96 comments

[ 4.0 ms ] story [ 74.6 ms ] thread
> all consumer-grade routers produced in foreign countries

Are there even consumer-grade routers that are produced in the USA...?

The only one I know of: https://www.islandrouter.com/

> In conjunction with original software development, Island is designed and assembled in the USA to improve security and enable tighter quality control throughout the entire production process. The code for Island routers has only been loaded internally at Island HQ in the U.S; customer support is also managed directly in our U.S. Headquarters.

(comment deleted)

    The FCC maintains a list of equipment and services (Covered List) 
    that have been determined to “pose an unacceptable risk to the
    national security

    Recently, malicious state and non-state sponsored cyber attackers
    have increasingly leveraged the vulnerabilities in small and home
    office routers produced abroad to carry out direct attacks against
    American civilians in their homes.
Vulnerabilities have nothing to do with country of manufacture. They have always been due to manufacturers' crap security practices. Security experts have been trying to call attention to this problem for 2 decades.

Manufacturers have never had to care about security because no Gov agency would ever mandate secure firmware. This includes the FCC which license their devices and the FTC who (until recently) had the direct mandate to protect consumers.

Our most recent step backward was to gut those agencies of any ability to provide consumer oversight. All they they can do now is craft protectionist policies that favor campaign donors.

The US has a bazillion devices with crap security because we set ourselves up for this.

> no Gov agency would ever mandate secure firmware

Interestingly, Europe is about to try this: the Cyber Resilience Act is going to become obligatory for all sold digital products (hardware & software) by the end of 2027, with a bunch of strict minimum requirements: no hardcoded default passwords, must check for known vulnerabilities in components/dependencies, encryption for data at rest, automatic security updates by default (which must be separate from functionality updates), etc.

Remains to be seen whether this'll help, but good to see somebody have a go at fixing this.

If they cared about security they'd mandate time to fix for the found vulnerabilities, or outright requested the source to be available
So after two decades, the FCC finally does something about insecure routers by banning security updates unless you jump through a bunch of extra hoops. That's definitely going to improve the situation.
> Vulnerabilities have nothing to do with country of manufacture. They have always been due to manufacturers' crap security practices.

True, but the country of manufacture is related to the risk of back doors.

There is a huge security problem (everywhere, not just the US) with insecure consumer devices (not just routers, everything from Wi-fi enabled lightbulbs to cars). AT least someone seems to be waking up to the problem even if their solution is half-baked.

>Vulnerabilities have nothing to do with country of manufacture.

That depends on how you define "Vulnerability", doesn't it?

For instance, from some standpoints, the absence rather than presence of a backdoor in consumer routers could be considered a "vulnerability", no?

Considering this is after Loper Bright Enterprises v. Raimondo (2024), it will be interesting to see if this holds up to judicial scrutiny.

The FCC's power just got substantially nerfed, and "we've decided to slow lane all foreign-made routers" feels like that may have been beaten on the old, higher, standard. Let alone the new one that gives the FCC almost no power.

If we wanted secure products, we wouldn't ban devices. We'd mandate they open their firmware to audits.
Not all of the functionality is in the firmware though. You can put stuff in the silicon itself that allows backdoors.

It's very difficult to inspect a laid out chip for nefarious elements - there's too much of it to do manually. Having a secure supply chain is probably the best way to prevent that happening.

Which is not to say that I support this rule - it sounds like another import weapon trump can swing against people who aren't his friends.

And exactly how many consumer routers are not foreign made?
If you actually read the notice, it exempts models that have been approved. So this just seems to require approvals by DOH or DHS ,": Routers^ produced in a foreign country, except routers which have been granted a Conditional Approval by DoW or DHS." I take this to mean it is just adding security approvals for this type of thing to DOw and DHS. It is not a ban of all future models. It's just saying explicitly that instead of having to review models already in the market and determine that they should be removed because of nation state or other security concerns they are reviewing them before they go to market. Would be nice if people actually read it instead of hyperventilating.
I'd gladly buy an American-made router if one existed!
This part of the press release seems pretty crucial:

> Producers of consumer-grade routers that receive Conditional Approval from DoW or DHS can continue to receive FCC equipment authorizations.

In other words, foreign-made consumer routers are banned by default. But if you are a manufacturer, you can apply to get unbanned ("Conditional Approval").

In the FAQ (https://www.fcc.gov/faqs-recent-updates-fcc-covered-list-reg...), they even include guidance on how to apply: https://www.fcc.gov/sites/default/files/Guidance-for-Conditi...

If you (a manufacturer) apply, they want information regarding corporate location, jursidiction, and ownership. They want a bill of materials with country of origin and a justification for why any foreign-sourced components can't be domestic. They want information about who provides software and updates. And they want to hear your plan to increase US domestic manufacturing and progress toward that goal.

So, foreign-made consumer routers can still be sold, but they are going to look at them with a fine-tooth comb, and they are going to use FCC approval as leverage to try to increase domestic manufacturing.

> but they are going to look at them with a fine-tooth comb

This comb likely is designed to extract loose $1M checks from the foreign manufacturers.

> But if you are a manufacturer, you can apply to get unbanned ("Conditional Approval").

by giving daddy trump his taste, no doubt.

