The FCC maintains a list of equipment and services (Covered List)
that have been determined to “pose an unacceptable risk to the
national security
Recently, malicious state and non-state sponsored cyber attackers
have increasingly leveraged the vulnerabilities in small and home
office routers produced abroad to carry out direct attacks against
American civilians in their homes.
Vulnerabilities have nothing to do with country of manufacture. They have always been due to manufacturers' crap security practices. Security experts have been trying to call attention to this problem for 2 decades.
Manufacturers have never had to care about security because no Gov agency would ever mandate secure firmware. This includes the FCC which license their devices and the FTC who (until recently) had the direct mandate to protect consumers.
Our most recent step backward was to gut those agencies of any ability to provide consumer oversight. All they they can do now is craft protectionist policies that favor campaign donors.
The US has a bazillion devices with crap security because we set ourselves up for this.
> Manufacturers have never had to care about security because no Gov agency would ever mandate secure firmware.
The problem is that "secure firmware" is a relativistic statement. You ship something with no known bugs and then someone finds one.
What you need is not a government mandate for infallibility, it's updates. But then vendors want to stop issuing them after 3 years, meanwhile many consumers will keep using the device for 15. And "require longer support" doesn't fix it because many of the vendors will go out of business.
What you need is the ability for consumers to replace the firmware.
That solves the problem in three ways. First, when the company goes out of business you can still put a supported third party firmware on the device. Second, you can do that immediately, because the open source firmwares have a better security record than the OEMs to begin with. And third, then the device is running a widely used open source firmware instead of a custom device-specific proprietary black box, which makes it easier for the government or anyone else who is so inclined to find vulnerabilities and patch them.
The concept of community firmware seems like a huge cop-out that allows companies to externalize costs. And it probably won't help security because 99% of devices will never get the third-party firmware installed anyway.
If they were trying to save costs they would ship the community firmware on the device to begin with because then they wouldn't have to write and maintain their own. The community welcomes them to externalize those costs onto the people with better incentives to improve the software.
What they're actually trying to do is obsolete the devices faster because then they won't add new protocols or other software-only features to older devices so you have to buy a new one, or only expose features in more expensive models that the less expensive hardware would also be capable of doing. Which is all the more reason for us to not have that.
And if they were required to allow anyone to replace the firmware then you would get companies reflashing and selling them that way from the store because the free firmware has more advertisable features. There's a reason you can go to major PC OEMs and pick between Windows, Linux and "don't even install one" and the reason is that if you give customers a choice, they generally don't want their software to be made by the OEM.
It could be part of dissolution of the company to mandate community firmware. But it depends on their licenses…
Anyhow, this is a common enough practice. Many companies that provide infrastructure type software and sell to Fortune 500 companies often have a clause whereby they deliver their software to their customers if the shut down.
We don't care about their licenses; that's their problem. If they need firmware with a license that allows them to redistribute it there are plenty of free ones to choose from.
And you can't wait until after they're dead to have them do something. By then they're gone or judgment proof because they're already bankrupt. Especially when you're talking about companies that aren't in the jurisdiction because you can't even make them do anything when they're already not shipping products to you anymore. It has to be from Day 1.
Somebody has to pay for the support. There is no free meal.
Enterprise must be able to pay for support for as long as they use devices. Solved.
I can only think of requiring the devices to be serviceable, as you say. The absolute only way I can think of charging the consumers, ie the owners, is to charge a tax on internet connections. Then the government would pay somehow vulnerability hunters working along patchers, who can oversee each other.
Consumers are tricky: if you include support in the sale price, the company will grab the money and run in 3 or 5 years; and some companies will sell cheaper because they know they won't provide support.
> Somebody has to pay for the support. There is no free meal.
The problem is not that people need a free meal. The problem is that people need the ability to eat some other food when the OEM's restaurant is closed or unsatisfactory.
"You ship something with no known bugs and then someone finds one."
You managed to say that with a straight face!
Let's keep this ... non partisan. You might recall that many vendors have decided to embed static creds in firmware and only bother patch them out when caught out.
How on earth is embedded creds in any way: "no known bugs"?
I think we are on the same side (absolutely) but please don't allow the buggers any credibility!
> How on earth is embedded creds in any way: "no known bugs"?
You misunderstand how organizational knowledge works. You see, it doesn't.
Some embeds the credentials, someone else ships the product. The first person doesn't even necessarily still work there at that point.
