The US Federal Communications Commission (FCC) is tasked with regulating both wired and wireless communications, which also includes a national security component. This is how previously the FCC tossed networking gear made by Huawei and foreign-manufactured drones onto its Covered List, effectively banning it from sale in the US. Now foreign-made consumer routers have been added to this list, barring explicit conditional approval on said list that would exempt them during a ‘transition phase’.
As per the FCC fact sheet, this follows after determination by an interagency body that such routers “pose unacceptable risks to the national security of the United States [..]”. This document points us to the National Security Determination PDF, which attempts to lay out the reasoning. In it is noted that routers are an integral part of every day life, and compromised routers are a major risk factor, ergo it follows that only US-manufactured routers are to be trusted.
These – so far fictional – US-manufactured consumer routers would have to feature ‘trusted supply chains’, which would seem to imply onshoring a large industrial base, though without specifying how deep this would have to go it’s hard to say what would be involved. The ‘supporting evidence’ section also only talks about firmware-related vulnerabilities, which would imply that US firmware developers do not produce CVEs.
Currently there do not appear to be any specific details on what router manufacturers are supposed to do about this whole issue, though they can continue to sell previously FCC-approved routers in the US.
Although hardware backdoors are definitely a possibility, this requires a fair bit of effort within the supply chain that should generally also fairly easily to detect. Yet after for example Bloomberg claimed in 2018 that Supermicro gear had been infested with hardware backdoors, this started a years-long controversy.
Meanwhile actually verified issues with Supermicro hardware are boringly due to software CVEs. In that particular issue from 2024 two CVEs were discovered involving a lack of validation of a newly uploaded firmware image.
All of which is reminiscent of an early 2024 White House ‘memory safety appeal’ that smelled very strongly of red herring. Although it’s easy to point at compromised hardware with scary backdoors and sneaky software backdoors hidden deep inside firmware of servers and networking devices, the truth of the matter is that sloppy input validation is still by far the #1 cause of fresh CVEs each year, especially if you look at the CVEs that are actually being actively exploited.
As for this de-facto ban on new routers being sold in the US, this will correspondingly not change much here. The best defense against issues with networking equipment is still to practice network hygiene by keeping tabs on what is being sent on the LAN and WAN sides, while a government could e.g. force consumer routers to pass a strict independent hardware and software audit paid for by the manufacturer.
Speaking as someone who used to run DIY routers for the longest time built around FreeSCO and Smoothwall Linux, there’s also always the option of turning any old PC into a router by putting a bunch of NICs and WNICs into it and run SmoothWall, OpenWRT, etc.. A router is after all just a specialized computer, regardless of what the government feels that it identifies as.
Lel rekt. Let them pay 10x the price for chinese case, chinese board, chinese SoC, chinese connectors, chinese resistors and chinese firmware. It’s going to be expensive, but at least it will be “Made in USA” 😂
Meanwhile Europeans with their Mikrotiks.
ubiquity is US company, and some rumors on net are saying that that iron is fare better then Mikrotik
Ubiquiti routers are manufactured overseas, with production primarily located in
Vietnam and China. While the company is headquartered in the United States (New York/San Jose), its hardware manufacturing, assembly, and supply chain are globally distributed, often falling under the category of foreign-made networking equipment.
Ahh…so sad, to bad, try again.
Looking at them, they seem to be great “point and click” routers, good for the cable-puller and computer rebooter support staff.
I’m sure US Robotics could manufacture a router. Call it Sportster Plus or something.
I still have a pile of 6 LinuxAP/OpenAP (pre-openwrt era) based USR2450 access points from 1999. I am wondering what to do with them, maybe port Arduino to it instead of booting linux:
https://techinfodepot.shoutwiki.com/wiki/USRobotics_USR2450
56k X2 FTW!
The want to make sure it has an NSA backdoor and not a Chinese one.
Considering I have nothing to fear from China. At least that I can think of… Meanwhile the current state of things makes the usa look like a less and less safe place to exist… Maybe I should buy a Chinese router?
In all seriousness, I’d love to see more user friendly guides on openwrt. Last time I tried it was a big pain.
I dunno when was last time you did, but since ca. 8-10 for me it´s as simple as: identify the model, download latest firmware, flash. a 30 minutes job. Well, i choose my hardware according to what is well supported by openwrt AND has all the features i want. there is plenty of choice.
