FCC updates covered list to include foreign-made consumer routers

    The FCC maintains a list of equipment and services (Covered List) 
    that have been determined to “pose an unacceptable risk to the
    national security

    Recently, malicious state and non-state sponsored cyber attackers
    have increasingly leveraged the vulnerabilities in small and home
    office routers produced abroad to carry out direct attacks against
    American civilians in their homes.

Manufacturers have never had to care about security because no Gov agency would ever mandate secure firmware. This includes the FCC which license their devices and the FTC who (until recently) had the direct mandate to protect consumers.

Our most recent step backward was to gut those agencies of any ability to provide consumer oversight. All they they can do now is craft protectionist policies that favor campaign donors.

The US has a bazillion devices with crap security because we set ourselves up for this.

This part of the press release seems pretty crucial:

> Producers of consumer-grade routers that receive Conditional Approval from DoW or DHS can continue to receive FCC equipment authorizations.

In other words, foreign-made consumer routers are banned by default. But if you are a manufacturer, you can apply to get unbanned ("Conditional Approval").

In the FAQ (https://www.fcc.gov/faqs-recent-updates-fcc-covered-list-reg...), they even include guidance on how to apply: https://www.fcc.gov/sites/default/files/Guidance-for-Conditi...

If you (a manufacturer) apply, they want information regarding corporate location, jursidiction, and ownership. They want a bill of materials with country of origin and a justification for why any foreign-sourced components can't be domestic. They want information about who provides software and updates. And they want to hear your plan to increase US domestic manufacturing and progress toward that goal.

So, foreign-made consumer routers can still be sold, but they are going to look at them with a fine-tooth comb, and they are going to use FCC approval as leverage to try to increase domestic manufacturing.

Does it occurs to someone that in this time of encryption backdoor and such, this is also a good starting point to another mass surveillance system ? Mandate US manufacturers to embed remote access for the use of the government, then as you've made those routers the only ones authorized on the us soil (let's not be foolish about that approval process, it will be a smoke screen) you basically have a backdoor to every citizen home.

Yes china routers are a liability, but free trade and open market ensure at least one thing that's essential : no single state has surveillance capability on its entire population

If we wanted secure products, we wouldn't ban devices. We'd mandate they open their firmware to audits.

Considering this is after Loper Bright Enterprises v. Raimondo (2024), it will be interesting to see if this holds up to judicial scrutiny.

The FCC's power just got substantially nerfed, and "we've decided to slow lane all foreign-made routers" feels like that may have been beaten on the old, higher, standard. Let alone the new one that gives the FCC almost no power.

> all consumer-grade routers produced in foreign countries

Are there even consumer-grade routers that are produced in the USA...?

For the device manufacturers, the obvious solution is to sell them as general-purpose computers. You can already get devices that had started out as Raspberry Pi clones but evolved into excellent DIY network appliances, with multiple high-speed Ethernet and SSD ports that are great for running a NAS, proxy server, firewall, or all three, and more. Rarely do they have good WiFi, but if manufacturers start selling hardware that has been traditionally sold as a locked-down routers or access points, but include a generic Linux installation, it'll compete will well with the aforementioned hardware.

And exactly how many consumer routers are not foreign made?

What exactly does "produced" mean in this context? That the final assembly was done here, software was written here, PCB was assembled here, SoCs and ICs wwre manufactured here, or something else? Regardless, while consumer routers are 9 of 10 times insecure garbage, it's hard to think of any that aren't manufactured outside the US.

As someone who works with networking (consumer prosumer enterprise everything) the problem is far more complex than : make it open.

Manufacturers can support devices for long but it costs money which the consumers / businesses aren’t willing to pay or value. Cybersecurity is a joke and the general consensus is : we will pay for things as and when there is a fire. We don’t put a price on prevention because we can’t really show it to shareholders how we profited from not being attacked since we blocked those. So we create an arbitrary certification and pass things according to it. This certification doesn’t say anything about firmware. But if we do get attacked then we can convince the shareholders to spend money on better equipment this financial year and then not bother until the next time we have a problem.

Some of these certifications focus on what the devices allow you to do (like acls and firewalls) and see if they pass these tests. But actually looking at the firmware and finding vulnerabilities is not in scope.

I'd gladly buy an American-made router if one existed!

If war breaks out you better bet a bunch of equipment will turn off.