Remember that time NASA sent a Mars orbiter to Mars and then immediately crashed it because some of them were using pounds and the others newtons? Literally rocket scientists.
The best we know how to do here is to keep the incentives aligned so the people who suffer the consequences of something can do something about it. And in this case the people who suffer the consequences are the consumers, not the company that may have already ceased to exist, so we need to give the consumers a good way to fix it.
> What you need is the ability for consumers to replace the firmware.
> That solves the problem in three ways.
That alleviates the problem, but definitely doesn't solve it. Updates are still required, and most people will never update devices they don't directly interact with.
Which introduces new security risks, but more importantly, the consumer has to configure the device to use open source firmware, and set up auto updates, unless the device is being auto updated by the device manufacturer and forces all of their customers to switch to the new firmware, which seems very unlikely.
Plenty of consumer-grade devices have had very lax security settings or backdoors baked in for purposes of “troubleshooting” and recovery assistance. It’s never been limited to foreign-made devices.
Security has never been part of the review process. The only time any agency has really cared is when encryption is involved, and that’s just been the FBI wanting it to be neutered so they can have their own backdoors.
> This includes the FCC which license their devices
The FCC licenses devices to the extent that devices can cause spurious transmissions in the radio spectrum. It’s not a general consumer protection agency. Computer security also is outside the mandate of the FTC, which exists to protect consumers from anticompetitive conduct and unfair business practices, not crappy products.
> Vulnerabilities have nothing to do with country of manufacture. They have always been due to manufacturers' crap security practices.
Sorry but this is merely a convenient excuse. Source: I have hard evidence of a Chinese IoT device where crap security practices were later leveraged by the same company to inject exploit code. It's called plausible deniability and it's foolish to tell me it's a coincidence.
You're not going to convince me that a foreign state actor pressuring a company to include a backdoor wouldn't disguise it as a "whoopsie, our crap code lol" as opposed to adding in the open with a disclaimer on it.
It's all closed source firmware. Even the GPL packages from most consumer router vendors are loaded with binary blobs. Tell me I should trust it.
If US manufacturers (or manufacturers in allied countries) do this, legal avenues exist to hold those manufacturers accountable. Not so with China.
(That is not to say that the FCC change will move the needle on the underlying issue of router security; as some of the ancestor comments have said, lax security practices are common industry-wide, irrespective of country of development/manufacture.)
And who hasn't seen American software companies where crap security practices are later leveraged by the same company to run exploits? It's of course always phrased in Orwellian terms of business practices, terms of service, "security", etc but we can still call a spade a spade.
This part of the press release seems pretty crucial:
> Producers of consumer-grade routers that receive Conditional Approval from DoW or DHS can continue to receive FCC equipment authorizations.
In other words, foreign-made consumer routers are banned by default. But if you are a manufacturer, you can apply to get unbanned ("Conditional Approval").
If you (a manufacturer) apply, they want information regarding corporate location, jursidiction, and ownership. They want a bill of materials with country of origin and a justification for why any foreign-sourced components can't be domestic. They want information about who provides software and updates. And they want to hear your plan to increase US domestic manufacturing and progress toward that goal.
So, foreign-made consumer routers can still be sold, but they are going to look at them with a fine-tooth comb, and they are going to use FCC approval as leverage to try to increase domestic manufacturing.
> foreign-made consumer routers can still be sold, but they are going to look at them with a fine-tooth comb, and they are going to use FCC approval as leverage to try to increase domestic manufacturing
That is not what's going to happen. What's going to happen is that anyone coughing up payola to the current executive in chief's people will get approved, and anyone that doesn't will remain blocked. This practice is currently widespread, in the form of tariffs.
We're going to keep seeing this in all kinds of industries throughout the next three or so years: "Your products are banned or your country is tariffed, but if you pay enough in bribes, er I mean undergo our approval process, then you'll be exempt."
> If you (a manufacturer) apply, they want information regarding corporate location, jursidiction, and ownership. They want a bill of materials with country of origin and a justification for why any foreign-sourced components can't be domestic. They want information about who provides software and updates. And they want to hear your plan to increase US domestic manufacturing and progress toward that goal.
Wow NGL this sounds great if you ignore the reality that it'll be used as a partisan backdoor to enriching the administration.
> So, foreign-made consumer routers can still be sold, but they are going to look at them with a fine-tooth comb, and they are going to use FCC approval as leverage to try to increase domestic manufacturing.
