FCC Bans Imports of New Foreign-Made Routers, Citing Security Concerns (reuters.com) 183
New submitter the_skywise shares a report from Reuters: The U.S. Federal Communications Commission said on Monday it was banning the import of all new foreign-made consumer routers, the latest crackdown on Chinese-made electronic gear over security concerns. China is estimated to control at least 60% of the U.S. market for home routers, boxes that connect computers, phones, and smart devices to the internet. The FCC order does not impact the import or use of existing models, but will ban new ones.
The agency said a White House-convened review deemed imported routers pose "a severe cybersecurity risk that could be leveraged to immediately and severely disrupt U.S. critical infrastructure." It said malicious actors had exploited security gaps in foreign-made routers "to attack households, disrupt networks, enable espionage, and facilitate intellectual property theft," citing their role in major hacks like Volt and Salt Typhoon. The determination includes an exemption for routers the Pentagon deems do not pose unacceptable risks.
The agency said a White House-convened review deemed imported routers pose "a severe cybersecurity risk that could be leveraged to immediately and severely disrupt U.S. critical infrastructure." It said malicious actors had exploited security gaps in foreign-made routers "to attack households, disrupt networks, enable espionage, and facilitate intellectual property theft," citing their role in major hacks like Volt and Salt Typhoon. The determination includes an exemption for routers the Pentagon deems do not pose unacceptable risks.
$500 (Score:4, Informative)
I didn't know there were routers completely made in the US still. What are they, $500 for a basic router?
Re: (Score:2)
I might have an old IMP [wikipedia.org] lying around somewhere. Anything newer? Not likely.
Re: $500 (Score:2)
It would be fun for US companies to try to start up domestic manufacturing on a short notice.
This restriction might have worked around 1990.
Re: (Score:2)
I think this is mostly a risk to Cisco's organized bribes, err, 'campaign contributions' than anything else.
Re: (Score:3)
That was my reaction as well, given the way the current administration does things did a US router vendor make a $10 million contribution to the Ballroom Fund?
In terms of who qualifies, there is still at least one remaining all-US manufacturer, Adtran in Alabama, however their ESG report says:
We also follow a zero-tolerance policy concerning any forms of discrimination and harassment, and promote equal opportunities and diversity and inclusion
which I doubt would make them any friends in the Trump administration, so they're not doing this for them.
Re:$500 (Score:5, Interesting)
We are moving to an economy where if you aren't in the 1%, then everything will be a few months wage. This is definitely a case where a US administration was doing everything to increase prices, intended or not. Its what happens when you let a monkey and his buffoons run a system that requires understanding of consenquences.
Which ones aren't made in China? (Score:5, Insightful)
And does this include American brands assembled in China, or that use Chinese parts?
Re: (Score:2)
I believe Ubiquiti Unifi gear is made in Vietnam.
Re: (Score:2)
That's a nice plastic box you've got there.
Re: (Score:2)
Re: (Score:3)
When China wants to bypass tariffs, they route their products through client states like Laos and Cambodia. But Vietnam is still a frenemy of China, and is one of the alternatives that companies have been looking at, aside from Singapore and Thailand
Re: (Score:2)
Only problem w/ Unifi is that they do a piss poor job supporting IPv6, which is something like close to 50% of traffic
Re: (Score:2)
Re: (Score:2)
I had heard they were made in China, but never bothered to look into it.
Re: (Score:2)
And Ubiquiti has some of the best most flexible router firmware. It would suck to see them not be able to sell in the US.
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
Sadly.
Re: (Score:2)
Re: (Score:3)
I have a Protectli vault with OPNSense on it.
