
The US Federal Communications Commission (FCC) is tasked with regulating both wired and wireless communications, a remit that also includes a national security component. This is how the FCC previously tossed networking gear made by Huawei and foreign-manufactured drones onto its Covered List, effectively banning them from sale in the US. Now foreign-made consumer routers have been added to this list, barring explicit conditional approval on said list that would exempt them during a ‘transition phase’.
As per the FCC fact sheet, this follows a determination by an interagency body that such routers “pose unacceptable risks to the national security of the United States [..]”. This document points us to the National Security Determination PDF, which attempts to lay out the reasoning. It notes that routers are an integral part of everyday life and that compromised routers are a major risk factor, ergo it follows that only US-manufactured routers are to be trusted.
These – so far fictional – US-manufactured consumer routers would have to feature ‘trusted supply chains’, which would seem to imply onshoring a large industrial base, though without specifying how deep this would have to go it’s hard to say what would be involved. The ‘supporting evidence’ section also only talks about firmware-related vulnerabilities, which would imply that US firmware developers do not produce CVEs.
Currently there do not appear to be any specific details on what router manufacturers are supposed to do about this whole issue, though they can continue to sell previously FCC-approved routers in the US.
Although hardware backdoors are definitely a possibility, this requires a fair bit of effort within the supply chain that should generally also be fairly easy to detect. Yet when, for example, Bloomberg claimed in 2018 that Supermicro gear had been infested with hardware backdoors, this started a years-long controversy.
Meanwhile actually verified issues with Supermicro hardware are boringly due to software CVEs. In that particular issue from 2024 two CVEs were discovered involving a lack of validation of a newly uploaded firmware image.
All of which is reminiscent of an early 2024 White House ‘memory safety appeal’ that smelled very strongly of red herring. Although it’s easy to point at compromised hardware with scary backdoors and sneaky software backdoors hidden deep inside firmware of servers and networking devices, the truth of the matter is that sloppy input validation is still by far the #1 cause of fresh CVEs each year, especially if you look at the CVEs that are actually being actively exploited.
As for this de-facto ban on new routers being sold in the US, this will correspondingly not change much here. The best defense against issues with networking equipment is still to practice network hygiene by keeping tabs on what is being sent on the LAN and WAN sides, while a government could e.g. force consumer routers to pass a strict independent hardware and software audit paid for by the manufacturer.
Speaking as someone who used to run DIY routers for the longest time built around FreeSCO and Smoothwall Linux, there’s also always the option of turning any old PC into a router by putting a bunch of NICs and WNICs into it and running SmoothWall, OpenWRT, etc. A router is after all just a specialized computer, regardless of what the government feels that it identifies as.
Lel rekt. Let them pay 10x the price for Chinese case, Chinese board, Chinese SoC, Chinese connectors, Chinese resistors and Chinese firmware. It’s going to be expensive, but at least it will be “Made in USA” 😂
Meanwhile Europeans with their Mikrotiks.
I’m sure US Robotics could manufacture a router. Call it Sportster Plus or something.
They want to make sure it has an NSA backdoor and not a Chinese one.
Considering I have nothing to fear from China. At least that I can think of… Meanwhile the current state of things makes the USA look like a less and less safe place to exist… Maybe I should buy a Chinese router?
In all seriousness, I’d love to see more user friendly guides on openwrt. Last time I tried it was a big pain.
My first thought too. Most likely we’ll have both now.
There is a reasonable probability that this is another cash grab (“pay a consulting fee and rent a border warehouse to do final assembly, and we’ll make sure you can call it US made”) for one or another political crony.
Thank goodness enterprise routers are exempt. Shame they’ll have to update the labelling though.

Facts Only

The FCC has added foreign-made consumer routers to its Covered List, barring their sale unless they receive explicit conditional approval during a transition phase
An interagency body determined that these routers pose unacceptable risks to US national security
US-manufactured routers with trusted supply chains are being pushed as a solution
Specific details about what manufacturers should do are currently unclear
There has been controversy over compromised hardware and backdoors in networking equipment, such as the 2018 Bloomberg report claiming Supermicro gear was infested with hardware backdoors
Verified issues with Supermicro hardware have been due to software CVEs rather than hardware backdoors

Executive Summary

The United States Federal Communications Commission (FCC) has added foreign-made consumer routers to its Covered List, effectively barring their sale in the US unless they receive explicit conditional approval during a transition phase. This decision follows an interagency body's determination that these routers pose unacceptable risks to US national security. The FCC is pushing for US-manufactured routers with trusted supply chains as a solution, although specific details about what manufacturers should do are currently unclear.
There has been controversy over compromised hardware and backdoors in networking equipment, such as the 2018 Bloomberg report claiming Supermicro gear was infested with hardware backdoors. However, verified issues with Supermicro hardware have been due to software CVEs rather than hardware backdoors. The de-facto ban on new routers being sold in the US is not expected to significantly impact the current situation.

Full Take

The FCC's decision to add foreign-made consumer routers to its Covered List raises questions about the motivations behind this move and the effectiveness of US-manufactured routers as a solution. While there have been concerns about compromised hardware in networking equipment, verified issues have been due to software CVEs rather than hardware backdoors. The push for US-manufactured routers with trusted supply chains could potentially lead to onshoring a large industrial base, but the depth of this requirement is unclear.
It's worth considering the potential political and economic implications of such a move. On one hand, it could be seen as an attempt to protect national security by ensuring the integrity of networking equipment. On the other hand, it could be interpreted as protectionism that benefits domestic manufacturers at the expense of foreign competition.
As for the controversial claim about Supermicro gear being infested with hardware backdoors, it's important to note that while such backdoors would indeed pose a significant security risk, there has been no verifiable evidence to support this claim. The continued debate around this issue underscores the need for transparency and independent verification when making claims about compromised hardware.
Finally, it's worth considering the broader implications of this move for consumer choice and competition in the router market. If US-manufactured routers become the only viable option due to the de-facto ban on foreign-made routers, consumers could face higher prices and fewer options. On the other hand, if domestic manufacturers are able to meet the requirements for trusted supply chains, they may be well-positioned to capitalize on this opportunity.

US FCC Prohibits Approval of New Foreign — Arc Codex