You're assuming a non-partisan technocratic process, which this administration has amply shown is neither capable nor willing to provide. This requirement becomes another opportunity for Pay-to-Play, either in cash or quid pro quo, to the government directly (see, e.g., NVidia and AMD export allowances) or to Trump's inner circle (see, e.g., crypto venture regulation, merger approvals).
This is the problem with erosion of norms. We’ve all known for decades that consumer routers have shit security. We’ve all known about the risk of implants or intentional backdoors in the supply chain. And now when the FCC appears to be finally doing something about it, there’s a massive cloud of mistrust hanging over the whole idea.
The mistrust comes from those doing it, and the clearly corrupt ways they are operating. The maggot movement is basically rooted in a lot of very real frustrations from very real longstanding problems, but the only thing it offers as solutions is performative vice signalling.
People who care about the problems of digital security are not going to lean into the idea of simply banning devices based on where they were manufactured. Rather they would work at general standards and solutions to actually solve the problems - things like untying the markets for hardware/firmware/services, requiring firmware source escrow, mandating LAN protocols and controllers so every single IoT device isn't backhauling to its own mothership, and so on.
Likewise people who care about domestic manufacturing first and foremost are not going to champion applying steep blanket tariffs two decades after all of that industry has already left, or using regulatory agencies to shake down manufacturers for unrelated concessions.
Any router made by a company that "donates" (bribes) to Trump's "ballroom" or other vanity projects will get approved. Irrespective of anything else. This is just another grift.
Considering this is after Loper Bright Enterprises v. Raimondo (2024), it will be interesting to see if this holds up to judicial scrutiny.
The FCC's power just got substantially nerfed, and "we've decided to slow lane all foreign-made routers" feels like that may have been beaten on the old, higher, standard. Let alone the new one that gives the FCC almost no power.
Open to audits doesn't mean free software, it just means visible source. The business model for selling routers with auditable firmware is selling routers.
I'm no fan of imaginary property, but you're going to have to lay out your reasoning here. Firmware security is such crap precisely because most hardware manufacturers see it as nothing but a cost center they wish they could avoid.
The difficulty of installing OpenWRT or Linux in general on hardware comes from that hardware not being documented, or having straightforward APIs like BIOS/EFI.
Or for some devices, community distributions that dubiously remix manufacturer-supplied binaries are available. But we generally see that as soon as the manufacturer stops their updates, the community versions start lagging behind as well.
You will first probably need Congress to legislate away the long standing prohibitions against offering (easily) user-modifiable RF devices on the market.
Self ownership and full 'right to repair' has carve-outs in the FCC's regulations in the name of limiting unintentional broadcasting/radiation. Maybe a challenge to those would survive in the post-Chevron environment. I wouldn't expect any Congress in the last 25 years to pass a law which would go against the incumbent telecom lobbyist interests though, and I'd expect such a hole if it did hit case law, to get 'patched' fairly quickly.
About the only way to really solve that would be to embarrass vendors enough to open their moats.
I dunno, I'm pretty big on FOSS but I don't think you would need that to improve. Requiring that the firmware have its source code available to audit doesn't mean that users can replace it. AFAIK you could, today, with no legal changes, have a vendor release 100% of the code under eg. a MIT license while also making the device refuse to run firmware not signed with their keys. Researchers could poke at it to find bugs, and FCC regulations wouldn't be touched. (Note: IANAL, so feel free to point out if I'm wrong about that)
(To be clear, I don't think that's good enough; at a minimum I think there should be a wifi card that does refuse modifications and a main application processor that is 100% user controlled so that they can actually fix problems without needing the vendor to help, but I think it's useful to point out that auditing code doesn't require being able to install it)
problem is: how do you prove the firmware in the flash chip matches source? And I do not mean me, with a disassembler and a pi pico to read out the flash chip. I mean the 70-yaer-old corner shop owner that buys this router to provide free WiFi for customers?
Yes. But a lot of people still got cars that were not as represented. So if we follow the same pattern, somebody will go to jail, but most routers will not be running verified or safe code.
A trusted website that compiles it from source and a way for you to go to a webpage and flash from there automatically. The FPV community does that all the time with a set of websites for their ESC, flight controllers, radio, all open source. You can add signatures etc but just a trusted website goes a long way vs a random blob preinstalled
That proves that the one they checked, had the correct firmware. It does not prove that the one from the next batch that you bought did. We are all technical people here we and understand that there isn’t really an easy way to do this that a random non-technical person could actually understand and use.