Similar. OPNsense on an old, spare PC I had -- HP a6130n: Athlon 64 X2 5000+ 2.6 GHz, 8GB RAM, added a SSD and Intel GB NICs (both also spares), and put in a smaller, simple case. It uses a little more power than a more dedicated device, but I have the PowerD setting at "Adaptive" and that's dialed it down a lot w/o impacting performance for this use. A kill-o-watt meter and some math shows it adds very little to my monthly power bill. The upside is it's all common, off-the-shelf hardware. I'm pretty
Re: (Score:2)
I use a Protectli vault with pfSense. That's the smart move.
pFsense and OPNsense (Score:3)
pFsense is now owned by NetGate, which makes routers. So now this is a paid project, which ensures regular updates and bug fixes to the firmware. OPNsense is its FOSS equivalent, which was forked after NetGate bought pFsense, but OPNsense still imports the updates that pFsense makes. But it can be installed on routers other than NetGate
One thing I wonder: given OpenBSD's reputation for the best security, why isn't it a firmware of choice on any of the routers? I don't recall seeing one w/ OpenBSD or a
Re: (Score:3)
It may be more. From inside BSD and Linux look a lot alike, and manufacturers may not clearly state what their OS is based on. Last time I ssh'd into my cloudkey or a UGX I did not think to check to see what OS it was. Ubiquity APs seem to run OpenWRT.
Anyhow, pfSense is still also a FOSS project (https://github.com/pfsense/pfsense), NetGate just sells hardware that runs it. It's a little weird when you download it because it all goes through their store, but you end up wit
Re: (Score:2)
Re: (Score:3)
According to CoPilot, Vietnam, Thailand, Indonesia and Taiwan! According to it,
Netgear routers are primarily manufactured in facilities located in Vietnam, Thailand, Indonesia, and Taiwan. While they are designed and built in the United States, many components and parts are sourced from these Asian countries, which are significant hubs for electronics manufacturing
Looks like that's one alternative for you
Re: (Score:2)
> Anyone know any brands that are made outside of China?
Turris Omnia. Probably does use chinese parts.
Re: (Score:2)
Re: (Score:3)
They all use Chinese parts. Worse than that, they all use Chinese developed algorithms too. Key parts of the WiFi and 5G specs are Chinese. If you are really paranoid, you might suspect that they did something like the NSA did back in the day, by deliberately introducing weaknesses into those standards so that they can be hacked by people who know the secret.
Or just be sensible, use defence in depth, as much open source software as you can, and look longingly at the lower prices Europeans pay for hardware.
Re: (Score:2)
"Free" routers included with broadband? (Score:3)
Does this include the "free"/rentable routers included with most ISP broadband? The providers build in the cost of super-cheap routers and finding non- Chinese ones will be hard or more expensive. No doubt the broadband providers will use this as an excuse to raise rates (while still using Chinese equipment).
We'll be left with routers that are backdoored by:
US
China
Broadband provider
What could go wrong?
Re: (Score:2)
Yeah, I know. Hard to believe, but I was talking to one of their techs while testing a mis-programmed gateway.
Re: Which ones aren't made in China? (Score:4, Informative)
Re: (Score:2)
There are these small mini-PCs from companies like Minix (not to be confused w/ Andy Tanenbaum's textbook OS) that could be used. Maybe install something like OpenBSD on them, configure them suitably for firewalls and routing protocols, and one could have a system
Cisco vs. TP-Link (Score:5, Insightful)
The feds don't want you to have a TP-Link router with Chinese backdoors.
The feds want you to have a Cisco router with American backdoors.
Re:Cisco vs. TP-Link (Score:4, Funny)
The joke is on you, the Cisco routers are also mostly made in China so they likely have backdoors for both countries!
With the exception of the proprietary routers that come with a Starlink dish, I can't think of a single major router manufacturer with a US manufacturing presence.
Re: (Score:2, Insightful)
The joke is on you, the Cisco routers are also mostly made in China so they likely have backdoors for both countries!
Yes, but they will certainly give an exemption to Cisco, possibly after a bribe is paid but also possibly just to keep users receiving their state sponsored security holes.
Re:Cisco vs. TP-Link (Score:4, Informative)
Yes
Re:Cisco vs. TP-Link (Score:5, Informative)
I thought the joke was him referring to "the feds". This is the Trump administration, it's not about backdoors, it's about bribes and identity politics.
Re: (Score:3)
This is the Trump administration, it's not about backdoors, it's about bribes and identity politics.