“I have nothing to fear from China.”
You might feel that way, but in reality pretty much everything you fear about the US government also applies to the Chinese government.
Not really. The Chinese government can’t imprison me. That’s kind of a big one.
Though they can hijack your home devices and steal your identity and banking credentials to take your money, or more likely, sell the access to other people to add you to a botnet.
See the IPIDEA network that was recently busted.
Chinese government runs secret police stations all over the world.
https://en.wikipedia.org/wiki/Chinese_police_overseas_service_stations
china’s on the other side of the ocean my dude.
the average person doesn’t have much to fear. is it still less than ideal? of course… but like, if i had to pick a government to spy on me id absolutely pick the one that is the furthest and least accessible.
it’s just the nature of the beast.
“everything you fear about the US government also applies to the Chinese government.”
Exactly. China is just much, MUCH further along the tyrannical, total surveillance police state path. In China, you can be disappeared, even if you’re a billionaire. In the US, you can sue the city for millions if the police misbehave. To suggest any equivalency between the two is just evidence of ignorance and why China has been so successful in proving the truth of the old commie adage being the basic message from a much longer Vladimir Lenin quote, “Capitalists will sell you the rope you hang them with.”
Except, in our case it’s “will finance your rope factories, provide or allow the theft of rope manufacturing IP without consequences, and then BUY the rope you hang them with.”
The Chinese only care about what the Chinese citizens say (or former citizens that can influence Chinese society).
The US is the world’s bully and think they own the world and can do anything to anybody, and are supported in that by most western countries.
So yeah non US citizens are infinitely safer from the Chinese authorities than they are from US ones.
The problem though is that the Chinese, many not caring too much and liking to make money, are more likely to put commercial spyware in things, that sells data to US companies (and government entities as we know and they admit).
So the risk with Chinese stuff is actually US spyware, and that has been proven both by 3rd party research and from my own personal experience.
“The Chinese only care about what the Chinese citizens say (or former citizens that can influence Chinese society).”
That is not true. China cares what non-chinese say, also they care how you vote and would dearly like to influence that to their benefit. (just a couple of examples)
https://en.wikipedia.org/wiki/Ipidea
Yea but isn’t that the exact same attack vector as if it was a domestic operation? I’m with Rand on this one. I think the average person has less to fear from a nation state hack on the other side of the globe then one from the country they live in.
Stolen identity is bad, theft is bad, but there would be little to no incentive for the scarier things someone could do.
Why would US manufacturers sabotage US customers?
Why would Chinese manufacturers sabotage US customers?
That’s the point. If a domestic operator goes rogue, you can punish them because they’re within your jurisdiction. When it’s a foreign manufacturer, you can’t touch them directly – all you can do is stop buying their stuff or else they will just continue sabotaging your stuff and taking your money – which is exactly what’s happening.
OpenWRT is nowadays a pain in the ass, due to router manufacturers locking down bootloaders and also relying on security-through-obscurity.
Even though almost all the “give Root please” exploits never touches the bootloader in the first place.
Which is another way of saying: You’re better off slamming a quad port Intel NIC into a recently redundant thin-client and plopping OPNsense on it, and then settings-wise lobotomize the traditional routers into being nothing more than access points with built-in ethernet switch.
Write up a guide
My first thought too. Most likely we’ll have both now.
There’s nothing stopping you from moving to China. In fact, we’d prefer it.
Apologies, that was meant to be to Lightislight.
Don’t worry I will probably get put on a plane to an El salvadorian prison despite or ushered to a concentration camp soon. Migrating to another country means you have to pay taxes in both countries yada yada. I can’t afford it.
You don’t have to pay US taxes while living abroad unless you’re earning over 100k USD. If the place you live suffers from a bad exchange rate but low cost of living, you’ll never have to worry about it. Or move and immediately retire. Then you’d likely only ever pay sales tax and such.
fck that. If I am living abroad and making my money abroad, the US can suck it. Just one more example of how the United States Federal Government has grown well past it’s original intent and why it needs to be dismantled and rebuilt to the original specifications.
This.
The FCC’s own “Fact Sheet” FAQ’s seem to note just how worried they are about these dangerous foreign monstrosities. (\s)
“Does this affect government purchases or use of routers?”