Isn't the person you're replying to suggesting people can update the firmware to the trusted version via a website? So it doesn't matter if you get one from 'the next batch' - provided you're on top of updating the firmware.
If only somebody could make a firmware that claims to have accepted the update, but then proceeds to not actually update itself. Read out the version string from the update and save it. Show that when asked what your version is.
There's no solution to that other than having knowledge and researching the code/device yourself. You can pick apart modern Linux/busybox based IoTs fairly quickly, so effort needed is not really a huge issue.
Maybe trusted community of people could do it for everyone, but there's currently all kinds of potential legal trouble brewing in that approach. Complete and public reverse engineering of every aspect of any device would have to be made completely legal, so that people could freely publish all artifacts extracted from a device and produced during reverse engineering and collaborate on them without any fear of repercussions. Also HW manufacturers would have to be prohibited from NDAing documentation for SoCs, etc.
Side benefit would be that this would also serve as a documentation for freeing the device and developing alternative firmwares with modernized sw/reduced attack surface.
We are in violent agreement. And precisely because there is no simple solution to it, half-measures like what is proposed here do absolutely no good, and often times do harm.
> As outlined below, today’s action does not impact a consumer’s continued use of routers they previously acquired. Nor does it prevent retailers from continuing to sell, import, or market router models approved previously through the FCC’s equipment authorization process. By operation of the FCC’s Covered List rules, the restrictions imposed today apply to new device models.
I’m sure plenty of US factories are capable of importing boxes that look like routers but are actually just switches (because the router firmware is missing) and re-flashing them here…
What exactly does "produced" mean in this context? That the final assembly was done here, software was written here, PCB was assembled here, SoCs and ICs wwre manufactured here, or something else? Regardless, while consumer routers are 9 of 10 times insecure garbage, it's hard to think of any that aren't manufactured outside the US.
I would be more impressed if they would ban all enterprise routers manufactured in China. I have had to continuously patch and meticulously mitigate severe vulnerabilities and bugs in Cisco, Dell, HPE, Extreme, Arista routers, switches, fabrics, and others. These are all manufactured in China, Taiwan, Hong Kong, Vietnam, Malaysia, Thailand, and probably elsewhere in the Greater China region... Actually I take it all back. I wish they would just ban companies from shipping bad code and sanction them for causing millions of hours of required labor to ensure their manufacturing defects do not harm businesses and their customers. Thank you for your attention to my chatter.
Prediction: there will appear new "Made in the USA" routers that differ from some Chinese model only by the label. Already the case in Russia for e.g. powerbanks.
It's hard to tell considering there is absolutely no company/ownership information on the site, but a .si (Slovenia) domain coupled with EUR being an accepted currency has me thinking they're Europe-based, and therefore foreign-made.
... at the same time, I don't think I'd send $100 to a site with no contact/ownership/company info to begin with.
Because of this, I'm going to plan my next network upgrade based on open source hardware like Banana Pi. My setup is based on WiFi 7 so this might not apply for a few years. From my understanding, the hardware from proprietary manufacturers is sufficiently advanced to do some advanced surveillance and spyware, whereas previous generations didn't require advanced processing to achieve fiber optic speeds. Back to the original statement, it's clear that the threat of surveillance exists.
Personally, I don't make the distinction between foreign and domestically produced routers in America. In fact, I trust foreign produced routers more because the likelihood that they can act upon their surveillance is significantly lower than the current American regime's oppressive and malicious tactics. Therefore, open source routers provides enough transparency to effectively eliminate spyware threats from all angles while being compliant.
I'm especially excited about the Banana Pi because of the transparency and potential of modular upgrades. Whenever there's a network issue, I have to consider whether the manufacturer (American or not) is doing something nefarious. With a Pi based router, I have much more peace of mind with network debugging issues.
IMHO an underrated comment. The CCP isn't going to break down my door in the middle of the night, but I'm sure I'm on lists at the FBI and ATF just for my political org memberships alone. I think a foreign actor is more likely to use compromised hardware to create service interruptions and general chaos in the event they are attacked by our government, not come put me in a gulag.
The only thing I'm missing right now that would be a nice to have is a wifi card so I can ditch my access point. My hardware isn't open source by any means, but my reliance on non-free networking code is minimal.
Does the router ban really only pertain to consumer-grade networking devices?