Does the router ban really only pertain to consumer-grade networking devices?

> For the purpose of this determination, the term “Routers” is defined by National Institute of Science and Technology’s Internal Report 8425A to include consumer-grade networking devices that are primarily intended for residential use and can be installed by the customer. Routers forward data packets, most commonly Internet Protocol (IP) packets, between networked systems. ¹

> A “consumer-grade router” is a router intended for residential use and can be installed by the customer. Routers forward data packets, most commonly Internet Protocol (IP) packets, between networked systems. Throughout this document, the term “router” is used as a shorthand for “consumer-grade router.” ²

There doesn't seem to be a general ban for foreign-made professional routers, just for some Chinese manufacturers, right³?

Oh, and what does "produced by foreign countries" even mean? I couldn't find any definition. Is this meant to be the country of final assembly? Would importing a Chinese router and the flashing the firmware in the USA be sufficient to be exempt? Where is the line drawn usually?

¹) https://www.fcc.gov/sites/default/files/NSD-Routers0326.pdf

²) https://nvlpubs.nist.gov/nistpubs/ir/2024/NIST.IR.8425A.pdf

³) https://www.fcc.gov/supplychain/coveredlist

So router prices in the US will go up a lot, great!
What the fuck?! I did not sign up to live in some third world shithole where I can't get first-world networking equipment. I do not want some piece of shit closed-source proprietary netgear ameritrash. FUCK! Give me back my god damn chinese routers!

Chinese citizens have more computing freedom than American citizens at this point. What the fuck happened to the land of the free?

Lmao you're an IT guy, right? Get yourself a Raspberry Pi 5, PCIe adapter and a second hand gigabit Intel NIC. Slap a case on that, put OpenWRT on it and bam! High performance, high quality router built from trustworthy parts running open source operating system. Not the prettiest and simplest solution but at least that way you don't have to depend on Realtek chips and Chinese firmware.
What is a router?

Really, do they have a definition?

Because of this, I'm going to plan my next network upgrade based on open source hardware like Banana Pi. My setup is based on WiFi 7 so this might not apply for a few years. From my understanding, the hardware from proprietary manufacturers is sufficiently advanced to do some advanced surveillance and spyware, whereas previous generations didn't require advanced processing to achieve fiber optic speeds. Back to the original statement, it's clear that the threat of surveillance exists.

Personally, I don't make the distinction between foreign and domestically produced routers in America. In fact, I trust foreign produced routers more because the likelihood that they can act upon their surveillance is significantly lower than the current American regime's oppressive and malicious tactics. Therefore, open source routers provides enough transparency to effectively eliminate spyware threats from all angles while being compliant.

I'm especially excited about the Banana Pi because of the transparency and potential of modular upgrades. Whenever there's a network issue, I have to consider whether the manufacturer (American or not) is doing something nefarious. With a Pi based router, I have much more peace of mind with network debugging issues.

So... What are the options now for American consumers? What brands are left and available?
Ask HN: Is there a list of preferred routers for security?
A Palo Alto 440 is what I would consider a baseline for 'real' security. Way too expensive and complicated for most if not all home users.

I keep recommending the free version of Sophos firewall for home users. It's still a bit of a bear to configure.

Compared to hardening your network, at least visiting the ZT church once in a while, running your router on a box which You control and which implements proper segmentation, provides DNS (and "DNS firewall") and an adaptive firewall, WAF (if you run web services), isolating your wifi (anything EXCEPT running it in the box provided by the ISP)?

No.

And you have to accept living with / mitigating that e.g. that isolated wifi access point theoretically receives and will need to apply software updates. /s People seem to treat it as some kind of heresy if you simply deny such appliances internet access.

Does anyone even have a list of US produced routers? Like does installing OpenWRT or OPNSense or VyOS matter?

I can’t think of a complete start to finish, OS to mosfets, computer that is 100% manufactured in the United States.

If their "made in america" goal was anything but a sham, system76 would be getting huge government contracts right now.
I'm sure people will get right on buying American-made routers.
Are there consumer grade routers made in the US?
Aren’t all routers manufactured in foreign countries? Cisco are assembled in China as far as I know.
Prediction: there will appear new "Made in the USA" routers that differ from some Chinese model only by the label. Already the case in Russia for e.g. powerbanks.
I would be more impressed if they would ban all enterprise routers manufactured in China. I have had to continuously patch and meticulously mitigate severe vulnerabilities and bugs in Cisco, Dell, HPE, Extreme, Arista routers, switches, fabrics, and others. These are all manufactured in China, Taiwan, Hong Kong, Vietnam, Malaysia, Thailand, and probably elsewhere in the Greater China region... Actually I take it all back. I wish they would just ban companies from shipping bad code and sanction them for causing millions of hours of required labor to ensure their manufacturing defects do not harm businesses and their customers. Thank you for your attention to my chatter.
What exactly does "produced" mean in this context? That the final assembly was done here, software was written here, PCB was assembled here, SoCs and ICs wwre manufactured here, or something else? Regardless, while consumer routers are 9 of 10 times insecure garbage, it's hard to think of any that aren't manufactured outside the US.