“No, the Covered List does not restrict the import or sale of routers for the exclusive use by the federal government.”
There is a reasonable probability that this is another cash grab (“pay a consulting fee and rent a border warehouse to do final assembly, and we’ll make sure you can call it US made”) for one or another political crony.
My first thought as well.
But I suspect that most routers are provided by comcast or att these days. If that is true, then who gets to make buck? Looks like a non market.
What if you can only rent approved/ USA made routers from your ISP?
I speculate that there will be an exception for Israeli-made routers.
Thank goodness enterprise routers are exempt. Shame they’ll have to update the labelling though
Is that true? Reading the regulation, it is extremely unclear whether this only applies to home equipment. (If so, I would gladly switch to using enterprise hardware at home.)
All I can find is “For purposes of inclusion of routers, we incorporate the definitions included in the associated National Security Determination.” https://www.fcc.gov/supplychain/coveredlist
And the linked National Security Determination does not define a router as a consumer or enterprise product.
https://www.fcc.gov/sites/default/files/NSD-Routers0326.pdf
At the bottom of that NSD it says
“Routers: For the purpose of this determination, the term “Routers” is defined by National
Institute of Science and Technology’s Internal Report 8425A to include consumer-grade
networking devices that are primarily intended for residential use and can be installed by the
customer. Routers forward data packets, most commonly Internet Protocol (IP) packets, between
networked systems.”
That might cover some of the cheap ‘edge’/’branch office’ stuff that the various big name vendors sell at $250-500 that’s basically just a normal consumer router in a branded metal box with some commonality in terms of management tools; but they appear to be deliberately carving out ‘enterprise’ networking gear; despite how dire that situation has been lately.
So corporations are exempt as usual while us plebs are doubly screwed unless we use a cracked or diy router? Sounds about right!
I’m suspicious of the “to include” wording.
With IT equipment, the flashier the box is, the crappier the product and firmware for the product inside the box. ASUS routers are my favorite example. Crappy HW, Crappy outdated SW, and crappy support.
I went with Mikrotik. A simple brown cardboard box. Excellent FW, SW, and support.
ASUS, flashy box, and that’s about the best thing it has going for it.
So if a US company wanted to make routers, they would have to sell them for $400 or more. Marketing departments will determine that there would be minimal demand for such routers, so every potential manufacturer will decline to build them. So they won’t be available at any price. Therefore, no new routers in the US.
In the meantime, last weeks botnet was based on compromised TVs. What self respecting government supply chain spook needs home routers….
FYI those TVs were running UNHACKABLE linux kernel 😛 that’s full of holes and even worse mess than Windows NT core.
Sure, it’s swiss cheese. But the same swiss cheese serves like 99% of Internet traffic, so…
Now that’s a strawman for sure. Who ever said Linux isn’t hackable? It typically doesn’t suffer from viruses, but hacking? I think the main target for hacking is probably linux. Get your blackhats straight.
Unlikely that a they hacked the kernel to get in. Probably something on application level used a fixed password or didn’t validate inputs data correctly.
Y’mean shitty compilation options and hilariously out-of-date kernel, due to the SoC most likely being something like Allwinner’s “finest”?
That ain’t a kernel issue, that’s a manufacturer issue, due to the SoC landscape being full of “tainted” kernels that nobody but the manufacturer can legally update, due to the source-code for the special bits that makes the SoC work in the first place are proprietary.
That issue, apart from locked down bootloaders, are also the reason OpenWRT ain’t compatible with most modern (relatively speaking) routers.
TVs should not be networked. I managed to buy a ‘non-smart’ TV and have been happily running it off a Lenovo Tiny for ~8 years.
I can’t remember a time.when the FBI didn’t have vpn hijacking of Cisco routers.
Interesting that a “USA” company that sources overseas is considered secure.
I guess the same could be said of Dell and HP wid3ly used by the goverment at every level.
US government alphabet soup agencies still hire overseas contractors on regular basis.