> For the purpose of this determination, the term “Routers” is defined by National Institute of Science and Technology’s Internal Report 8425A to include consumer-grade networking devices that are primarily intended for residential use and can be installed by the customer. Routers forward data packets, most commonly Internet Protocol (IP) packets, between networked systems. ¹
> A “consumer-grade router” is a router intended for residential use and can be installed by the customer. Routers forward data packets, most commonly Internet Protocol (IP) packets, between networked systems. Throughout this document, the term “router” is used as a shorthand for “consumer-grade router.” ²
There doesn't seem to be a general ban for foreign-made professional routers, just for some Chinese manufacturers, right³?
Oh, and what does "produced by foreign countries" even mean? I couldn't find any definition. Is this meant to be the country of final assembly? Would importing a Chinese router and the flashing the firmware in the USA be sufficient to be exempt? Where is the line drawn usually?
If multiple network interfaces defines a router, then every cell phone is one, because every cell phone has a cellular and Wifi interface, and is a router in hotspot mode. Three interfaces if you count USB which can also be a network interface (hotspot works over USB in both Windows and Linux) and four if Bluetooth PAN is still a thing.
Device that connects multiple networks? Layer 3 of the OSI model? Consumer ones tend to have more than that, but the more specific definition would work fine.
Yeah conceivably you could use this to ban any network device that is capable of routing between interfaces, so lots of switches with new firmware could do it, often terribly, as well as PCs with multiple interfaces. But its probably going to involve intention.
If you actually read the notice, it exempts models that have been approved. So this just seems to require approvals by DOH or DHS ,": Routers^ produced in a foreign country, except routers which have been granted a Conditional Approval by DoW or DHS." I take this to mean it is just adding security approvals for this type of thing to DOw and DHS. It is not a ban of all future models. It's just saying explicitly that instead of having to review models already in the market and determine that they should be removed because of nation state or other security concerns they are reviewing them before they go to market. Would be nice if people actually read it instead of hyperventilating.
It's fine to have a reaction. It just rhat a lot of the comments totally ignored this this caveat. So basically, as I read it by default, they're banned unless approved, which is pretty much what all regulation does anyway, isn't it.
Especially since the announcement provides no information about how the DoD or DHS will be evaluating what to approve, and it's unlikely that they have the resources to do any meaningful security evaluation on that many products.
The DOH and DOW have a lot of resources. And I would guess the DOW has a lot of intelligence resources and most likely the DOH also I mean it is their job to keep the homeland safe. But I would agree. It probably will involve a lot of marshaling of those resources and reorganization. But who's to say they haven't done that already. My general point is that the conversation in this thread completely ignores that this is an imposition of a different regulatory scheme, not a banning. And actually it's in favor of enforcing more security on routers which everybody has been screaming for for years.
Please avoid low-substance, self-promotional comments like this on HN. It's OK to mention your own product/service occasionally, but only if it's in context and as a part of a comment that makes a substantive, insightful contribution to the discussion.
Also, we recommend using a username that seems human, rather than being based on a company/brand name, otherwise it seems like you are here primarily for promotional purposes rather than curious conversation. You can email us to change the username if you'd like – hn@ycombinator.com.
Thanks Tom. This whole comment thread is a bit of a dumpster fire of opinions however we have been working on the wifi security problem for a long time and we have a lot to say about it. Router manufacturers competing into involution that ship RCE (much of which is triggerable from a web page) have created a substantial risk to consumers, in this case with a lens on the US market. We tackle hardware & software and prioritized network isolation as the first thing to resolve. We have tons on our blog and page about network security and have open source software.
> however we have been working on the wifi security problem for a long time and we have a lot to say about it
Great, please share it with us! If what you've said is true, the kind of comment you're uniquely qualified to share is the very thing the thread most needs.
What the fuck?! I did not sign up to live in some third world shithole where I can't get first-world networking equipment. I do not want some piece of shit closed-source proprietary netgear ameritrash. FUCK! Give me back my god damn chinese routers!
Chinese citizens have more computing freedom than American citizens at this point. What the fuck happened to the land of the free?
I doubt anything will be pulled from the market. This is instead notice to the companies that now is the time for a donation to the administration’s ballroom.
Right now, the way this is currently worded, every single foreign-made consumer router has already been pulled from the market, and has to request permission to be reintroduced. The only consumer routers not currently affected are those that are either already purchased (some good, but won't last forever) or are American-made (overpriced, underpowered dogshit)
From the news release "What does this mean?" section: "This update to the Covered List does not prohibit the import, sale, or use of any existing device models the FCC previously authorized."