No, this is the federal government. It was fucking us over before Trump and it will still be fucking us over when he is dead. Yes, Trump is bad, yes a lot has changed, but most of the basic assumptions are still intact as so is most of the functionality of the federal government. In particular, Trump has not visible tampered with the NSA or CIA, and has only made the FBI more authoritarian. Therefore the same policies and procedures regarding unconstitutional citizen spying programs are in place or have bec
Re: (Score:2)
Probably not. If the Chinese had their own pre-installed backdoors in Cisco gear they could just use those instead of exploiting the Cisco and US government ones in order to install their own.
ObSovietRussia (was: Re:Cisco vs. TP-Link) (Score:3)
Re:Cisco vs. TP-Link (Score:5, Informative)
Re:Cisco vs. TP-Link (Score:5, Informative)
Cisco gear. Chinese backdoors installed at the factory, NSA backdoors installed when they ship it to you.
I'll take my chances with TP-Link. Actually, I really like GL.iNet hardware at the moment. Very solid, and runs a version of OpenWRT. You can flash standard OpenWRT onto most of it too.
Re: (Score:2, Flamebait)
Currently modded flamebait, a sure sign someone with mod points knows it's true.
https://www.tomshardware.com/n... [tomshardware.com]
Re: Cisco vs. TP-Link (Score:2)
Regardless, that is why you should always run a transparent firewall with a deny all by default, and only let return traffic get in if you arenâ(TM)t hosting anything.
That, and accept if you play dumb games, expect to win dumb prizes.
Re: (Score:2)
Aren't a lot of TP-Link routers made in Taiwan?
Re: (Score:2)
Dunno about TP-Link, but some Taiwanese companies are known to have offshored manufacturing to the mainland. Most (in)famously Foxconn
If it does not ban existing models... (Score:4, Insightful)
does that mean they'll continue to manufacture the same old models for the US market, which will possibly become less secure over time due to advanced hacking techniques applied to the same old well known hardware? Will it then result in a net loss in security over time?
It might resemble Cuba with their 1950s automobiles, frozen in time. I do agree that there is concern about backdoors and surreptitious identifying data sent to servers under control of China. Would it be better to allow new models, but require them to be completely torn down and reverse engineered by teams inside the FCC, or for their firmware source code to be handed over for inspection? (there's still room for nefarious business....hand over one set of code and install a slightly different set, or install a backdoor with a firmware update....)
I feel there's a legitimate concern here, and there always has been. What's a better solution, if any? Or is this the right solution for digital sovereignty?
Re:If it does not ban existing models... (Score:5, Insightful)
I'd say a better solution would be to require imported routers support open distros (OpenWRT).
Re: (Score:3)
Given that hardware / firmware level exploits are a thing which exist, will OpenWRT even help? I mean to be clear this FCC ruling is just plain stupid, but if you really have a concern about hardened security then simply throwing a custom OS on a Chinese product isn't enough.
Re: (Score:3)
>What's a better solution, if any?
Open source firmware
Re: (Score:2)
The paranoia runs to China installing secret, microscopic chips in everything that mean anything ever made there is compromised.
Re: (Score:3)
Are they the same ones they put in vaccines?
Business opportunity! (Score:4, Interesting)
Honestly consumer routers are a huge security risk because most people do not know how to configure, or maintain, them. Think that this policy change represents a big business opportunity for someone to create an iPhone of routers. Current versions still feel very Windows Mobile.
Anyone want to join me starting a company? Send a DM.
Re: (Score:2)
Re: Business opportunity! (Score:2)
Re: (Score:2)
I change everything - from the admin password to the SSID. When there is an option of 2 SSIDs, I make the 5GHz for the local network and the 2.4GHz for the guest network. Since then, I've seen videos suggesting that one sets up at least 4-5 VLANs, but I'm not sure whether or not the wireless routers have that capability
Re:Business opportunity! (Score:5, Funny)
the only secure windows is CE/ME/NT
Re: (Score:2)
The trum administration: (Score:2, Troll)
Re: (Score:3)
As though they weren't already proving it in myriad ways every day.
Tech Decision Made by Non-Techies - SMH (Score:2)
A better restriction would be to require imported routers to support open distros (OpenWRT, etc).
