https://www.fcc.gov/document/fcc-adds-routers-produced-forei...
https://docs.fcc.gov/public/attachments/DA-26-278A1.pdf
https://www.bbc.com/news/articles/c74787w149zo
https://www.cnet.com/home/internet/fcc-bans-foreign-made-rou...
https://blog.adafruit.com/2026/03/24/fcc-just-banned-the-imp...
The FCC maintains a list of equipment and services (Covered List)
that have been determined to “pose an unacceptable risk to the
national security
Recently, malicious state and non-state sponsored cyber attackers
have increasingly leveraged the vulnerabilities in small and home
office routers produced abroad to carry out direct attacks against
American civilians in their homes.
Manufacturers have never had to care about security because no Gov agency would ever mandate secure firmware. This includes the FCC which license their devices and the FTC who (until recently) had the direct mandate to protect consumers.
Our most recent step backward was to gut those agencies of any ability to provide consumer oversight. All they they can do now is craft protectionist policies that favor campaign donors.
The US has a bazillion devices with crap security because we set ourselves up for this.
The problem is that "secure firmware" is a relativistic statement. You ship something with no known bugs and then someone finds one.
What you need is not a government mandate for infallibility, it's updates. But then vendors want to stop issuing them after 3 years, meanwhile many consumers will keep using the device for 15. And "require longer support" doesn't fix it because many of the vendors will go out of business.
What you need is the ability for consumers to replace the firmware.
That solves the problem in three ways. First, when the company goes out of business you can still put a supported third party firmware on the device. Second, you can do that immediately, because the open source firmwares have a better security record than the OEMs to begin with. And third, then the device is running a widely used open source firmware instead of a custom device-specific proprietary black box, which makes it easier for the government or anyone else who is so inclined to find vulnerabilities and patch them.
So, we don't need an electrical code to enforce correct wiring. We just need a kind soul driving by our house to notice the company who built our house wired it up wrong. Then that kind person can inform the company of the bad wiring.
And if the company agrees it's their wiring at fault, we can wait 3 months for a fix. Then the next month another kind soul finds more bad wiring. And we just have to hope there is an army of kind strangers out there checking every building built by every company. And hope in the meantime that the building doesn't burn down.
Meanwhile, people have to live with bad wiring for years, that could have been completely prevented to begin with, by an electrician following the electrical code we all already agree on.
I don't think that's enough. Most people aren't going to replace the firmware on their device with an open source replacement made by someone else. Now if the firmware was required to be open source, and automatic updates could be seamlessly switched over to a non-profit or government agency in the event of the company going out of business, you might have something. But there would be a lot of details to work out.
Which is not a real issue in practice. It's like arguing that warranty doesn't matter because the vendor might go out of business.
> That solves the problem in three ways.
That alleviates the problem, but definitely doesn't solve it. Updates are still required, and most people will never update devices they don't directly interact with.
Enterprise must be able to pay for support for as long as they use devices. Solved.
I can only think of requiring the devices to be serviceable, as you say. The absolute only way I can think of charging the consumers, ie the owners, is to charge a tax on internet connections. Then the government would pay somehow vulnerability hunters working along patchers, who can oversee each other.
Consumers are tricky: if you include support in the sale price, the company will grab the money and run in 3 or 5 years; and some companies will sell cheaper because they know they won't provide support.
The problem is not that people need a free meal. The problem is that people need the ability to eat some other food when the OEM's restaurant is closed or unsatisfactory.
Tough shit. You provide updates for the mandated amount of time, or you lose access to the market. No warnings, you're just done.
> And "require longer support" doesn't fix it because many of the vendors will go out of business.
Source code escrow plus a bond. The bond is set at a level where a third party can pay engineers to maintain the software and distribute updates for the remainder of the mandated support period. And as time passes with documented active support, the bond requirements for that device go down until the end of the support period.
Requiring that the customer be allowed to replace the firmware is essential, I agree, but not for this reason. That requirement, by itself, just externalizes the support costs onto open source communities. Companies that sell this sort of hardware need to put up the resources, up front, irrevocably, to ensure the cost of software maintenance is covered for the entire period.
Personally I don't buy consumer router hardware that I can't immediately flash OpenWRT on, but that option is not suitable for the general public.
How does one ensure the support for the devices is funded?
You managed to say that with a straight face!
Let's keep this ... non partisan. You might recall that many vendors have decided to embed static creds in firmware and only bother patch them out when caught out.
How on earth is embedded creds in any way: "no known bugs"?