So no, this does not pull all existing routers off the market. Anything that already got FCC approval remains approved and new stock may be imported and sold.
Manufacturers have never had to care about security because no Gov agency would ever mandate secure firmware. This includes the FCC which license their devices and the FTC who (until recently) had the direct mandate to protect consumers.
Our most recent step backward was to gut those agencies of any ability to provide consumer oversight. All they they can do now is craft protectionist policies that favor campaign donors.
The US has a bazillion devices with crap security because we set ourselves up for this.
The problem is that "secure firmware" is a relativistic statement. You ship something with no known bugs and then someone finds one.
What you need is not a government mandate for infallibility, it's updates. But then vendors want to stop issuing them after 3 years, meanwhile many consumers will keep using the device for 15. And "require longer support" doesn't fix it because many of the vendors will go out of business.
What you need is the ability for consumers to replace the firmware.
That solves the problem in three ways. First, when the company goes out of business you can still put a supported third party firmware on the device. Second, you can do that immediately, because the open source firmwares have a better security record than the OEMs to begin with. And third, then the device is running a widely used open source firmware instead of a custom device-specific proprietary black box, which makes it easier for the government or anyone else who is so inclined to find vulnerabilities and patch them.
What they're actually trying to do is obsolete the devices faster because then they won't add new protocols or other software-only features to older devices so you have to buy a new one, or only expose features in more expensive models that the less expensive hardware would also be capable of doing. Which is all the more reason for us to not have that.
And if they were required to allow anyone to replace the firmware then you would get companies reflashing and selling them that way from the store because the free firmware has more advertisable features. There's a reason you can go to major PC OEMs and pick between Windows, Linux and "don't even install one" and the reason is that if you give customers a choice, they generally don't want their software to be made by the OEM.
Anyhow, this is a common enough practice. Many companies that provide infrastructure type software and sell to Fortune 500 companies often have a clause whereby they deliver their software to their customers if the shut down.
And you can't wait until after they're dead to have them do something. By then they're gone or judgment proof because they're already bankrupt. Especially when you're talking about companies that aren't in the jurisdiction because you can't even make them do anything when they're already not shipping products to you anymore. It has to be from Day 1.
Enterprise must be able to pay for support for as long as they use devices. Solved.
I can only think of requiring the devices to be serviceable, as you say. The absolute only way I can think of charging the consumers, ie the owners, is to charge a tax on internet connections. Then the government would pay somehow vulnerability hunters working along patchers, who can oversee each other.
Consumers are tricky: if you include support in the sale price, the company will grab the money and run in 3 or 5 years; and some companies will sell cheaper because they know they won't provide support.
The problem is not that people need a free meal. The problem is that people need the ability to eat some other food when the OEM's restaurant is closed or unsatisfactory.
You managed to say that with a straight face!
Let's keep this ... non partisan. You might recall that many vendors have decided to embed static creds in firmware and only bother patch them out when caught out.
How on earth is embedded creds in any way: "no known bugs"?
I think we are on the same side (absolutely) but please don't allow the buggers any credibility!
You misunderstand how organizational knowledge works. You see, it doesn't.
Some embeds the credentials, someone else ships the product. The first person doesn't even necessarily still work there at that point.
Remember that time NASA sent a Mars orbiter to Mars and then immediately crashed it because some of them were using pounds and the others newtons? Literally rocket scientists.
The best we know how to do here is to keep the incentives aligned so the people who suffer the consequences of something can do something about it. And in this case the people who suffer the consequences are the consumers, not the company that may have already ceased to exist, so we need to give the consumers a good way to fix it.
> That solves the problem in three ways.
That alleviates the problem, but definitely doesn't solve it. Updates are still required, and most people will never update devices they don't directly interact with.
Plenty of consumer-grade devices have had very lax security settings or backdoors baked in for purposes of “troubleshooting” and recovery assistance. It’s never been limited to foreign-made devices.
Security has never been part of the review process. The only time any agency has really cared is when encryption is involved, and that’s just been the FBI wanting it to be neutered so they can have their own backdoors.
The FCC licenses devices to the extent that devices can cause spurious transmissions in the radio spectrum. It’s not a general consumer protection agency. Computer security also is outside the mandate of the FTC, which exists to protect consumers from anticompetitive conduct and unfair business practices, not crappy products.
Sorry but this is merely a convenient excuse. Source: I have hard evidence of a Chinese IoT device where crap security practices were later leveraged by the same company to inject exploit code. It's called plausible deniability and it's foolish to tell me it's a coincidence.
