The FCC maintains a list of equipment and services (Covered List)
that have been determined to “pose an unacceptable risk to the
national security
Recently, malicious state and non-state sponsored cyber attackers
have increasingly leveraged the vulnerabilities in small and home
office routers produced abroad to carry out direct attacks against
American civilians in their homes.
Vulnerabilities have nothing to do with country of manufacture. They have always been due to manufacturers' crap security practices. Security experts have been trying to call attention to this problem for 2 decades.
Manufacturers have never had to care about security because no Gov agency would ever mandate secure firmware. This includes the FCC which license their devices and the FTC who (until recently) had the direct mandate to protect consumers.
Our most recent step backward was to gut those agencies of any ability to provide consumer oversight. All they they can do now is craft protectionist policies that favor campaign donors.
The US has a bazillion devices with crap security because we set ourselves up for this.
> Manufacturers have never had to care about security because no Gov agency would ever mandate secure firmware.
The problem is that "secure firmware" is a relativistic statement. You ship something with no known bugs and then someone finds one.
What you need is not a government mandate for infallibility, it's updates. But then vendors want to stop issuing them after 3 years, meanwhile many consumers will keep using the device for 15. And "require longer support" doesn't fix it because many of the vendors will go out of business.
What you need is the ability for consumers to replace the firmware.
That solves the problem in three ways. First, when the company goes out of business you can still put a supported third party firmware on the device. Second, you can do that immediately, because the open source firmwares have a better security record than the OEMs to begin with. And third, then the device is running a widely used open source firmware instead of a custom device-specific proprietary black box, which makes it easier for the government or anyone else who is so inclined to find vulnerabilities and patch them.
> What you need is not a government mandate for infallibility, it's updates
So, we don't need an electrical code to enforce correct wiring. We just need a kind soul driving by our house to notice the company who built our house wired it up wrong. Then that kind person can inform the company of the bad wiring.
And if the company agrees it's their wiring at fault, we can wait 3 months for a fix. Then the next month another kind soul finds more bad wiring. And we just have to hope there is an army of kind strangers out there checking every building built by every company. And hope in the meantime that the building doesn't burn down.
Meanwhile, people have to live with bad wiring for years, that could have been completely prevented to begin with, by an electrician following the electrical code we all already agree on.
> So, we don't need an electrical code to enforce correct wiring.
For an analogy to work, its underlying elements should have a relation to the target. Your analogy is not in the same universe. For electrical work, there is a baseline of materials and practices which is known to produce acceptable results if adhered to. For software, there isn't. (Don't tell me about the Space Shuttle. Consumer software doesn't cost tens of millions and isn't written with dedicated teams over the decades.)
The analogy does work. The house is any software provided by any vendor. The kind strangers are white hat security researchers. The people living in the house are the users.
Software absolutely has baseline materials, have you never written software before? Never used a library? Programming language? API? Protocol? Data format or specification? CPU instruction? Sorting algorithm? A standard material is just a material tested to meet a standard. A 10d nail is a 10d nail if it meets the testing specs for 10d nails (ASTM F1667). Software can be tested against a spec. It's not rocket surgery.
No known practices with acceptable results?? Ever heard of OWASP? SBOMs? Artifact management? OIDC? RBAC? Automated security scanning? Version control? Code signing? Provenance? Profiling? Static code analysis? Strict types? Formal proofs? Automated testing? Fuzzing? Strict programming guidelines (ex. NASA/DOD/MISRA/AUTOSAR)? These are things professionals know about and use when they want standard acceptable results.
What are you talking about re: space shuttle and tens of millions? Have you actually read the coding standards for Air Force or NASA? They're simple, common-sense guidelines that any seasoned programmer would agree are good to follow if you want reliability.
I think the problem here is there's too many armchair experts saying "Can't be done" when they don't know what they're talking about, or jaded old fogeys who were on some horrible government project and decided anything done with rigor will be terrible. That's not the way it is in the trades, in medicine, in law, and those folks actually have more to think about than software engineers, and more restrictions. I think SWEs are just trying to get out of doing work and claiming it's too difficult, and the industry doesn't want to stop the free ride of lack of accountability it's had for decades.
AI is going to introduce 100x more security holes than before, so something will have to be done to improve security and reliability. We need to stop screwing around and create the software building code, before the government does it for us.
> What are you talking about re: space shuttle and tens of millions?
GP was almost certainly referring to "They Write the Right Stuff," an old article that is pretty well known in spaces like this. It discusses a process that (a) works extremely well (the engine control software was ~420 kLoC with a total of 17 bugs found in a window of 11 versions) and (b) is extremely expensive (the on-board shuttle software group had a budget of ~35 million per year in mid-90s dollars).
> The analogy does work. The house is any software provided by any vendor.
Even before we start, you immediately have a problem. When a house is built, the thing to be inspected is built in the jurisdiction requiring the inspection.
If you have some code being written in China or India and some US jurisdiction wants to require the sort of programming practices you're suggesting, is the US going to send inspectors to other countries? How do they even validate that the processes are being followed either way? And what are you proposing to do with all the existing code that was written in the past? Requiring the company to have a checklist included in their book of procedures that nobody is actually following doesn't solve anything.
The way this nominally works for building inspections is that the inspector waits until after the work is done and then inspects the work, but that's a validation of the result rather than the procedures. The equivalent for code is an audit, which is dramatically more labor intensive for the government than sending someone to have a quick look to see if the wires appear to be hooked up right, if you expect it to actually do anything.
> I think the problem here is there's too many armchair experts saying "Can't be done" when they don't know what they're talking about
There are too many armchair experts saying "if they can land a man on the moon then surely they can land a man on the sun."
> That's not the way it is in the trades, in medicine, in law, and those folks actually have more to think about than software engineers, and more restrictions
First notice that you're listing all the professions where costs are out of control and the incumbents have captured the regulators to limit supply.
On top of that, those regulations are not even effective in solving the analogous problem. For example, the ethical requirements for lawyers nominally require them to do the thing public defenders aren't provided with the ability to do, i.e. spend enough time on the case to give the client adequate representation. Public defenders are given more clients by the state than they have the resources to actually represent. Quite unsurprisingly, this utterly fails to solve the problem of indigent defendants not having adequate representation.
But that's the thing most analogous to what you're proposing. If you nominally require companies to do something they otherwise have no real incentive to do, which you have no efficient way of verifying that they've done, and provide them no additional resources to do it, you can't expect "they will now do it well" to be the result.
> I think SWEs are just trying to get out of doing work and claiming it's too difficult, and the industry doesn't want to stop the free ride of lack of accountability it's had for decades.
What makes you think the software developers are the ones objecting to it? They, and the incumbent companies trying to raise costs on smaller upstarts, are the ones trying to establish a new racket and exclude newcomers from the industry. The ones objecting are the customers, and anyone who values efficiency and efficacy.
> We need to stop screwing around and create the software building code, before the government does it for us.
"We need to stop screwing around and create the Torment Nexus, before the government does it for us."
I mean this is still a semi-bs response on your case, even if you don't realize it.
Many of these devices have security flaws that are horrific and out of best practices by over a decade.
Just having something like "Have a bonded 3rd party security team review the source code and running router software" would solve around 95% of the stupid things they do.
> Just having something like "Have a bonded 3rd party security team review the source code and running router software" would solve around 95% of the stupid things they do.
