To be clear, it’s new routers, you don’t have to replace the one you currently have. As for the significance, I’ll see if I can find an article, but presumably it’s for fear of foreign made routers having built in back doors and/or malware.
Malicious actors have exploited security gaps in foreign-made routers to attack American households, disrupt networks, enable espionage, and facilitate intellectual property theft. Foreign-made routers were also involved in the Volt, Flax, and Salt Typhoon cyberattacks targeting vital U.S. infrastructure.
My concern when I heard this is that if, going forward, only US made routers are allowed, it’ll be much easier for the government to force manufacturers to include their own back doors.
Also, this doesn’t make sense to me:
The Executive Branch determination noted that foreign-produced routers (1) introduce “a supply chain vulnerability
How so? If there’s an issue with foreign made routers that causes a supply chain vulnerability, just get a US made router. It’s like saying you should be required to buy an American made car because Japan might decide to stop selling their cars to us.
ETA, I suppose a less ‘paranoid’ explanation would be that companies like Cisco paid him to do it.
And, now that I’m looking, I’m having a hard time finding any American made routers (including Cisco) except…wait for it…Starlink.
Projection is a typical government spy action. The NSA allegedly rerouted Cisco routers intended for certain overseas destinations to add their own custom ROMs to allow remote access.
I presume too this prohibition applies to commercial routers, not the home routers that the typical household uses, bought in bulk by your local cable or phone company?
Also, IIRC the connections your PC makes to web sites are almost universally HTTPS or similar encryption, so it’s unlikely that intercepting your communication en route tells them anything, and allegedly cracking that encryption is difficult. What it does do is allow your outside actor to have a seat on your internal network, so they can listen to assorted communication like server broadcasts, and perhaps exploit smartphone, workstation and server vulnerabilities as if they were connected locally - try to insert malicious code, copy databases (like Doge did) etc.
Plus there’s the same concern as with TikTok - by monitoring traffic from local WiFi, they can build a list of phones - which tells them, for example, who works at - let’s say - the state department building or the FBI headquarters, phone ID and phone number etc. and where they live. The US feels China should not be allowed to collect this data themselves - they should buy it from large American tech companies like everyone else.
There is a lot going on here, and it is all stupid.
The FCC has banned all new non-US made consumer routers. That is essentially everything. Starlink makes routers in the US, and maybe a couple of other companies. Even those are full of foreign made components.
Foreign made routers can apply for an exception. There isn’t lots of information on what needs to be done to get an exception, but you can look at how other businesses have attempted to gain favors from the current regime to get some ideas.
It is not too far of a conspiracy theory to think this is just a shakedown of foreign companies.
I read the post, but have not looked at the original sources to see if the conclusions are reasonable. If you get past the pretentious lack of capital letters, it’s an interesting read. The bottom line is Netgear (an American company that relies on foreign manufacturing) seems to be the only company in favor of this, and there may be overlap between top executives at Netgear and government advisors.
A supply chain attack on consumer routers would be a security catastrophe. What’s lacking is any evidence that this is an existing and widespread problem.
I don’t know… I’m on a group-text thread with some college buddies, and when this news came out, me and the other IT guy in the group were rather dumbfounded and questioning the utility of this, and speculating about the disruption that’s going to cause.
Another friend, who works for the DoD commented that there’s actually meat to the action (that involved classified briefings and stuff), but that what happened was that they slept on the warnings, and when the consequences might come due, acted in the panicked, ham-fisted and reactionary way that’s characteristic of the current administration.
I have no reason to doubt him; he’s not one to make stuff up or self-aggrandize.
Far more effective would be to require all routers, indeed all communication gear of any sort, to have user-installed firmware. From the government’s POV, it would be enough to require that a plug-in ROM be installed once the device reaches the recipient country. Even better for the end-user to be able to plug in the firmware. Yes, the manufacturer could design a hidden router on the board, but that could be detectable through expert examination. This way, the recipient simply has to monitor the copy of the firmware when it is first written. We need not worry about the hardware, it is the firmware that matters. Updates would be handled as normal but from within the country. Yes, the uniqueness of each manufacturer is mostly in the firmware, but tough for them. It is better than having to pay Donald for the privilege of importing to the US. And far better for the people buying the hardware.
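The post above describes a recipient "monitoring the copy of the firmware when it is first written." The sketch below (an added illustration, not code from anyone in this thread) shows the two checks that idea reduces to in practice: compare the image against a manifest obtained through a separate channel before flashing, then read the flash back after the write and confirm it still hashes to the same value. The firmware bytes, the manifest format, and the `FakeFlash` stand-in for the device's storage are all constructed for the example; a real device would expose its own write and read-back interface.

```python
import hashlib
import hmac
import json

# Constructed sample firmware image (not a real vendor image).
GOOD_IMAGE = b"ROUTER-FW v1.2.3 " + bytes(range(256)) * 4

# Manifest the recipient obtained independently of the image (hypothetical
# format; the point is that size and hash come from a second channel).
MANIFEST = json.dumps({
    "version": "1.2.3",
    "size": len(GOOD_IMAGE),
    "sha256": hashlib.sha256(GOOD_IMAGE).hexdigest(),
})


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_image(image: bytes, manifest_json: str) -> tuple:
    """Check the image about to be written against the manifest.

    Returns (ok, reason). Size is checked first because it is cheap and
    catches truncated downloads; the hash catches any byte-level tampering.
    """
    manifest = json.loads(manifest_json)
    if len(image) != manifest["size"]:
        return False, "size mismatch"
    # compare_digest avoids leaking where the two hex strings first differ
    if not hmac.compare_digest(sha256_hex(image), manifest["sha256"]):
        return False, "sha256 mismatch"
    return True, "image matches manifest for version " + manifest["version"]


class FakeFlash:
    """Stand-in for the router's flash: stores what was written, returns it on read-back."""

    def __init__(self, corrupt_on_read: bool = False):
        self._contents = b""
        # Simulates storage (or an intermediary) that does not return what was written.
        self._corrupt_on_read = corrupt_on_read

    def write_image(self, image: bytes) -> None:
        self._contents = image

    def read_back(self) -> bytes:
        if self._corrupt_on_read and self._contents:
            return self._contents[:-1] + b"\x00"
        return self._contents


def install(image: bytes, manifest_json: str, flash: FakeFlash) -> tuple:
    """Flash only a verified image, then confirm the stored copy by read-back."""
    ok, why = verify_image(image, manifest_json)
    if not ok:
        return False, "refused to flash: " + why
    flash.write_image(image)
    # The "monitor the copy when first written" step: hash what the device
    # actually holds, not what we intended to send it.
    if not hmac.compare_digest(sha256_hex(flash.read_back()), sha256_hex(image)):
        return False, "read-back mismatch after write"
    return True, why


if __name__ == "__main__":
    print(install(GOOD_IMAGE, MANIFEST, FakeFlash()))
    tampered = GOOD_IMAGE[:-1] + b"\x00"   # same length, one byte changed
    print(install(tampered, MANIFEST, FakeFlash()))
    print(install(GOOD_IMAGE, MANIFEST, FakeFlash(corrupt_on_read=True)))
```

The read-back step is the part that distinguishes this from an ordinary download check: a manifest match proves only that the file you hold is the one the publisher described, while the read-back catches a write path that stores something other than what it was given. Neither check says anything about whether the published firmware itself is trustworthy, which is the point the following posts make.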
When it comes to the dark arts of malware, the possibilities of embedded exploits are a very deep rabbit hole.
Having control of the software installation isn’t as big an insulation from exploits as one might hope. One only needs to look at the XZ exploit to find how far state-based actors will go and how difficult-to-find exploits are. XZ was almost certainly Russian, and would have laid the internet wide open. I like to point to the Underhanded C Contest. Somewhat dormant, but providing a history of fabulous examples of apparently correct code that contains exploits that fool even careful inspection. Exploits should be expected to be subtle and layered. You won’t see obvious back doors or snooping in the code.
Hardware contains its own possibilities for attack. The amount of firmware inside individual devices quite separate from the main processor of even simple systems is huge. Just an Ethernet NIC could host enough capability to allow remote exploits.
Danger isn’t going to be from random spying. Enough installed devices in a country and you have the potential capability to shut down the entire country’s internet at a critical time. Think DDoS attacks. Or hijacking DNS.
The router ban sounds over the top. IMHO it isn’t. It might be more a matter of too little too late. There are a range of products I won’t buy for this reason. And network services I won’t use. Nothing is perfect but you can skew the odds.
A router that claims to have installed user-provided firmware could still be separately running malicious code that overrides what the user firmware is doing, and without using any separate hardware that would be easily detected.
And even if that’s not the case, there could be malicious code in the user firmware itself. Software history is replete with examples of security vulnerabilities in code, some accidental and some deliberately added to open-source code by bad actors, that have eluded detection for years. (This issue is not solved by restricting use of foreign routers of course.) OpenSSL is probably the most critical software underpinning the web from a security standpoint, and the most scrutinized by experts. Last month, 12 previously-unknown vulnerabilities were discovered, some quite serious, and some which had existed in the code for over 30 years. (Incidentally, the vulnerabilities were discovered by AI analysis of the code.)