You're not going to convince me that a foreign state actor pressuring a company to include a backdoor wouldn't disguise it as a "whoopsie, our crap code lol" as opposed to adding in the open with a disclaimer on it.
It's all closed source firmware. Even the GPL packages from most consumer router vendors are loaded with binary blobs. Tell me I should trust it.
(That is not to say that the FCC change will move the needle on the underlying issue of router security; as some of the ancestor comments have said, lax security practices are common industry-wide, irrespective of country of development/manufacture.)
Oh, sweet summer child. Disclaiming these possible avenues of liability is the main goal of clickwrap "terms of service".
No, I don't have it but you may check with Santa Claus.
https://nvd.nist.gov/vuln/detail/CVE-2023-1389
> Producers of consumer-grade routers that receive Conditional Approval from DoW or DHS can continue to receive FCC equipment authorizations.
In other words, foreign-made consumer routers are banned by default. But if you are a manufacturer, you can apply to get unbanned ("Conditional Approval").
In the FAQ (https://www.fcc.gov/faqs-recent-updates-fcc-covered-list-reg...), they even include guidance on how to apply: https://www.fcc.gov/sites/default/files/Guidance-for-Conditi...
If you (a manufacturer) apply, they want information regarding corporate location, jursidiction, and ownership. They want a bill of materials with country of origin and a justification for why any foreign-sourced components can't be domestic. They want information about who provides software and updates. And they want to hear your plan to increase US domestic manufacturing and progress toward that goal.
So, foreign-made consumer routers can still be sold, but they are going to look at them with a fine-tooth comb, and they are going to use FCC approval as leverage to try to increase domestic manufacturing.
That is not what's going to happen. What's going to happen is that anyone coughing up payola to the current executive in chief's people will get approved, and anyone that doesn't will remain blocked. This practice is currently widespread, in the form of tariffs.
Wow NGL this sounds great if you ignore the reality that it'll be used as a partisan backdoor to enriching the administration.
You're assuming a non-partisan technocratic process, which this administration has amply shown is neither capable nor willing to provide. This requirement becomes another opportunity for Pay-to-Play, either in cash or quid pro quo, to the government directly (see, e.g., NVidia and AMD export allowances) or to Trump's inner circle (see, e.g., crypto venture regulation, merger approvals).
People who care about the problems of digital security are not going to lean into the idea of simply banning devices based on where they were manufactured. Rather they would work at general standards and solutions to actually solve the problems - things like untying the markets for hardware/firmware/services, requiring firmware source escrow, mandating LAN protocols and controllers so every single IoT device isn't backhauling to its own mothership, and so on.
Likewise people who care about domestic manufacturing first and foremost are not going to champion applying steep blanket tariffs two decades after all of that industry has already left, or using regulatory agencies to shake down manufacturers for unrelated concessions.
No, of course I'm not assuming that. That's not the administration's pattern of behavior, so it would be a crazy assumption.
I agree it'll be abused. I just didn't feel it necessary to state the obvious.
The FCC's power just got substantially nerfed, and "we've decided to slow lane all foreign-made routers" feels like that may have been beaten on the old, higher, standard. Let alone the new one that gives the FCC almost no power.
The OpenWRT One [1] sponsored by the Software Conservancy [2] and manufactured by Banana Pi [3] works lovely.
[1] https://openwrt.org/toh/openwrt/one
[2] https://sfconservancy.org/activities/openwrt-one.html
[3] https://docs.banana-pi.org/en/OpenWRT-One/BananaPi_OpenWRT-O...
The difficulty of installing OpenWRT or Linux in general on hardware comes from that hardware not being documented, or having straightforward APIs like BIOS/EFI.
Or for some devices, community distributions that dubiously remix manufacturer-supplied binaries are available. But we generally see that as soon as the manufacturer stops their updates, the community versions start lagging behind as well.
Self ownership and full 'right to repair' has carve-outs in the FCC's regulations in the name of limiting unintentional broadcasting/radiation. Maybe a challenge to those would survive in the post-Chevron environment. I wouldn't expect any Congress in the last 25 years to pass a law which would go against the incumbent telecom lobbyist interests though, and I'd expect such a hole if it did hit case law, to get 'patched' fairly quickly.
About the only way to really solve that would be to embarrass vendors enough to open their moats.