It would certainly help, but no economically feasible amount of auditing and best practices could lead to having a warranty on that software. My thesis is that our current understanding of software is fundamentally weaker than that of practical applications of electricity, so it makes no sense to present analogies between the two.
> So, we don't need an electrical code to enforce correct wiring.
Are you familiar with how the actual electrical code works? It's a racket. The code is quite long and most of the inspectors don't know most of it so only a small subset is ever actually checked, and that only in the places where the person doing the work is actually pulling permits and the local inspector isn't corrupt or lax in areas the local tradespeople have learned that they're lax. Then we purposely limit the supply of licensed electricians so that they're expensive enough that ordinary people can't afford one, so that handyman from Craigslist or whatever, who isn't even allowed to pull permits, is the one who ends up doing the work.
It only basically works because no one has the incentive to purposely burn down your house and then it only happens in the cases where the numerous violations turned out to actually matter, which is rare enough for people to not get too upset about it.
But the thing that makes it a racket is the making the official process expensive on purpose to milk wealthy homeowners and corporations who actually use the official process, which is the same thing that drives common people to someone who charges a price they can afford even knowing that then there no inspection.
> Then that kind person can inform the company of the bad wiring.
The point is rather that when the homeowner discovers that their microwave outlet is heating up, they can fix it themselves or hire an independent professional to do it instead of the company that built the house (which may or may not even still exist) being the only one who can feasibly cause it to not stay like that until the house is on fire.
I mean, if you could download an update that would fix the wiring in your house, it would be much less critical that the initial installer got it right. (Still much more important than your router, though; it doesn't stop being an electrocution hazard during the un-updated period.)
Trying to make analogies from software to hardware will always fall down on that point. If you want to argue that there should be stricter security & correctness requirements for routers, maybe look more toward "here is how people actually treat them in practice" with regard to ignoring updates...?
> I mean, if you could download an update that would fix the wiring in your house, it would be much less critical that the initial installer got it right
As in my example, some random stranger needs to first find out your "house" (the vendor's software) is wired wrong. And this needs to happen for every "house" (every piece of software). While waiting for this to be discovered, your house burns down (hackers penetrate millions of devices, or perhaps just Microsoft Sharepoint that the govt is uses).
> What you need is the ability for consumers to replace the firmware.
I don't think that's enough. Most people aren't going to replace the firmware on their device with an open source replacement made by someone else. Now if the firmware was required to be open source, and automatic updates could be seamlessly switched over to a non-profit or government agency in the event of the company going out of business, you might have something. But there would be a lot of details to work out.
I have a PC hooked up to my TV in my living room that has been running the latest version of Kubuntu for over 18 years now. It has had many upgrades in that time but it's still the same basic hardware: A CPU, some memory, USB ports, a video card, and an ethernet port on the back.
That "genericness" is what's missing in the router space. Literally every consumer router that comes out has some super proprietary design that's meant to be replaced in its entirety in 3-4 years. Many can run Linux, sure, but how many have a replaceable/upgradable board? How many are like a PC where you can install whatever OS you want?
Sure, you can forcibly flash a new OS (e.g. OpenWRT) but that is a hack. The company lets you do that because they figure they'll get a bit more market share out of their products if they don't lock the firmware so much. They key point remains, however: They're not just hardware—even though they should be!
The world of consumer routers needs a PC-like architecture change. You can buy routers from companies like Banana Pi and Microtik like this but they're not marketed towards every-day consumers. Mostly because they're considered "too premium" and require too much expertise to setup.
I think there's a huge hole in the market for consumer-minded routers that run hardware like the Banana Pi R4 (which I have). When you buy it, you get the board and nothing else. It's up to you to get a case and install an OS on it (with OpenWRT, Debian, and Ubuntu being the normal options).
We need something like the Framework laptop for routers. Not from a, "it has interchangeable parts" perspective but from a marketing perspective. Normal people are buying Framework laptops because geeky friends and colleagues recommend them and they're not that much more expensive/troublesome than say, a cheap Acer/Asus laptop.
> They key point remains, however: They're not just hardware—even though they should be!
This is the most thoughtful comment I've seen on this topic. I hadn't even considered this approach, but you're right. The hardware needs to be commoditized in a way that makes the software a layer that can be replaced. Someone else said this but in a way that described flashing a third-party package as HN nerds would. That's too much effort and it won't work.
It should be as generic as PC hardware. Every router manufacturer should build devices that can run the OSes of all their competitors' devices and vice versa. Maybe some features won't work with the other company's OS cause it isn't designed for that, but overall it ought to be replaceable. "Normal people" still wouldn't flash a new OS, but making it an option is a step towards making devices more secure.
If every router could get a new OS as easily as your techy friend could install Firefox or an ad-blocker or whatever else, we'd start the long march to a real longterm solution.
You completely missed the point of what I said. I have a Linksys as a cheap backup in case my real router (Netgate / pfsense) dies. The Linksys is running OpenWRT and hopefully I'll never need to plug it in ever again.
I had to verify that OpenWRT was compatible when I bought it _to be a backup_. Re-read what I said about everything being commodity hardware that can run any other device firmware / OS.
It's not so simple. Routers, like most tech emitting and modulating an RF signal by design, are certified products. The radio frequency bands, output power, allowed channels are all tightly controlled. Allowing end-users control without restrictions over such equipment would be unsafe.
It's quite different. The transceiver in your device is mainly a low-power receiver, transmit power is limited to ~100mW at best. Meanwhile a typical AP can go up to 1W per antenna for transmit. Also, the firmware that operates the wifi stack on your network card is not open source or user-modifiable beyond firmware updates issued by the manufacturer. I suggest reading up on wifi and RF before going further.
> I suggest reading up on wifi and RF before going further.
I'd suggest neither matter in the face of how the problem is solved in the consumer cards the OP was talking about. They solve it by locking down the firmware that controls the radios.
The reality is most routers do that too. You can replace the firmware in most of them with OpenWRT or something similar. You still can't exceed regulatory limits because of the signed blobs of firmware in the radios.
Nonetheless, here we are getting comments like yours, which imply all firmware in the device must be behind a proprietary wall because a relatively small blob of firmware in them must be protected. It has its own protections. It doesn't need to be protected by the OS or the application that runs on top of it.
Yet it's in those applications where most of the vulnerabilities show up. Making them consumer replaceable would help in solving the problem. Protecting the firmware is not a good reason to not do it.
I was responding to the original post about open standards. My point is that anything with an RF transceiver will never be as open as a standard PC with replaceable components. The radio portion will always be blocked off. That relatively small blob will always limit how much control you can exert over the device.
We don't have to look far. The embedded space with Arduinos, ESP32s and even RPis is a hacker's paradise. Yet the radio stack is restricted in all of them. For instance, it's not possible to take an ESP32 board and turn it's single antenna into a MIMO configuration, even if you make a custom PCB with trace antennas.
My point is that anything with an RF transceiver will never be as open as a standard PC with replaceable components. The radio portion will always be blocked off.
sure, but again, why would the RF transceiver on my desktop PC or in my laptop be any different than the one in my router?
If you make something internet commected you must provide lifetime warranty for security. no import or sales sor even leases) until you have in escrow the money to pay for them.
i will allow sunsetting and removing ipv4 after 2020 (that is more that 5 years ago)
The concept of community firmware seems like a huge cop-out that allows companies to externalize costs. And it probably won't help security because 99% of devices will never get the third-party firmware installed anyway.
