more of a “network protection” regulation similar to the part 68 requirements for certification of equipment for connection to the POTS network. A router that generates traffic in a distributed denial of service attack might be compared to a fax machine that continuously redials a number (see https://share.google/aimode/aN35XUobHGZuhgOWN ).
The hardware manufacture of the device seems to have little to do with its security. Instead, the firmware determines how secure it is. Can a US manufacturer make the hardware here and use firmware developed in China? Another possible concern is that the hardware may allow operation outside the RF limits for the US (power limits, frequency limits, etc.). Should the FCC only certify equipment with specified firmware, prohibiting updates that are not approved, or prohibiting the use of open source software (such as WRT)? Also, the FCC requires the use of antennas certified for use with the device, and this requirement is widely ignored.
It’s the wild west out there!
The hardware manufacturer has everything to do with the security. Every packet that leaves the software stack passes through the hardware. That hardware can extract data from those packets and it can modify those packets to include data. Not to mention that it can quite easily ‘masquerade’ as the software stack, sourcing new packets out the interface. The software sees none of this, so only a security monitoring system upstream could even detect it.
as far as the FCC is concerned, it doesn’t really seem that the FCC has direct authority to do this. I believe the appropriate path is FCC recommends to executive, which then directs the FTC… Not that ‘rules’ are really anything to count on these days.