(To be clear, I don't think that's good enough; at a minimum I think there should be a wifi card that does refuse modifications and a main application processor that is 100% user controlled so that they can actually fix problems without needing the vendor to help, but I think it's useful to point out that auditing code doesn't require being able to install it)
Trusted, qualified independent experts: Ala Underwriters Laboratories.
https://en.wikipedia.org/wiki/Volkswagen_emissions_scandal
Some trust has to be created through testing standards and the law, but generally we do believe what the label says in day to day life.
Maybe trusted community of people could do it for everyone, but there's currently all kinds of potential legal trouble brewing in that approach. Complete and public reverse engineering of every aspect of any device would have to be made completely legal, so that people could freely publish all artifacts extracted from a device and produced during reverse engineering and collaborate on them without any fear of repercussions. Also HW manufacturers would have to be prohibited from NDAing documentation for SoCs, etc.
Side benefit would be that this would also serve as a documentation for freeing the device and developing alternative firmwares with modernized sw/reduced attack surface.
Are there even consumer-grade routers that are produced in the USA...?
> As outlined below, today’s action does not impact a consumer’s continued use of routers they previously acquired. Nor does it prevent retailers from continuing to sell, import, or market router models approved previously through the FCC’s equipment authorization process. By operation of the FCC’s Covered List rules, the restrictions imposed today apply to new device models.
I’m sure plenty of US factories are capable of importing boxes that look like routers but are actually just switches (because the router firmware is missing) and re-flashing them here…
I can’t think of a complete start to finish, OS to mosfets, computer that is 100% manufactured in the United States.
[0] https://mono.si/
The fact that they haven't updated that webpage with new information since October 1st 2025 seems to indicate bad news...
... at the same time, I don't think I'd send $100 to a site with no contact/ownership/company info to begin with.
Personally, I don't make the distinction between foreign and domestically produced routers in America. In fact, I trust foreign produced routers more because the likelihood that they can act upon their surveillance is significantly lower than the current American regime's oppressive and malicious tactics. Therefore, open source routers provides enough transparency to effectively eliminate spyware threats from all angles while being compliant.
I'm especially excited about the Banana Pi because of the transparency and potential of modular upgrades. Whenever there's a network issue, I have to consider whether the manufacturer (American or not) is doing something nefarious. With a Pi based router, I have much more peace of mind with network debugging issues.
The only thing I'm missing right now that would be a nice to have is a wifi card so I can ditch my access point. My hardware isn't open source by any means, but my reliance on non-free networking code is minimal.
Is this just another mass surveillance operation?
> For the purpose of this determination, the term “Routers” is defined by National Institute of Science and Technology’s Internal Report 8425A to include consumer-grade networking devices that are primarily intended for residential use and can be installed by the customer. Routers forward data packets, most commonly Internet Protocol (IP) packets, between networked systems. ¹
> A “consumer-grade router” is a router intended for residential use and can be installed by the customer. Routers forward data packets, most commonly Internet Protocol (IP) packets, between networked systems. Throughout this document, the term “router” is used as a shorthand for “consumer-grade router.” ²
There doesn't seem to be a general ban for foreign-made professional routers, just for some Chinese manufacturers, right³?
Oh, and what does "produced by foreign countries" even mean? I couldn't find any definition. Is this meant to be the country of final assembly? Would importing a Chinese router and the flashing the firmware in the USA be sufficient to be exempt? Where is the line drawn usually?
¹) https://www.fcc.gov/sites/default/files/NSD-Routers0326.pdf
²) https://nvlpubs.nist.gov/nistpubs/ir/2024/NIST.IR.8425A.pdf
³) https://www.fcc.gov/supplychain/coveredlist
Really, do they have a definition?
Yeah conceivably you could use this to ban any network device that is capable of routing between interfaces, so lots of switches with new firmware could do it, often terribly, as well as PCs with multiple interfaces. But its probably going to involve intention.
Also, we recommend using a username that seems human, rather than being based on a company/brand name, otherwise it seems like you are here primarily for promotional purposes rather than curious conversation. You can email us to change the username if you'd like – hn@ycombinator.com.
Great, please share it with us! If what you've said is true, the kind of comment you're uniquely qualified to share is the very thing the thread most needs.
Chinese citizens have more computing freedom than American citizens at this point. What the fuck happened to the land of the free?
So no, this does not pull all existing routers off the market. Anything that already got FCC approval remains approved and new stock may be imported and sold.
https://nvd.nist.gov/vuln/detail/CVE-2023-1389