If they were trying to save costs they would ship the community firmware on the device to begin with because then they wouldn't have to write and maintain their own. The community welcomes them to externalize those costs onto the people with better incentives to improve the software.
What they're actually trying to do is obsolete the devices faster because then they won't add new protocols or other software-only features to older devices so you have to buy a new one, or only expose features in more expensive models that the less expensive hardware would also be capable of doing. Which is all the more reason for us to not have that.
And if they were required to allow anyone to replace the firmware then you would get companies reflashing and selling them that way from the store because the free firmware has more advertisable features. There's a reason you can go to major PC OEMs and pick between Windows, Linux and "don't even install one" and the reason is that if you give customers a choice, they generally don't want their software to be made by the OEM.
> What they're actually trying to do is obsolete the devices faster
This is exactly why. Obsoleting older devices keeps (in their eyes) the purchase treadmill running. Making a device that could be updated forever means never making another sale to that user (unless some physical failure happens, or the user wants a second one).
It could be part of dissolution of the company to mandate community firmware. But it depends on their licenses…
Anyhow, this is a common enough practice. Many companies that provide infrastructure type software and sell to Fortune 500 companies often have a clause whereby they deliver their software to their customers if the shut down.
We don't care about their licenses; that's their problem. If they need firmware with a license that allows them to redistribute it there are plenty of free ones to choose from.
And you can't wait until after they're dead to have them do something. By then they're gone or judgment proof because they're already bankrupt. Especially when you're talking about companies that aren't in the jurisdiction because you can't even make them do anything when they're already not shipping products to you anymore. It has to be from Day 1.
There was a promising design from Azure Sphere for 10 years of IoT device Linux security updates from Microsoft, even if the IoT vendor went out of business. This required a hardware design to isolate vendor userspace code from device security code, so they could be updated independently. Could be resurrected as open standard with FRAND licensing.
The main thing you need is for the lowest-level code to be open and replaceable/patchable because it's the only part which is actually specific to the device. Windows running on Core Boot is a better place to be than custom Linux running on opaque blob, because in the first case you can pretty easily get to newer Windows, vanilla Linux or anything else you want running on Core Boot after the original version of Windows goes out of support, and you can update Core Boot, whereas the latter often can't even get you to a newer version of Linux.
Modern coreboot depends on opaque blobs on CPU (FSP/ACM on Intel) and auxiliary processors (ME/PSP), but AMD is moving in the right direction with OpenSIL host firmware. Arm devices have their own share of firmware blobs.
A decade of security updates for routers would require stable isolation between low-level device security and IoT vendor userspace. In Sphere, the business model for 10 years of paid updates was backed by hardware isolation. Anyone know why it didn't get market traction? There was a dev board, but no products shipped.
Oh gee. Maybe because no one sane looks at an industrial product adversarially built to confine and prevent the end user from doing anything to it and wants anything to do with it? It isn't rocket science. If I can't buy it and get a damn manual and programming tools to twiddle all the bits, I'm not adopting. Not even at gunpoint, or if you're the last supplier on Earth. I won't be held voluntarily hostage because a bunch of corporate types, and bureaucrats decided to work together to normalize adversarial silicon. Multiply by everyone I know, and anyone with enough braincells to rub together to pattern match "regulatory capture" and "capitalist rent seeking". You can call me a bore if you want. The incentives are completely unaligned, as this place is so fond of saying. End user adoption is built on faith in product. End user capacity to have faith in the product is based on the capability of the technically savvy purchaser to keep the thing running, repair, understand, and explain it to the non-technically savvy. I look at adversarial silicon isolating me from the hardware; I have to sound off-my-rocker to my non tech-savvy friends family to actually explain that yes, there are industrial cabals out to keep you from doing things with the thing you bought.
It doesn't make any business sense, or practical sense whatsoever. Don't bother quoting regulations that demand the isolation (baseband processors and radio emission regulations) at me. Yeah. I know. I've read those too.
Get over business models that require normalized game theory, and we can talk. Until then, enjoy never having nice things catch on. Hint: your definition of "nice" (where I can't control how it works after purchase) is mutually exclusive with things I'm willing to syndicate as "nice". Nice people don't manipulate others.
Why not just put the onus on ISPs? 99% of users lease their router from their ISP. If updates stop after three years, looks like you're getting a complimentary service appointment to get a new router.
> What you need is the ability for consumers to replace the firmware.
> That solves the problem in three ways.
That alleviates the problem, but definitely doesn't solve it. Updates are still required, and most people will never update devices they don't directly interact with.
The government obviously cares less about citizens running firmware China can hack than it does about citizens potentially running firmware the government can't hack.
Somebody has to pay for the support. There is no free meal.
Enterprise must be able to pay for support for as long as they use devices. Solved.
I can only think of requiring the devices to be serviceable, as you say. The absolute only way I can think of charging the consumers, ie the owners, is to charge a tax on internet connections. Then the government would pay somehow vulnerability hunters working along patchers, who can oversee each other.
Consumers are tricky: if you include support in the sale price, the company will grab the money and run in 3 or 5 years; and some companies will sell cheaper because they know they won't provide support.
But then vendors want to stop issuing them after 3 years
Tough shit. You provide updates for the mandated amount of time, or you lose access to the market. No warnings, you're just done.
> And "require longer support" doesn't fix it because many of the vendors will go out of business.
Source code escrow plus a bond. The bond is set at a level where a third party can pay engineers to maintain the software and distribute updates for the remainder of the mandated support period. And as time passes with documented active support, the bond requirements for that device go down until the end of the support period.
Requiring that the customer be allowed to replace the firmware is essential, I agree, but not for this reason. That requirement, by itself, just externalizes the support costs onto open source communities. Companies that sell this sort of hardware need to put up the resources, up front, irrevocably, to ensure the cost of software maintenance is covered for the entire period.
Personally I don't buy consumer router hardware that I can't immediately flash OpenWRT on, but that option is not suitable for the general public.
"You ship something with no known bugs and then someone finds one."
You managed to say that with a straight face!
Let's keep this ... non partisan. You might recall that many vendors have decided to embed static creds in firmware and only bother patch them out when caught out.
How on earth is embedded creds in any way: "no known bugs"?
I think we are on the same side (absolutely) but please don't allow the buggers any credibility!
>And "require longer support" doesn't fix it because many of the vendors will go out of business.
Do you mean 'out of business so they cannot provide updates'?
Because, if you mean cheap companies won't be able to provide updates and stay in business, surely that's the point. Companies would have to shim to a standardised firmware that was robust, or something, to keep costs down.
Isn't this all to protect USA business interests and ensure the Trump regime can install their own backdoor though?
This part of the press release seems pretty crucial:
> Producers of consumer-grade routers that receive Conditional Approval from DoW or DHS can continue to receive FCC equipment authorizations.
In other words, foreign-made consumer routers are banned by default. But if you are a manufacturer, you can apply to get unbanned ("Conditional Approval").
If you (a manufacturer) apply, they want information regarding corporate location, jursidiction, and ownership. They want a bill of materials with country of origin and a justification for why any foreign-sourced components can't be domestic. They want information about who provides software and updates. And they want to hear your plan to increase US domestic manufacturing and progress toward that goal.