That’s all one needs to know how the security holes the size of the Moon are opened. Oh, and hiring all kinds of buddies as “managers” managing those overseas contractors hired for $10/hr while charging US taxpayers $100/hr. Ask me how how I know (hint: I’ve been fixing those high schoolers’ code for the last 20+ years, and now it is AI-generated high schoolers’ code that has gotten noticeably worse).
i ordered a wifi access point that wasn’t even the band / standard it was advertised as, wonder if its fcc sticker was genuine? hopefully this regulation is a nothingburger in my life.
“Linux, there’s also always the option of turning any old PC into a router by putting a bunch of NICs and WNICs into it and run SmoothWall, OpenWRT, etc.. A router is after all just a specialized computer, regardless of what the government feels that it identifies as.”
Sounds like a plan. Doesn’t sound that bad really. A small computer with a couple 2.5G hardwire ports and a wifi interface … and software which sounds like is readily available. That said…. I just bought a NetGear NightHawk RS300 for a new ISP fiber connection that was installed. Works fine. The older NetGear router was in operation for 13 years (and was still working good). I’ve ordered a couple 2.5Gb switches to round out the external network upgrade.
With all the unbelievable jigabucks made in profits, sure as hell there is no shortage of capital to invest into 100% US-made routers using 100% US-procured materials with 100% US citizens paid living wages.
Or not, and we’ll just resort back to importing things through Canada until November elections and final cancellation of all the tariffs. (though, in the hindsight, there is no guarantee new politicians won’t just continue pursuing the same jigabucks in profits).
Yeah… with the billions spent on the AI garbage…. There is evidently plenty of capital money out there for a ‘simple’ router project!
Let me know how those rare earth materials are working out for you.
With CEOs paid millions in stock options those are the ones paid to think for us, not us thinking for them for free AND splitting hairs over matters out of our control.
I recall there are technologies R&D-ed into (perovskite) for the sole reason so as to wean off the rather few cobalt/lithium/etc miners/refiners. That it hasn’t materialized yet is not the sign that it is not possible, it is the sign that people who should be R&D into that are stuck working menial wages doing unimportant things, like redesigning the GM truck door handle shape to please the CEO’s wife’s wants. That about describes our (US) horrendous disuse of the potential we have. What would I do? Hire all the homeless in Detroit, train them to work as technicians and then pry open Kettering University to allow underclassed US citizens to study for free, just how most developed countries (like Finland or Norway or Sweden) are doing. Fire 3/4 of the GM managers and replace with those graduates. Easy. One generation would get rid of all kinds of parasites riding the system for free.
That’s exactly what soviets did in 1917. Resut is at least 60M of their own citizens dead and stagnant economy based on corruption where in 2026 they’re still making T-62 tanks to fight against much weaker Ukraine.
UNsure why USSR was brought up, as hiring homeless and training them to do work is not that complicated, and it has to do with common sense, ie, thinning the outcast class lest it grows past critical mass and becomes power on its own.
Let’s put it this way, you can tell how advanced/developed the country is by the way it treats its lower classes. Simple. If it treats them as trash, then sooner or later they’ll flip the fortunes around. I doesn’t take Marx to understand that kind of dynamics.
GD you are a stupid commie gee.
You hire and ‘train’ some bums.
The effort will teach you something.
I am crowdsourcing an answer: the local Tibetan Center thrift store (supporting the nation of Tibet as it tries to get out from under Chinese domination) has the best thrift store loot in the Hudson Valley. They frequently have routers there, most of which can be reflashed with OpenWRT, and the price is usually like $2 each. Should I be buying these now? Will they be scarce?
I expect there will be a plateau. As the law is enacted, people will panic and start buying whatever they can get. This is when you want to sell. Then when there is nothing left, they’ll repeal the law/regulation, and then those routers will be back to $2.
Most users will just use the router supplied (or loaned at a monthly cost) from their ISP. I wouldn’t speculate on the value of underpowered net hardware unless you personally have a project in mind for them.
If you want something to sell for a profit, think about getting any of the wireless hotspots that are supported by the RayHunter project and sell them pre-flashed to journalists and concerned citizens to help detect warrant-less stingray spying on protests in the US and abroad. https://efforg.github.io/rayhunter/supported-devices.html
Yep, and the poor little trashcan shaped object with its pathetic fan burning 4x the power of my old TP-Link while delivering less in the way of coverage, signal quality and number of ports is a legitimate abomination.