I think we are on the same side (absolutely) but please don't allow the buggers any credibility!
You misunderstand how organizational knowledge works. You see, it doesn't.
Some embeds the credentials, someone else ships the product. The first person doesn't even necessarily still work there at that point.
Remember that time NASA sent a Mars orbiter to Mars and then immediately crashed it because some of them were using pounds and the others newtons? Literally rocket scientists.
The best we know how to do here is to keep the incentives aligned so the people who suffer the consequences of something can do something about it. And in this case the people who suffer the consequences are the consumers, not the company that may have already ceased to exist, so we need to give the consumers a good way to fix it.
Do you mean 'out of business so they cannot provide updates'?
Because, if you mean cheap companies won't be able to provide updates and stay in business, surely that's the point. Companies would have to shim to a standardised firmware that was robust, or something, to keep costs down.
Isn't this all to protect USA business interests and ensure the Trump regime can install their own backdoor though?
No it isn't, software formally verified to EAL7 is guaranteed to be secure.
Plenty of consumer-grade devices have had very lax security settings or backdoors baked in for purposes of “troubleshooting” and recovery assistance. It’s never been limited to foreign-made devices.
Security has never been part of the review process. The only time any agency has really cared is when encryption is involved, and that’s just been the FBI wanting it to be neutered so they can have their own backdoors.
The FCC licenses devices to the extent that devices can cause spurious transmissions in the radio spectrum. It’s not a general consumer protection agency. Computer security also is outside the mandate of the FTC, which exists to protect consumers from anticompetitive conduct and unfair business practices, not crappy products.
Sounds like it does to me. Also you're forgetting the part where the FTC under a prior administration either banned DLINK from selling in the US or heavily fined them for selling routers in the US that they knew were running insecure, buggy firmware.
(both quotes were taken verbatim from first, Netgear's US website, and secondly the Bureau of Consumer Protections' section of the FTC's website)
Interestingly, Europe is about to try this: the Cyber Resilience Act is going to become obligatory for all sold digital products (hardware & software) by the end of 2027, with a bunch of strict minimum requirements: no hardcoded default passwords, must check for known vulnerabilities in components/dependencies, encryption for data at rest, automatic security updates by default (which must be separate from functionality updates), etc.
Remains to be seen whether this'll help, but good to see somebody have a go at fixing this.
Not that any consumer router is super nice and safe, honestly, you're better off making your own these days.
Sorry but this is merely a convenient excuse. Source: I have hard evidence of a Chinese IoT device where crap security practices were later leveraged by the same company to inject exploit code. It's called plausible deniability and it's foolish to tell me it's a coincidence.
You're not going to convince me that a foreign state actor pressuring a company to include a backdoor wouldn't disguise it as a "whoopsie, our crap code lol" as opposed to adding in the open with a disclaimer on it.
It's all closed source firmware. Even the GPL packages from most consumer router vendors are loaded with binary blobs. Tell me I should trust it.
(That is not to say that the FCC change will move the needle on the underlying issue of router security; as some of the ancestor comments have said, lax security practices are common industry-wide, irrespective of country of development/manufacture.)
No, I don't have it but you may check with Santa Claus.
Banning foreign-made devices will not stop any of that.
True, but the country of manufacture is related to the risk of back doors.
There is a huge security problem (everywhere, not just the US) with insecure consumer devices (not just routers, everything from Wi-fi enabled lightbulbs to cars). AT least someone seems to be waking up to the problem even if their solution is half-baked.
That depends on how you define "Vulnerability", doesn't it?
For instance, from some standpoints, the absence rather than presence of a backdoor in consumer routers could be considered a "vulnerability", no?
> Producers of consumer-grade routers that receive Conditional Approval from DoW or DHS can continue to receive FCC equipment authorizations.
In other words, foreign-made consumer routers are banned by default. But if you are a manufacturer, you can apply to get unbanned ("Conditional Approval").
In the FAQ (https://www.fcc.gov/faqs-recent-updates-fcc-covered-list-reg...), they even include guidance on how to apply: https://www.fcc.gov/sites/default/files/Guidance-for-Conditi...
If you (a manufacturer) apply, they want information regarding corporate location, jursidiction, and ownership. They want a bill of materials with country of origin and a justification for why any foreign-sourced components can't be domestic. They want information about who provides software and updates. And they want to hear your plan to increase US domestic manufacturing and progress toward that goal.
So, foreign-made consumer routers can still be sold, but they are going to look at them with a fine-tooth comb, and they are going to use FCC approval as leverage to try to increase domestic manufacturing.