So, foreign-made consumer routers can still be sold, but they are going to look at them with a fine-tooth comb, and they are going to use FCC approval as leverage to try to increase domestic manufacturing.
Does it occurs to someone that in this time of encryption backdoor and such, this is also a good starting point to another mass surveillance system ? Mandate US manufacturers to embed remote access for the use of the government, then as you've made those routers the only ones authorized on the us soil (let's not be foolish about that approval process, it will be a smoke screen) you basically have a backdoor to every citizen home.
Yes china routers are a liability, but free trade and open market ensure at least one thing that's essential : no single state has surveillance capability on its entire population
Seems like now is as good a time as any for people who know how to do this to build their own routers with Pfsense, Opnsense, ClearOS, or one of the many other firewall/router distros out there.
You can get an old desktop or laptop that's more than good enough to be a router for basically nothing (or sometimes literally nothing) on Craigslist or Ebay. I suspect pretty much anyone who frequents this forum could probably figure out how to do it with a YouTube tutorial. Routers are pretty dumb computers, so you don't need something top of the line.
Even if you want higher speed than the ethernet port built into the computer, you can buy old dual-port 10GbE PCIe cards for less than $50 on eBay as well.
I've been running my own custom thing with NixOS for a couple years now, and it's been working great, and before that I ran ClearOS for a couple years, and before that I ran OpnSense for a couple years. They all work fine, and they're not too hard to set up. I recommend it to anyone who can figure out how to do it.
Considering this is after Loper Bright Enterprises v. Raimondo (2024), it will be interesting to see if this holds up to judicial scrutiny.
The FCC's power just got substantially nerfed, and "we've decided to slow lane all foreign-made routers" feels like that may have been beaten on the old, higher, standard. Let alone the new one that gives the FCC almost no power.
The FCC is bypassing the public comment period by having the DOD classify this as a national security concern. This is blatant collaboration between agencies to expand their respective authorities into a new amalgamation that stretches far beyond their congressional authorization.
A little rich coming from the administration that supports a strict view of the major questions doctrine. They have no problem kneecapping the EPA. But the communications commission has the right to ban all drones (and not the FAA for example).
I'd say I'm shocked but I am not. Their next order forcing backdoors will be secret.
For the device manufacturers, the obvious solution is to sell them as general-purpose computers. You can already get devices that had started out as Raspberry Pi clones but evolved into excellent DIY network appliances, with multiple high-speed Ethernet and SSD ports that are great for running a NAS, proxy server, firewall, or all three, and more. Rarely do they have good WiFi, but if manufacturers start selling hardware that has been traditionally sold as a locked-down routers or access points, but include a generic Linux installation, it'll compete will well with the aforementioned hardware.
Next they'll come for our OpenWRT-flashable equipment.
I've already done everything the article says to do years ago, but what happens when this equipment dies? Can I get a replacement, and is it flashable? I currently use "routers" as access points because it's the cheapest way to get an AP for OpenWRT.
Because of this, I'm going to plan my next network upgrade based on open source hardware like Banana Pi. My setup is based on WiFi 7 so this might not apply for a few years. From my understanding, the hardware from proprietary manufacturers is sufficiently advanced to do some advanced surveillance and spyware, whereas previous generations didn't require advanced processing to achieve fiber optic speeds. Back to the original statement, it's clear that the threat of surveillance exists.
Personally, I don't make the distinction between foreign and domestically produced routers in America. In fact, I trust foreign produced routers more because the likelihood that they can act upon their surveillance is significantly lower than the current American regime's oppressive and malicious tactics. Therefore, open source routers provides enough transparency to effectively eliminate spyware threats from all angles while being compliant.
I'm especially excited about the Banana Pi because of the transparency and potential of modular upgrades. Whenever there's a network issue, I have to consider whether the manufacturer (American or not) is doing something nefarious. With a Pi based router, I have much more peace of mind with network debugging issues.
This is the same thing they did to drones. It's corruption. It doesn't even make sense from an extreme isolationist point of view, because there's no path to create domestic manufacturing.
I'm guessing the rest of this looks like drones, too: FCC approval is given only to American companies that bribe members of the administration, and they raise prices through the roof. The routers are still manufactured overseas and there's no improvement in security.
I would be more impressed if they would ban all enterprise routers manufactured in China. I have had to continuously patch and meticulously mitigate severe vulnerabilities and bugs in Cisco, Dell, HPE, Extreme, Arista routers, switches, fabrics, and others. These are all manufactured in China, Taiwan, Hong Kong, Vietnam, Malaysia, Thailand, and probably elsewhere in the Greater China region... Actually I take it all back. I wish they would just ban companies from shipping bad code and sanction them for causing millions of hours of required labor to ensure their manufacturing defects do not harm businesses and their customers. Thank you for your attention to my chatter.
This would be so much less of a pain if decent wifi pcie cards were available.
It's all a bunch of very expensive kind of dodgy Compex cards, used for industrial or prototype purposes. Be prepared to spend $300+ for a single 4x4 MIMO card. And then you want to go dual band right?
Thankfully the MediaTek offerings are somewhat available and much much much cheaper, but reports are that driver quality is just absymal.
Meanwhile the openwrt table of hardware for wifi 6 and wifi 7 is a bare trickle already, and inceasingly not consumer routers but SBC. Thanks for the FCC messing things up brutally already, back in 2015, with requirements to make sure users couldn't possibly do anything out of spec, requiring these systems to be locked down. They almost banned open source outright, but in practice it feels like the requirements are high enough that they practically did. https://toh.openwrt.org/?features=wifi_behttps://arstechnica.com/information-technology/2016/03/tp-li...
Frelling FCC! What dastardly deeds done against civilization! We would be so much more secure & protected, the bar would be so much higher if open source / openwrt was allowed to compete. You messed everything up already!!
Can't wait to see the price of the first US made home router. We [USA] really need a formal designation of trusted supply chain partners. Would improve security and make a useful bargaining chip.
What exactly does "produced" mean in this context? That the final assembly was done here, software was written here, PCB was assembled here, SoCs and ICs wwre manufactured here, or something else? Regardless, while consumer routers are 9 of 10 times insecure garbage, it's hard to think of any that aren't manufactured outside the US.
To me, this is a deeply dangerous situation for the state & for the population, where it is nearly impossible for consumers and businesses to purchase gear that they can secure. Where we are at the mercy of what is on the market, and no actual securing of our own can occur.
The FCC claimed in 2015 they were not trying to forbid open source systems, but the additional compliance demands they have made unsupportable unsecurable devices the default state: the FCC mandated companies make sure the users dont have freedom, make sure the wifi performance is locked down, and the most obvious path to that end is to just lock out the user entirely. Open source isn't outlawed, but the FCC turned a good working amazing open source movement into something that is incredibly rare and hard to do. The FCC assurances (https://www.eff.org/deeplinks/2015/11/free-router-software-n...) have not proven true (https://news.ycombinator.com/item?id=11122966): everything has gotten worse for security & availability (https://news.ycombinator.com/item?id=11122966).
Prediction: there will appear new "Made in the USA" routers that differ from some Chinese model only by the label. Already the case in Russia for e.g. powerbanks.
(reposting this comment from the other thread which discusses the same topic, I'm sorry for any trouble that may cause)
From one side, that sure... does have some point. Well, I mean, one could potentially install some kind of a backdoor on the networking hardware they produce, and if it's state-controlled, then it could potentially be a threat.