Re:Tech Decision Made by Non-Techies - SMH (Score:4, Informative)
Certainly an improvement but chip level backdoors still exist...and are even more likely built in China
Re: (Score:2)
....and manufactured using FPGAs, so that any devices discovered w/ backdoors can be re-programmed
Security concerns my butthole (Score:5, Informative)
The fact that they reference a bunch of past breaches and supply chain attacks - but give absolutely zero explanation about how said attacks would be prevented by US manufacturers, nor any explanation of additional cybersecurity controls they will mandate on them - tells you everything you need to know about this.
This is about protectionism, not cybersecurity.
If it had to do with cybersecurity, then a set of objective evaluation criteria could be applied to ANY router, regardless of origin.
Re:Security concerns my butthole (Score:5, Interesting)
This is about graft and giving "US Companies" a way to submit a bribe through on of numerous already established cahnnels (crypto, library, truth social stock, etc) for exemptions.
Thank You! (Score:3)
It will be interesting to see (Score:2)
It will be interesting to see if there are ANY routers that can "pass". Seems to be before enacting rules like this they "should" be working with partners in the US to make sure the need can be met though. I do believe that a LOT of our supply chains need a lot better resilience, which fly's 100% in the face of the "profit motive". Unregulated capitalism tends to centralize everything, control the market, and then jack up the prices. We'll probably be better off in the long run with a few more pr
Re: (Score:2)
quite a few will pa$$ the test.
Let's think this through (because they didn't) (Score:4, Informative)
2. Some amount of gear is about to undergo a US-washing in order to evade this: "Yeah, it was designed in China and built in Vietnam, but final assembly was done in Lubbock, soooooo....it's US-made".
3. If the challenge in (1) is unsuccessful, the price of a US-made router will double. That's what happens competition is removed from markets.
4. Also, the US vendors will do their best to kill open-source firmware/software -- say, by introducing undocumented components or issuing firmware updates that break software or by labeling it a national security risk.
5. Everyone trying to cope with the mess will be faced with fewer choices and those choices will cost more...so as various devices hit EOL, folks may decide to keep running them (in spite of the security risks) rather than buy pricey new stuff. Or maybe they'll buy gray market gear.
6. Bottom line: everyone trying to run operations while aiming for the balance of cost and security now has a worse set of choices than they had yesterday.
7. The only thing left for the administration to do is to declare "MISSION ACCOMPLISHED" in huge letters and move on to tampering with the next delicate piece of machinery; perhaps someone who doesn't know the difference between fission and fusion could craft nuclear policy, or someone who doesn't know the difference between bacteria and viruses could run th....oh. Wait. My bad, already happened.
Re: (Score:3)
2. Some amount of gear is about to undergo a US-washing in order to evade this: "Yeah, it was designed in China and built in Vietnam, but final assembly was done in Lubbock, soooooo....it's US-made".
Final assembly is inadequate for the law as written. You'd have to manufacture the PCBs in the U.S., which is likely to be completely infeasible for at least a decade.
3. If the challenge in (1) is unsuccessful, the price of a US-made router will double. That's what happens competition is removed from markets.
I think you're underestimating the potential for retaliatory tariffs on component exports from China. There's not a cap for how much the prices could increase.
4. Also, the US vendors will do their best to kill open-source firmware/software -- say, by introducing undocumented components or issuing firmware updates that break software or by labeling it a national security risk.
At some point, the right answer is to buy NICs and compute boards and built your own router like we used to do.
When consumer routers are outlawed, only geeks and their friends will hav
Re: (Score:2)
When consumer routers are outlawed
oh Comcast and friends will entirely pay the bribe to continue using shitty routers.
But the option to have a 'separate' router from the modem will certainly disappear.
Re: (Score:2)
I'm still doing it for a lot of applications. Same for firewalls. The cost is a fraction of commercial offerings, the performance is more than adequate, maintenance is in-house and easy (because I keep a stash of spare parts), and there's no bloat in the software stack because anything I don't need isn't there.
Please tell me (Score:2)
Mikrotik isn't on the list
Re: (Score:2)
Last I checked, Latvia is a foreign country!