The ISP modem is terrible. Hopefully somewhat functional, and you can reset the thing weekly/nightly to deal with memory leaks and other programming bugs
My ISP here in Australia supplied a TP-Link router and it has never given me any problems.
I have never heard of a Cisco router that can’t be exploited, especially remote vpn connections. The FBI has used this for many years, and Cisco won’t fix the isaue(s).
Conumer grade devices an issue? How about all the Dell and HP syatems used by every level of goverment? Even firmware in drives is suspect. The whole scenario is like putting a bandaid on a gunshot wound.
Tesla router..
So it bursts into flames?
Or microsoft router. Stops every 5 minutes to charge your credit card for the hardware-as-service.
there’s no evidence…
this is just after a quick google search. but I remeber that china refuses to buy cisco routers because they claim the us has backdoors in them.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-270a
I don’t understand why the average HaD author nor reader can understand the LIABILITY aspect of this. Instead trying to pretend like its about backdoors (it may be, I’m not denying that – but the NSA cannot do anything in criminal or civil proceedings, just counter terrorism operations, unless a FISA judge steps in and grants requests). Or act like the FCC is pretending USA programmers don’t write bugs. Its about what can the government/companies/individuals damaged by said bugs DO ABOUT THEM.
Disengage politics, engage logic. They are usually mutually exclusive. We used to understand this. What happened?
Criminality has to be proven. And in the not distant past criminality was shown and it still happened zero consequences. It’s not about politics. It’s about understanding the threat topology. It wasn’t long ago they infected people with stds, drugs, or even radioactive materials as test subjects. Imagine what they are doing now…
“for those of you saying ‘But the government woudln’t do that!’, Oh yes they would. And worse”
Criminality has to be proven for jail time/fines. Liability needs to be proven for damages (lower threshold). Just the threat will eliminate the gross negligence we see from chinese vendors.
Again, disengage politics, reengage logic, think the whole thing through.
I’m not saying its perfect. Far from it, but its closer to good than 0 accountability chinese products with what anyone with a functioning brain would call gross negligence.
Also, while i may hate this idea, as it gets abused too much, have you ever heard, the process is the punishment? Just a criminal case with any merit, even if found not guilty, may ruin a company with negligent practices.
So again, disengage politics, use reason. You can hate the current administration, and most of their decisions, but understand the merits, or attempted merits (they are trying to do the right thing in this case – and its probably a career civil servent that came up with the idea, not the current administration) when they do come up.
First thought… There is someone in the US building consumer routers?
Second thought… Given the current regime I don’t trust the US any more than China anyway.
Third thought… I’m glad I am running OPNSense on an old Dell my workplace gave away rather than pay to recycle.
Fourth thought… That Dell has Intel’s IME so it’s probably already hardware back-doored.
If anyone is on the fence… I would definitely recommend OPNSense or a similar solution to anyone who wants to do more than just consume content via their wifi devices.
I spent so much time in the past trying to get various open source routing OSs running on that consumer hardware. I only ever once managed to get what I considered to be the holy grail going that way… a functioning VPN server. And then the router bricked itself about a day later! Probably wore out the nand or something.
It’s still a PITA with OPNSense but once it works… it just works!
“First thought… There is someone in the US building consumer routers?”
Apple springs to mind. They did build them in the past. But not sure if they still do.
Of course there is the question if Apple routers could be considered “US-made”. Surely they are “Designed in the US”, but not “Made in the US”.
The thing that makes you a partisan fool, is that you trusted the previous regime, likely still do.
“barring explicit conditional approval on said list that would exempt them during a ‘transition phase’.”
Calling it now. This list will just become a regulatory approval step for the sale of routers in the US. Everything else will stay the same. Just with a $25 per unit ‘Supply Chain Approval Fee™’ tacked on for consumers.
“Speaking as someone who used to run DIY routers for the longest time built around FreeSCO and Smoothwall Linux, there’s also always the option of turning any old PC into a router by putting a bunch of NICs and WNICs into it and run SmoothWall, OpenWRT, etc.. A router is after all just a specialized computer, regardless of what the government feels that it identifies as.”
If you do that, and it gets hacked, could you be held liable?
I used to watch Nortel and HuaWei engineers mingle… The production lines were right next to each other. We saw what happened to Nortel.
HuaWei is part owned by govt. With military links.
Doh! I wonder if they ……