From the other side, though...
That's crazy. Maybe I'm missing something obvious, or maybe I'm just stupid, I don't know; but at this point, with almost no manufacturing in the USA, this feels like shooting yourself in the foot. Or rather, it's like shooting yourself straight up in the head if manufacturing will not be efficiently (so it can satisfy the demand) moved to the USA (which is a big challenge).
This will keep expanding until a lot of radio equipment is locked down. This is an obvious first move, but the fundamental problem is there's nothing stopping your hacked radio equipment from usefully spying on whoever is in range, to a degree that simply isn't appreciated even around here.
It's also a quasi inevitable side effect of the push to encrypt all communication back to the cloud, since now it's too easy for malicious devices to hide what they're sending back.
Back to wearing the tin foil hat in my faraday cage.
As someone who works with networking (consumer prosumer enterprise everything) the problem is far more complex than : make it open.
Manufacturers can support devices for long but it costs money which the consumers / businesses aren’t willing to pay or value. Cybersecurity is a joke and the general consensus is : we will pay for things as and when there is a fire. We don’t put a price on prevention because we can’t really show it to shareholders how we profited from not being attacked since we blocked those. So we create an arbitrary certification and pass things according to it. This certification doesn’t say anything about firmware. But if we do get attacked then we can convince the shareholders to spend money on better equipment this financial year and then not bother until the next time we have a problem.
Some of these certifications focus on what the devices allow you to do (like acls and firewalls) and see if they pass these tests. But actually looking at the firmware and finding vulnerabilities is not in scope.
Yeah, it does sound like this should be focused on verifying firmware, including all future updates. If a Chinese company builds the router at a US Foxconn site, it is still the same situation.
If worried about supply chain and inside jobs, I worry more about the IoT widgets I have. They are already inside the LAN, can access the internet, etc.
Anyway, bribes aside, this is probably just a talking point and not much actually changes.
The Spirit of this law __must__ also now apply to SoCs produced by non-allied nations that feature USFCC-approved RF microelectronics, such as __ESP32__ Here's to hoping USFCC gets around to also reflecting this in the Letters of this law sooner, rather than later.
To clarify (since the headlines of many articles about this aren't clear about it), this states that it prohibits approval of new Models, so any models that already cleared FCC certification can still be sold in the US, even if they're made overseas.
This is for newly released models that still need to get FCC certification.
The escalation path is probably: have some relationship to an entity that doesn't care about you -> make sure that entity becomes your enemy -> the enemy now has an incentive to see you as an enemy -> you must now be afraid of your new enemy.
One purpose for taxes is to shape behavior. If the behavior they wish for is to have more manufacturing in the US, you increase the taxes of outsourcing it. IOW, you make it more desirable to manufacture locally.
Is there any confirmation whether this includes Ubiquiti equipment? I think this blanket affects consuner routers but exempts business routers? And I’m not sure which ubiquiti would fall under!
I just bought a new router 6 months ago to support wifi 7. Hopefully manufacturers will be willing to jump through the hoops for long term support. Don't want to Flash OpenWrt.
431 comments
Manufacturers have never had to care about security because no Gov agency would ever mandate secure firmware. This includes the FCC which license their devices and the FTC who (until recently) had the direct mandate to protect consumers.
Our most recent step backward was to gut those agencies of any ability to provide consumer oversight. All they they can do now is craft protectionist policies that favor campaign donors.
The US has a bazillion devices with crap security because we set ourselves up for this.
> Manufacturers have never had to care about security because no Gov agency would ever mandate secure firmware.
The problem is that "secure firmware" is a relativistic statement. You ship something with no known bugs and then someone finds one.
What you need is not a government mandate for infallibility, it's updates. But then vendors want to stop issuing them after 3 years, meanwhile many consumers will keep using the device for 15. And "require longer support" doesn't fix it because many of the vendors will go out of business.
What you need is the ability for consumers to replace the firmware.
That solves the problem in three ways. First, when the company goes out of business you can still put a supported third party firmware on the device. Second, you can do that immediately, because the open source firmwares have a better security record than the OEMs to begin with. And third, then the device is running a widely used open source firmware instead of a custom device-specific proprietary black box, which makes it easier for the government or anyone else who is so inclined to find vulnerabilities and patch them.
> What you need is not a government mandate for infallibility, it's updates
So, we don't need an electrical code to enforce correct wiring. We just need a kind soul driving by our house to notice the company who built our house wired it up wrong. Then that kind person can inform the company of the bad wiring.
And if the company agrees it's their wiring at fault, we can wait 3 months for a fix. Then the next month another kind soul finds more bad wiring. And we just have to hope there is an army of kind strangers out there checking every building built by every company. And hope in the meantime that the building doesn't burn down.
Meanwhile, people have to live with bad wiring for years, that could have been completely prevented to begin with, by an electrician following the electrical code we all already agree on.
> So, we don't need an electrical code to enforce correct wiring.
For an analogy to work, its underlying elements should have a relation to the target. Your analogy is not in the same universe. For electrical work, there is a baseline of materials and practices which is known to produce acceptable results if adhered to. For software, there isn't. (Don't tell me about the Space Shuttle. Consumer software doesn't cost tens of millions and isn't written with dedicated teams over the decades.)
Software absolutely has baseline materials, have you never written software before? Never used a library? Programming language? API? Protocol? Data format or specification? CPU instruction? Sorting algorithm? A standard material is just a material tested to meet a standard. A 10d nail is a 10d nail if it meets the testing specs for 10d nails (ASTM F1667). Software can be tested against a spec. It's not rocket surgery.
No known practices with acceptable results?? Ever heard of OWASP? SBOMs? Artifact management? OIDC? RBAC? Automated security scanning? Version control? Code signing? Provenance? Profiling? Static code analysis? Strict types? Formal proofs? Automated testing? Fuzzing? Strict programming guidelines (ex. NASA/DOD/MISRA/AUTOSAR)? These are things professionals know about and use when they want standard acceptable results.
What are you talking about re: space shuttle and tens of millions? Have you actually read the coding standards for Air Force or NASA? They're simple, common-sense guidelines that any seasoned programmer would agree are good to follow if you want reliability.
I think the problem here is there's too many armchair experts saying "Can't be done" when they don't know what they're talking about, or jaded old fogeys who were on some horrible government project and decided anything done with rigor will be terrible. That's not the way it is in the trades, in medicine, in law, and those folks actually have more to think about than software engineers, and more restrictions. I think SWEs are just trying to get out of doing work and claiming it's too difficult, and the industry doesn't want to stop the free ride of lack of accountability it's had for decades.
AI is going to introduce 100x more security holes than before, so something will have to be done to improve security and reliability. We need to stop screwing around and create the software building code, before the government does it for us.
> What are you talking about re: space shuttle and tens of millions?
GP was almost certainly referring to "They Write the Right Stuff," an old article that is pretty well known in spaces like this. It discusses a process that (a) works extremely well (the engine control software was ~420 kLoC with a total of 17 bugs found in a window of 11 versions) and (b) is extremely expensive (the on-board shuttle software group had a budget of ~35 million per year in mid-90s dollars).
> The analogy does work. The house is any software provided by any vendor.
Even before we start, you immediately have a problem. When a house is built, the thing to be inspected is built in the jurisdiction requiring the inspection.