Re: (Score:2)
Mikrotik has manufacturing in Europe and China, as well as Vietnam and Malaysia. Their higher-end stuff seems to be made in Europe, but that doesn't necessarily mean that parts of those aren't made in China.
There aren't any NOT foreign-made routers (Score:5, Insightful)
We're a little early for April 1, but to me, I just read "When your router dies, no more Internet for you." When I read more about this, it only applies to future products that haven't been approved yet, but that's only a reprieve of a couple of years before some forced redesign obsoletes the current products.
The current reality is that ~100% of all network routers currently manufactured (consumer-grade or otherwise) are made overseas. Except one. Starlink.
Donald Trump's FCC and Trump's national security goons just gave Elon Musk a monopoly on consumer Internet. This is what corruption looks like.
Worse, because every iPhone and Android phone is a router, Donald Trump's FCC just banned every future smartphone. And Mac. And PC.
There's an exception that companies can apply for, but whether anyone will get an exception or not is entirely at the whims of the FCC, which in the current administration likely means "companies that sucked up to / bribed Donald Trump adequately".
But critically, there aren't manufacturing facilities in the United States that can accommodate even a tiny fraction of the smartphone or network router manufacturing that the United States requires. It would take a decade for those facilities to be built even if they literally started building them today. So what this means is that for companies that don't get exceptions, they will be unable to improve their products for a decade or more.
And when individual components (even something as minor as a ) stop being manufactured, which they inevitably will, those products will require a sufficient design change to require a new import authorization, and it will no longer be possible to import them at all. If they don't have a U.S. factory lined up by then — which is almost impossible, statistically speaking — then their ability to stay in business will be at the whims of the current administration, whoever is in power at the time.
This, right here. is what corruption looks like. Pure, unvarnished corruption.
The excuse given is that building these products overseas poses a risk of supply chain disruption. But if the products are built in the U.S., the parts that go into them will all still be built overseas. It will take at least a decade before that problem can be solved. Building the final products in the U.S. does nothing to reduce supply chain disruption. In fact, it makes it worse, because the countries that make the parts can refuse to ship the components, allowing export of only finished products, and then your U.S. manufacturing dries up. And there's a strong incentive for them to play games like that, hoping that you will relent and start allowing their cheaper finished products into the country.
This is why countries whose leaders are not complete and utter morons don't pass laws like this, instead passing laws that require a certain percentage of COMPONENTS to be made in their country. That number increases over time. Eventually, once a suitable percentage of components are made in their country, they can start insisting on local manufacturing of the finished products, confident that there is a robust supply chain capable of backing local manufacturing. And even that can backfire, causing manufacturers to stop selling in a country rather than comply with their laws, but at least it starts moving them in the right direction, assuming that local manufacturing (as opposed to just "not China") is the right direction (which is highly dubious, but that's a much longer discussion).
What our current administration is doing shows that they do not understand technology, that they do not understand manufacturing, and that they do not understand the realities of import-export laws. In short, they are lunatics operating in an ivory tower with complete blinders on that prevent them from seeing the real world.
How quickly can we get ALL of these clowns out of office?
Re: (Score:2)
How quickly can we get ALL of these clowns out of office?
Not quickly enough.
Re: (Score:2)
How quickly can we get ALL of these clowns out of office?
ask yourself how much pain red state MAGA needs to feel before we see a Nixonian level shift towards Democrats...for a generation.
That's a high high bar and we aren't anywhere close to it yet.
Re: (Score:3, Insightful)
A shift towards Democrats won't solve anything. States with majority Democrat leadership still have big problems caused by a lack of diversity of ideas, as does the federal government when Democrats are in charge. They're different problems, but they're still kind of a mess. They still spend themselves into the ground and take on huge amounts of debt. They still don't reap ineffectual programs when they add new ones. They still throw money at contractors that don't do a good job, just not defense cont
Re: (Score:2)
MOST of today's Democrats are not like they were a century ago... not as bad as Republicans, who've turned full Fascist and practically confederate. Go listen to the Lincoln Douglas debates, often still performed and don't watch, but listen without knowing who is Lincoln. Well, one I listened to left all that out on purpose. You certainly figure it out but you can hear a huge difference and which party he'd be in today.