Numerous papers showing the ability to easily map indoors areas with WiFi (including occupancy) it’s a liability.

There will be excuses “tariffs” etc but I heard a few have gotten calls from three letter agencies coyly telling you to improve your systems.

It’s a chance to refresh the product line! (of course at the worst time when mem prices are bleed you dry high)

Prediction: there will appear new "Made in the USA" routers that differ from some Chinese model only by the label. Already the case in Russia for e.g. powerbanks.

This is terrible, perhaps the worst thing this administration has done (which is an incredibly high bar.)

Because it provides a pathway to full government control of the internet.

Content that demonizes the current administration's enemies will become easier to find. Evidence of their crimes will vanish.

When they murder someone in the street, fewer people will find out about it, and those that do will be more likely to hear the government's side of the story.

Mobile networks are already owned by the billionaires, and they've shown plenty of willingness to shape traffic for their interests.

Managing this kind of information at scale is an incredible challenge, but one that LLMs are very well suited for.

Even if you are confident the current administration doesn't have the competence or longevity to exploit this (as I mostly am,) we can easily predict future admins of either party will happily make use of these capabilities.

Bad for the US, but also very bad for the world, because it will make it much easier to manufacture consent for or hide future international crimes committed by the government.

We've excused the complete loss of traditional journalism with a reliance on the Internet instead. Not anymore.

Can savvy individuals work around it, of course. But the general public will treat them like conspiracy theorists, because all they will see is content that reinforces the administration.

The technical discussions in here sound like: "silly Caligula, his horse won't be able to sign his name to cast a vote in the Senate."

I would be more impressed if they would ban all enterprise routers manufactured in China. I have had to continuously patch and meticulously mitigate severe vulnerabilities and bugs in Cisco, Dell, HPE, Extreme, Arista routers, switches, fabrics, and others. These are all manufactured in China, Taiwan, Hong Kong, Vietnam, Malaysia, Thailand, and probably elsewhere in the Greater China region... Actually I take it all back. I wish they would just ban companies from shipping bad code and sanction them for causing millions of hours of required labor to ensure their manufacturing defects do not harm businesses and their customers. Thank you for your attention to my chatter.

The escalation path is probably: have some relationship to an entity that doesn't care about you -> make sure that entity becomes your enemy -> the enemy now has an incentive to see you as an enemy -> you must now be afraid of your new enemy.

So... What are the options now for American consumers? What brands are left and available?

Incredibly obvious domestic surveillance scheme. Quite creepy

Does anyone even have a list of US produced routers? Like does installing OpenWRT or OPNSense or VyOS matter?

I can’t think of a complete start to finish, OS to mosfets, computer that is 100% manufactured in the United States.

The Spirit of this law __must__ also now apply to SoCs produced by non-allied nations that feature USFCC-approved RF microelectronics, such as __ESP32__ Here's to hoping USFCC gets around to also reflecting this in the Letters of this law sooner, rather than later.

[cue https://youtu.be/EnIm71jRb_o]

So router prices in the US will go up a lot, great!

Aren’t all routers manufactured in foreign countries? Cisco are assembled in China as far as I know.

Will this impact the Mono Gateway[0]?

[0] https://mono.si/

my instinct is open source is part of the answer. the market monetizes with differentiation on the open source base, support, hardware, etc. vibrant enough market = the foss is secure (always a relative term) and continues to evolve, partially paid for by the companies who are monetizing

Wouldn’t you purchase an American made router if you could?

I switched away from Omada to Ubiquiti, because of TP Link’s problems.

Ask HN: Is there a list of preferred routers for security?

Are there consumer grade routers made in the US?

Because of this, I'm going to plan my next network upgrade based on open source hardware like Banana Pi. My setup is based on WiFi 7 so this might not apply for a few years. From my understanding, the hardware from proprietary manufacturers is sufficiently advanced to do some advanced surveillance and spyware, whereas previous generations didn't require advanced processing to achieve fiber optic speeds. Back to the original statement, it's clear that the threat of surveillance exists.

Personally, I don't make the distinction between foreign and domestically produced routers in America. In fact, I trust foreign produced routers more because the likelihood that they can act upon their surveillance is significantly lower than the current American regime's oppressive and malicious tactics. Therefore, open source routers provides enough transparency to effectively eliminate spyware threats from all angles while being compliant.