If you have some code being written in China or India and some US jurisdiction wants to require the sort of programming practices you're suggesting, is the US going to send inspectors to other countries? How do they even validate that the processes are being followed either way? And what are you proposing to do with all the existing code that was written in the past? Requiring the company to have a checklist included in their book of procedures that nobody is actually following doesn't solve anything.
The way this nominally works for building inspections is that the inspector waits until after the work is done and then inspects the work, but that's a validation of the result rather than the procedures. The equivalent for code is an audit, which is dramatically more labor intensive for the government than sending someone to have a quick look to see if the wires appear to be hooked up right, if you expect it to actually do anything.
> I think the problem here is there's too many armchair experts saying "Can't be done" when they don't know what they're talking about
There are too many armchair experts saying "if they can land a man on the moon then surely they can land a man on the sun."
> That's not the way it is in the trades, in medicine, in law, and those folks actually have more to think about than software engineers, and more restrictions
First notice that you're listing all the professions where costs are out of control and the incumbents have captured the regulators to limit supply.
On top of that, those regulations are not even effective in solving the analogous problem. For example, the ethical requirements for lawyers nominally require them to do the thing public defenders aren't provided with the ability to do, i.e. spend enough time on the case to give the client adequate representation. Public defenders are given more clients by the state than they have the resources to actually represent. Quite unsurprisingly, this utterly fails to solve the problem of indigent defendants not having adequate representation.
But that's the thing most analogous to what you're proposing. If you nominally require companies to do something they otherwise have no real incentive to do, which you have no efficient way of verifying that they've done, and provide them no additional resources to do it, you can't expect "they will now do it well" to be the result.
> I think SWEs are just trying to get out of doing work and claiming it's too difficult, and the industry doesn't want to stop the free ride of lack of accountability it's had for decades.
What makes you think the software developers are the ones objecting to it? They, and the incumbent companies trying to raise costs on smaller upstarts, are the ones trying to establish a new racket and exclude newcomers from the industry. The ones objecting are the customers, and anyone who values efficiency and efficacy.
> We need to stop screwing around and create the software building code, before the government does it for us.
"We need to stop screwing around and create the Torment Nexus, before the government does it for us."
> Don't tell me about the Space Shuttle
The Space Shuttle sure blew up a lot for something with that much process applied.
Many of these devices have security flaws that are horrific and out of best practices by over a decade.
Just having something like "Have a bonded 3rd party security team review the source code and running router software" would solve around 95% of the stupid things they do.
> Just having something like "Have a bonded 3rd party security team review the source code and running router software" would solve around 95% of the stupid things they do.
It would certainly help, but no economically feasible amount of auditing and best practices could lead to having a warranty on that software. My thesis is that our current understanding of software is fundamentally weaker than that of practical applications of electricity, so it makes no sense to present analogies between the two.
> So, we don't need an electrical code to enforce correct wiring.
Are you familiar with how the actual electrical code works? It's a racket. The code is quite long and most of the inspectors don't know most of it so only a small subset is ever actually checked, and that only in the places where the person doing the work is actually pulling permits and the local inspector isn't corrupt or lax in areas the local tradespeople have learned that they're lax. Then we purposely limit the supply of licensed electricians so that they're expensive enough that ordinary people can't afford one, so that handyman from Craigslist or whatever, who isn't even allowed to pull permits, is the one who ends up doing the work.
It only basically works because no one has the incentive to purposely burn down your house and then it only happens in the cases where the numerous violations turned out to actually matter, which is rare enough for people to not get too upset about it.
But the thing that makes it a racket is the making the official process expensive on purpose to milk wealthy homeowners and corporations who actually use the official process, which is the same thing that drives common people to someone who charges a price they can afford even knowing that then there no inspection.
> Then that kind person can inform the company of the bad wiring.
The point is rather that when the homeowner discovers that their microwave outlet is heating up, they can fix it themselves or hire an independent professional to do it instead of the company that built the house (which may or may not even still exist) being the only one who can feasibly cause it to not stay like that until the house is on fire.
Trying to make analogies from software to hardware will always fall down on that point. If you want to argue that there should be stricter security & correctness requirements for routers, maybe look more toward "here is how people actually treat them in practice" with regard to ignoring updates...?
> I mean, if you could download an update that would fix the wiring in your house, it would be much less critical that the initial installer got it right
As in my example, some random stranger needs to first find out your "house" (the vendor's software) is wired wrong. And this needs to happen for every "house" (every piece of software). While waiting for this to be discovered, your house burns down (hackers penetrate millions of devices, or perhaps just Microsoft Sharepoint that the govt is uses).
Those standards aren’t related to the functionality or security of the router.
Jokes aside, there's so much low-hanging fruit in IoT it's utterly ridiculous. Having any standards at all would be an improvement.
> What you need is the ability for consumers to replace the firmware.
I don't think that's enough. Most people aren't going to replace the firmware on their device with an open source replacement made by someone else. Now if the firmware was required to be open source, and automatic updates could be seamlessly switched over to a non-profit or government agency in the event of the company going out of business, you might have something. But there would be a lot of details to work out.
That "genericness" is what's missing in the router space. Literally every consumer router that comes out has some super proprietary design that's meant to be replaced in its entirety in 3-4 years. Many can run Linux, sure, but how many have a replaceable/upgradable board? How many are like a PC where you can install whatever OS you want?
Sure, you can forcibly flash a new OS (e.g. OpenWRT) but that is a hack. The company lets you do that because they figure they'll get a bit more market share out of their products if they don't lock the firmware so much. They key point remains, however: They're not just hardware—even though they should be!
The world of consumer routers needs a PC-like architecture change. You can buy routers from companies like Banana Pi and Microtik like this but they're not marketed towards every-day consumers. Mostly because they're considered "too premium" and require too much expertise to setup.
I think there's a huge hole in the market for consumer-minded routers that run hardware like the Banana Pi R4 (which I have). When you buy it, you get the board and nothing else. It's up to you to get a case and install an OS on it (with OpenWRT, Debian, and Ubuntu being the normal options).
We need something like the Framework laptop for routers. Not from a, "it has interchangeable parts" perspective but from a marketing perspective. Normal people are buying Framework laptops because geeky friends and colleagues recommend them and they're not that much more expensive/troublesome than say, a cheap Acer/Asus laptop.
> They key point remains, however: They're not just hardware—even though they should be!
This is the most thoughtful comment I've seen on this topic. I hadn't even considered this approach, but you're right. The hardware needs to be commoditized in a way that makes the software a layer that can be replaced. Someone else said this but in a way that described flashing a third-party package as HN nerds would. That's too much effort and it won't work.
It should be as generic as PC hardware. Every router manufacturer should build devices that can run the OSes of all their competitors' devices and vice versa. Maybe some features won't work with the other company's OS cause it isn't designed for that, but overall it ought to be replaceable. "Normal people" still wouldn't flash a new OS, but making it an option is a step towards making devices more secure.
If every router could get a new OS as easily as your techy friend could install Firefox or an ad-blocker or whatever else, we'd start the long march to a real longterm solution.
> Every router manufacturer should build devices that can run the OSes of all their competitors' devices and vice versa.
Or they could just run an existing open source OS, like openwrt.
I had to verify that OpenWRT was compatible when I bought it _to be a backup_. Re-read what I said about everything being commodity hardware that can run any other device firmware / OS.
> I suggest reading up on wifi and RF before going further.