Re: (Score:2)
Maybe instead of banning all foreign made routers, they should have listed which countries' routers are banned. China would be obvious, but any one else makes them who are Beijing stooges and therefore worth banning? Such as Laos or Cambodia? Or Russia - do they make any routers?
They'll never be voted out (Score:2)
They will try to get things like the save act passed. If the save act fails to pass, watch out, because things will get scary during and after the midterms. If they lose the midterms, they'll just seize power with a physical coup.
Why now? (Score:2)
Even if they did start to ban new routers, bad actors still have all the old ones they can exploit. Is it coming down to making sure people play by the rules of router security (like not having a default password).
Not just Routers (Score:2)
Unfortunately, their definition of "Router" is so amazingly broad as to be useless
Which basically means any consumer com
Re: (Score:2)
Basically every computer, phone or tablet not only runs some OS that can act as a powerful stateful router/firewall but also has the UI and some workflows specifically designed for that (connection sharing, tethering both wired and wireless, etc.).
README FFS (Score:2)
The FCC order does not impact the import or use of existing models
So, no new models from any foreign source. But old models are still OK?
This is not a security matter. This is a trade negotiation tactic.
We'll have t wait for the other shoe to drop, but expect something sensible like Huawei has to give up 51% ownership to a U.S. entity. Someone like Larry Ellison and some Trump Jr.
"Critical Infrastructure" (Score:2)
Well nothing we think of as "critical infrastructure" is using consumer routers - and if it were that could and should be remedied quickly without a ban on consumer routers.
So ... this leaves us with an open question for this to make legal sense.
The best fit is probably an Internet Drivers License and mandatory packet signing for a surveillance control grid and CBDC coming down the pike rapidly.
When in the course of Human Events....
its in the fine print (Score:2)
Time to ban everything involved in golf balls (Score:2)
How about we starve the makers of golf ball so Trump won't be able to play golf every weekend once the supply runs out?
Re: (Score:2)
Better yet, ban foreign wives.
Or could it be that... (Score:2)
..with only US-made gear, the NSA can get their hooks and backdoors in everywhere?
Not even Cisco (Score:2)
Security is so Funny (Score:2)
Actually the joke I was looking for was a surrender joke. America no longer has the technical capability to figure out if a piece of hardware is secure. But we can blame it on the complexity of the software?
Hmm... Surrendering to the inevitable? Is that some kind of invitation for a joke about routers made in France?
The story does still have some potential for Funny, but don't look at me for the joke. I mostly think it's sad. Banning based on the location of manufacture is just a bandage. Color it stupid.
Raspberry Pi routers (Score:2)
Re: (Score:2)
Re: (Score:2)
How about Layer 3 switches built around either Raspberry Pi's, or even ones built around Intel N100s or N150s? At least w/ those, one could have choices like OPNsense: I don't believe OPNsense and pFsense have been ported to Arm, even if FreeBSD has
Although if somebody is willing to use OpenBSD as the firmware for the router, then I guess Raspberry Pi could be used. Better Firewalls/Security, although I'm not sure about their BGP implementation, or their other routing protocols
Barn door and horse (Score:3)
How many years has it been since we figured out that Chinese computing and internet software can spy on users and report back to Beijing? And Washington is just now banning imports, without having first found and vetted alternative sources?
Even the routers that aren't actually made in China may use Chinese silicon which could have its own backdoors. The way to fix this is to have other manufacturers lined up, ready to deploy with tested designs and audited supply chains. The time to do it was - at the very latest - five years ago.
Given that, it's still better late than never. But doing it without having alternate suppliers lined up, and with no plan for carefully staged infrastructure replacement, seems rather lame.
FCC has no such authority (Score:2)
The FCC lacks the authority to ban imports and can only compel providers of telecommunications services not end users.
What they seem to be trying to do is prevent FCC certification testing of new devices and strong arm independent testing outfits which is an abuse of their authority and not something enabled via secure communications act.
Lobbying Industry (Score:2)