I'm especially excited about the Banana Pi because of the transparency and potential of modular upgrades. Whenever there's a network issue, I have to consider whether the manufacturer (American or not) is doing something nefarious. With a Pi based router, I have much more peace of mind with network debugging issues.

I'm sure people will get right on buying American-made routers.

What is a router?

Really, do they have a definition?

If I were a nation worried about the health and security of routers, I'd be making sure that open source has a place.

But largely thanks to FCC demands, the list of router hardware that can run open source operating systems such as OpenWRT has dwindled to a trickle. There's very precious few wifi 7 / BE systems available, and only a few wifi 6! it's ghastly. https://toh.openwrt.org/?features=wifi_be https://toh.openwrt.org/?features=wifi_ax

To me, this is a deeply dangerous situation for the state & for the population, where it is nearly impossible for consumers and businesses to purchase gear that they can secure. Where we are at the mercy of what is on the market, and no actual securing of our own can occur.

The FCC claimed in 2015 they were not trying to forbid open source systems, but the additional compliance demands they have made unsupportable unsecurable devices the default state: the FCC mandated companies make sure the users dont have freedom, make sure the wifi performance is locked down, and the most obvious path to that end is to just lock out the user entirely. Open source isn't outlawed, but the FCC turned a good working amazing open source movement into something that is incredibly rare and hard to do. The FCC assurances (https://www.eff.org/deeplinks/2015/11/free-router-software-n...) have not proven true (https://news.ycombinator.com/item?id=11122966): everything has gotten worse for security & availability (https://news.ycombinator.com/item?id=11122966).

Does the router ban really only pertain to consumer-grade networking devices?

> For the purpose of this determination, the term “Routers” is defined by National Institute of Science and Technology’s Internal Report 8425A to include consumer-grade networking devices that are primarily intended for residential use and can be installed by the customer. Routers forward data packets, most commonly Internet Protocol (IP) packets, between networked systems. ¹

> A “consumer-grade router” is a router intended for residential use and can be installed by the customer. Routers forward data packets, most commonly Internet Protocol (IP) packets, between networked systems. Throughout this document, the term “router” is used as a shorthand for “consumer-grade router.” ²

There doesn't seem to be a general ban for foreign-made professional routers, just for some Chinese manufacturers, right³?

Oh, and what does "produced by foreign countries" even mean? I couldn't find any definition. Is this meant to be the country of final assembly? Would importing a Chinese router and the flashing the firmware in the USA be sufficient to be exempt? Where is the line drawn usually?

¹) https://www.fcc.gov/sites/default/files/NSD-Routers0326.pdf

²) https://nvlpubs.nist.gov/nistpubs/ir/2024/NIST.IR.8425A.pdf

³) https://www.fcc.gov/supplychain/coveredlist

If you actually read the notice, it exempts models that have been approved. So this just seems to require approvals by DOH or DHS ,": Routers^ produced in a foreign country, except routers which have been granted a Conditional Approval by DoW or DHS." I take this to mean it is just adding security approvals for this type of thing to DOw and DHS. It is not a ban of all future models. It's just saying explicitly that instead of having to review models already in the market and determine that they should be removed because of nation state or other security concerns they are reviewing them before they go to market. Would be nice if people actually read it instead of hyperventilating.

Given everything else going on in America right now I'm not sure I'd trust an American made router more than any other.

Is this just another mass surveillance operation?

Long overdue.

This whole comment thread is a bit of a dumpster fire of opinions however we at Supernetworks have been working on the wifi security problem for a long time and we have a lot to say about it.

Router manufacturers competing into involution that ship RCE (much of which is triggerable from a web page) have created a substantial risk to consumers, in this case with a lens on the US market. The events of the FCC are not in isolation and have to do with not being able to boot actors out of many critical infrastructure networks. You can follow along with CISA on the various alerting that they do. https://www.cisa.gov/news-events/cybersecurity-advisories

We tackle hardware & software and prioritized network isolation as the first thing to resolve. We have tons on our blog and page about network security and have open source software.

[flagged]

What the fuck?! I did not sign up to live in some third world shithole where I can't get first-world networking equipment. I do not want some piece of shit closed-source proprietary netgear ameritrash. FUCK! Give me back my god damn chinese routers!

Chinese citizens have more computing freedom than American citizens at this point. What the fuck happened to the land of the free?