I'd suggest neither matter in the face of how the problem is solved in the consumer cards the OP was talking about. They solve it by locking down the firmware that controls the radios.
The reality is most routers do that too. You can replace the firmware in most of them with OpenWRT or something similar. You still can't exceed regulatory limits because of the signed blobs of firmware in the radios.
Nonetheless, here we are getting comments like yours, which imply all firmware in the device must be behind a proprietary wall because a relatively small blob of firmware in them must be protected. It has its own protections. It doesn't need to be protected by the OS or the application that runs on top of it.
Yet it's in those applications where most of the vulnerabilities show up. Making them consumer replaceable would help in solving the problem. Protecting the firmware is not a good reason to not do it.
We don't have to look far. The embedded space with Arduinos, ESP32s and even RPis is a hacker's paradise. Yet the radio stack is restricted in all of them. For instance, it's not possible to take an ESP32 board and turn it's single antenna into a MIMO configuration, even if you make a custom PCB with trace antennas.
sure, but again, why would the RF transceiver on my desktop PC or in my laptop be any different than the one in my router?
i will allow sunsetting and removing ipv4 after 2020 (that is more that 5 years ago)
What they're actually trying to do is obsolete the devices faster because then they won't add new protocols or other software-only features to older devices so you have to buy a new one, or only expose features in more expensive models that the less expensive hardware would also be capable of doing. Which is all the more reason for us to not have that.
And if they were required to allow anyone to replace the firmware then you would get companies reflashing and selling them that way from the store because the free firmware has more advertisable features. There's a reason you can go to major PC OEMs and pick between Windows, Linux and "don't even install one" and the reason is that if you give customers a choice, they generally don't want their software to be made by the OEM.
> What they're actually trying to do is obsolete the devices faster
This is exactly why. Obsoleting older devices keeps (in their eyes) the purchase treadmill running. Making a device that could be updated forever means never making another sale to that user (unless some physical failure happens, or the user wants a second one).
Anyhow, this is a common enough practice. Many companies that provide infrastructure type software and sell to Fortune 500 companies often have a clause whereby they deliver their software to their customers if the shut down.
And you can't wait until after they're dead to have them do something. By then they're gone or judgment proof because they're already bankrupt. Especially when you're talking about companies that aren't in the jurisdiction because you can't even make them do anything when they're already not shipping products to you anymore. It has to be from Day 1.
There was a promising design from Azure Sphere for 10 years of IoT device Linux security updates from Microsoft, even if the IoT vendor went out of business. This required a hardware design to isolate vendor userspace code from device security code, so they could be updated independently. Could be resurrected as open standard with FRAND licensing.
A decade of security updates for routers would require stable isolation between low-level device security and IoT vendor userspace. In Sphere, the business model for 10 years of paid updates was backed by hardware isolation. Anyone know why it didn't get market traction? There was a dev board, but no products shipped.
>Anyone know why it didn't get market traction?
Oh gee. Maybe because no one sane looks at an industrial product adversarially built to confine and prevent the end user from doing anything to it and wants anything to do with it? It isn't rocket science. If I can't buy it and get a damn manual and programming tools to twiddle all the bits, I'm not adopting. Not even at gunpoint, or if you're the last supplier on Earth. I won't be held voluntarily hostage because a bunch of corporate types, and bureaucrats decided to work together to normalize adversarial silicon. Multiply by everyone I know, and anyone with enough braincells to rub together to pattern match "regulatory capture" and "capitalist rent seeking". You can call me a bore if you want. The incentives are completely unaligned, as this place is so fond of saying. End user adoption is built on faith in product. End user capacity to have faith in the product is based on the capability of the technically savvy purchaser to keep the thing running, repair, understand, and explain it to the non-technically savvy. I look at adversarial silicon isolating me from the hardware; I have to sound off-my-rocker to my non tech-savvy friends family to actually explain that yes, there are industrial cabals out to keep you from doing things with the thing you bought.
It doesn't make any business sense, or practical sense whatsoever. Don't bother quoting regulations that demand the isolation (baseband processors and radio emission regulations) at me. Yeah. I know. I've read those too.
Get over business models that require normalized game theory, and we can talk. Until then, enjoy never having nice things catch on. Hint: your definition of "nice" (where I can't control how it works after purchase) is mutually exclusive with things I'm willing to syndicate as "nice". Nice people don't manipulate others.
> And "require longer support" doesn't fix it because many of the vendors will go out of business.
Which is not a real issue in practice. It's like arguing that warranty doesn't matter because the vendor might go out of business.
> What you need is the ability for consumers to replace the firmware.
> That solves the problem in three ways.
That alleviates the problem, but definitely doesn't solve it. Updates are still required, and most people will never update devices they don't directly interact with.
Enterprise must be able to pay for support for as long as they use devices. Solved.
I can only think of requiring the devices to be serviceable, as you say. The absolute only way I can think of charging the consumers, ie the owners, is to charge a tax on internet connections. Then the government would pay somehow vulnerability hunters working along patchers, who can oversee each other.
Consumers are tricky: if you include support in the sale price, the company will grab the money and run in 3 or 5 years; and some companies will sell cheaper because they know they won't provide support.
>
But then vendors want to stop issuing them after 3 yearsTough shit. You provide updates for the mandated amount of time, or you lose access to the market. No warnings, you're just done.
> And "require longer support" doesn't fix it because many of the vendors will go out of business.
Source code escrow plus a bond. The bond is set at a level where a third party can pay engineers to maintain the software and distribute updates for the remainder of the mandated support period. And as time passes with documented active support, the bond requirements for that device go down until the end of the support period.
Requiring that the customer be allowed to replace the firmware is essential, I agree, but not for this reason. That requirement, by itself, just externalizes the support costs onto open source communities. Companies that sell this sort of hardware need to put up the resources, up front, irrevocably, to ensure the cost of software maintenance is covered for the entire period.
Personally I don't buy consumer router hardware that I can't immediately flash OpenWRT on, but that option is not suitable for the general public.
How does one ensure the support for the devices is funded?
You managed to say that with a straight face!
Let's keep this ... non partisan. You might recall that many vendors have decided to embed static creds in firmware and only bother patch them out when caught out.
How on earth is embedded creds in any way: "no known bugs"?
I think we are on the same side (absolutely) but please don't allow the buggers any credibility!
>And "require longer support" doesn't fix it because many of the vendors will go out of business.
Do you mean 'out of business so they cannot provide updates'?
Because, if you mean cheap companies won't be able to provide updates and stay in business, surely that's the point. Companies would have to shim to a standardised firmware that was robust, or something, to keep costs down.
Isn't this all to protect USA business interests and ensure the Trump regime can install their own backdoor though?
>The problem is that "secure firmware" is a relativistic statement.
No it isn't, software formally verified to EAL7 is guaranteed to be secure.
> Producers of consumer-grade routers that receive Conditional Approval from DoW or DHS can continue to receive FCC equipment authorizations.
In other words, foreign-made consumer routers are banned by default. But if you are a manufacturer, you can apply to get unbanned ("Conditional Approval").
In the FAQ (https://www.fcc.gov/faqs-recent-updates-fcc-covered-list-reg...), they even include guidance on how to apply: https://www.fcc.gov/sites/default/files/Guidance-for-Conditi...
If you (a manufacturer) apply, they want information regarding corporate location, jursidiction, and ownership. They want a bill of materials with country of origin and a justification for why any foreign-sourced components can't be domestic. They want information about who provides software and updates. And they want to hear your plan to increase US domestic manufacturing and progress toward that goal.
So, foreign-made consumer routers can still be sold, but they are going to look at them with a fine-tooth comb, and they are going to use FCC approval as leverage to try to increase domestic manufacturing.
Yes china routers are a liability, but free trade and open market ensure at least one thing that's essential : no single state has surveillance capability on its entire population
You can get an old desktop or laptop that's more than good enough to be a router for basically nothing (or sometimes literally nothing) on Craigslist or Ebay. I suspect pretty much anyone who frequents this forum could probably figure out how to do it with a YouTube tutorial. Routers are pretty dumb computers, so you don't need something top of the line.
Even if you want higher speed than the ethernet port built into the computer, you can buy old dual-port 10GbE PCIe cards for less than $50 on eBay as well.
I've been running my own custom thing with NixOS for a couple years now, and it's been working great, and before that I ran ClearOS for a couple years, and before that I ran OpnSense for a couple years. They all work fine, and they're not too hard to set up. I recommend it to anyone who can figure out how to do it.
The FCC's power just got substantially nerfed, and "we've decided to slow lane all foreign-made routers" feels like that may have been beaten on the old, higher, standard. Let alone the new one that gives the FCC almost no power.
> all consumer-grade routers produced in foreign countries
Are there even consumer-grade routers that are produced in the USA...?
A little rich coming from the administration that supports a strict view of the major questions doctrine. They have no problem kneecapping the EPA. But the communications commission has the right to ban all drones (and not the FAA for example).
I'd say I'm shocked but I am not. Their next order forcing backdoors will be secret.
I've already done everything the article says to do years ago, but what happens when this equipment dies? Can I get a replacement, and is it flashable? I currently use "routers" as access points because it's the cheapest way to get an AP for OpenWRT.
Personally, I don't make the distinction between foreign and domestically produced routers in America. In fact, I trust foreign produced routers more because the likelihood that they can act upon their surveillance is significantly lower than the current American regime's oppressive and malicious tactics. Therefore, open source routers provides enough transparency to effectively eliminate spyware threats from all angles while being compliant.
I'm especially excited about the Banana Pi because of the transparency and potential of modular upgrades. Whenever there's a network issue, I have to consider whether the manufacturer (American or not) is doing something nefarious. With a Pi based router, I have much more peace of mind with network debugging issues.
I'm guessing the rest of this looks like drones, too: FCC approval is given only to American companies that bribe members of the administration, and they raise prices through the roof. The routers are still manufactured overseas and there's no improvement in security.
It's all a bunch of very expensive kind of dodgy Compex cards, used for industrial or prototype purposes. Be prepared to spend $300+ for a single 4x4 MIMO card. And then you want to go dual band right?
Thankfully the MediaTek offerings are somewhat available and much much much cheaper, but reports are that driver quality is just absymal.
Meanwhile the openwrt table of hardware for wifi 6 and wifi 7 is a bare trickle already, and inceasingly not consumer routers but SBC. Thanks for the FCC messing things up brutally already, back in 2015, with requirements to make sure users couldn't possibly do anything out of spec, requiring these systems to be locked down. They almost banned open source outright, but in practice it feels like the requirements are high enough that they practically did. https://toh.openwrt.org/?features=wifi_be https://arstechnica.com/information-technology/2016/03/tp-li...
Frelling FCC! What dastardly deeds done against civilization! We would be so much more secure & protected, the bar would be so much higher if open source / openwrt was allowed to compete. You messed everything up already!!
Previous example: https://news.ycombinator.com/item?id=37392676
Numerous papers showing the ability to easily map indoors areas with WiFi (including occupancy) it’s a liability.
There will be excuses “tariffs” etc but I heard a few have gotten calls from three letter agencies coyly telling you to improve your systems.
It’s a chance to refresh the product line! (of course at the worst time when mem prices are bleed you dry high)
But largely thanks to FCC demands, the list of router hardware that can run open source operating systems such as OpenWRT has dwindled to a trickle. There's very precious few wifi 7 / BE systems available, and only a few wifi 6! it's ghastly. https://toh.openwrt.org/?features=wifi_be https://toh.openwrt.org/?features=wifi_ax
To me, this is a deeply dangerous situation for the state & for the population, where it is nearly impossible for consumers and businesses to purchase gear that they can secure. Where we are at the mercy of what is on the market, and no actual securing of our own can occur.
The FCC claimed in 2015 they were not trying to forbid open source systems, but the additional compliance demands they have made unsupportable unsecurable devices the default state: the FCC mandated companies make sure the users dont have freedom, make sure the wifi performance is locked down, and the most obvious path to that end is to just lock out the user entirely. Open source isn't outlawed, but the FCC turned a good working amazing open source movement into something that is incredibly rare and hard to do. The FCC assurances (https://www.eff.org/deeplinks/2015/11/free-router-software-n...) have not proven true (https://news.ycombinator.com/item?id=11122966): everything has gotten worse for security & availability (https://news.ycombinator.com/item?id=11122966).
From one side, that sure... does have some point. Well, I mean, one could potentially install some kind of a backdoor on the networking hardware they produce, and if it's state-controlled, then it could potentially be a threat.
From the other side, though...
That's crazy. Maybe I'm missing something obvious, or maybe I'm just stupid, I don't know; but at this point, with almost no manufacturing in the USA, this feels like shooting yourself in the foot. Or rather, it's like shooting yourself straight up in the head if manufacturing will not be efficiently (so it can satisfy the demand) moved to the USA (which is a big challenge).
It's also a quasi inevitable side effect of the push to encrypt all communication back to the cloud, since now it's too easy for malicious devices to hide what they're sending back.
Back to wearing the tin foil hat in my faraday cage.
Effectively banning all consumer routers.
Manufacturers can support devices for long but it costs money which the consumers / businesses aren’t willing to pay or value. Cybersecurity is a joke and the general consensus is : we will pay for things as and when there is a fire. We don’t put a price on prevention because we can’t really show it to shareholders how we profited from not being attacked since we blocked those. So we create an arbitrary certification and pass things according to it. This certification doesn’t say anything about firmware. But if we do get attacked then we can convince the shareholders to spend money on better equipment this financial year and then not bother until the next time we have a problem.
Some of these certifications focus on what the devices allow you to do (like acls and firewalls) and see if they pass these tests. But actually looking at the firmware and finding vulnerabilities is not in scope.
I switched away from Omada to Ubiquiti, because of TP Link’s problems.
I can’t think of a complete start to finish, OS to mosfets, computer that is 100% manufactured in the United States.
If worried about supply chain and inside jobs, I worry more about the IoT widgets I have. They are already inside the LAN, can access the internet, etc.
Anyway, bribes aside, this is probably just a talking point and not much actually changes.
[cue https://youtu.be/EnIm71jRb_o]
Thats what this is all about: government level blackmail.
This is for newly released models that still need to get FCC certification.
[0] https://mono.si/
One purpose for taxes is to shape behavior. If the behavior they wish for is to have more manufacturing in the US, you increase the taxes of outsourcing it. IOW, you make it more desirable to manufacture locally.
This is kind of a boneheaded way of handling whatever issues they're claiming.
Is this just another mass surveillance operation?