That is not what's going to happen. What's going to happen is that anyone coughing up payola to the current executive in chief's people will get approved, and anyone that doesn't will remain blocked. This practice is currently widespread, in the form of tariffs.
Also, the biggest benefactors of payola aren't the politicians, it's the rent seekers, that is the businesses already in place that want to prevent competition. Because of this, they usually directly contribute to the politicians that promise to restrict the path to doing business.
For example, if you want a newest-generation extremely-efficient air conditioner in the US, you won't be able to buy it and even if you could, you wouldn't be able to get anyone to install it. Any given model of air conditioners needs to be on an approved list to be sold in the US, and the installer needs to be on an approved list, too. This means that by the time an air conditioner makes it onto the list, it's already old. Also, installers can require you buy it from them, and almost all do, so by the time time an installer on the list has it for sale, it's even older than that. Ironically this is all enabled by the EPA, on the auspices that they are ensuring that it's energy inefficient, when in reality they are preserving the market for the older, more expensive, and inefficient models.
The old payola model. This new model encompasses the old one and adds a neat layer of outright politician bribery on top.
According to SCOTUS in Snyder v. United States, if the payment occurs after the official act, it's a perfectly legal "gratuity."
Dario (CEO of Anthropic) said the DoW contract violations and threats were direct retaliation for not paying Trump "campaign" money. Later, he was forced to apologize for speaking the truth.
Wow NGL this sounds great if you ignore the reality that it'll be used as a partisan backdoor to enriching the administration.
This comb likely is designed to extract loose $1M checks from the foreign manufacturers.
You're assuming a non-partisan technocratic process, which this administration has amply shown is neither capable nor willing to provide. This requirement becomes another opportunity for Pay-to-Play, either in cash or quid pro quo, to the government directly (see, e.g., NVidia and AMD export allowances) or to Trump's inner circle (see, e.g., crypto venture regulation, merger approvals).
No, of course I'm not assuming that. That's not the administration's pattern of behavior, so it would be a crazy assumption.
I agree it'll be abused. I just didn't feel it necessary to state the obvious.
by giving daddy trump his taste, no doubt.
Yes china routers are a liability, but free trade and open market ensure at least one thing that's essential : no single state has surveillance capability on its entire population
I took a screenshot to share if anyone is interested
I'm assuming you really meant "detect human motion", which I don't think is a solvable problem at this point in time, at least with high accuracy.
This is about full domestic control of the internet. For both ingress and egress.
Remember how Iran likely murdered thousands of protestors a few months ago, but we don't actually know? They want to be able to do that here.
https://www.washingtonpost.com/graphics/2020/world/national-...
The OpenWRT One [1] sponsored by the Software Conservancy [2] and manufactured by Banana Pi [3] works lovely.
[1] https://openwrt.org/toh/openwrt/one
[2] https://sfconservancy.org/activities/openwrt-one.html
[3] https://docs.banana-pi.org/en/OpenWRT-One/BananaPi_OpenWRT-O...
If the software is an important differentiator (arguably, it is for things like Ubiquiti, but clearly it is not for most consumer routers), then release the patches under the Business Source License with a 3-5 year sunset back to BSD / Apache / GPL.
Even if this wasn't done, at the very least they must publish their software testing procedures, the way UL, ETL, and CSA require to certify devices for the US power grid. (https://www.komaspec.com/about-us/blog/ul-etl-csa-certificat...) They can also do black box testing.
But ideally they would actually inspect the software to ensure its design is correct. Otherwise vibe-coded apps with swiss cheese code will be running critical infrastructure and nobody will know until it's too late.
If it was required they would do it.
Self ownership and full 'right to repair' has carve-outs in the FCC's regulations in the name of limiting unintentional broadcasting/radiation. Maybe a challenge to those would survive in the post-Chevron environment. I wouldn't expect any Congress in the last 25 years to pass a law which would go against the incumbent telecom lobbyist interests though, and I'd expect such a hole if it did hit case law, to get 'patched' fairly quickly.
About the only way to really solve that would be to embarrass vendors enough to open their moats.
(To be clear, I don't think that's good enough; at a minimum I think there should be a wifi card that does refuse modifications and a main application processor that is 100% user controlled so that they can actually fix problems without needing the vendor to help, but I think it's useful to point out that auditing code doesn't require being able to install it)
This is already the case today with many embedded devices. They have secure boot enabled so even if the vendor releases the GPL source code (big if), you can't do anything because the device will only boot the vendor's signed firmware.
> at a minimum I think there should be a wifi card that does refuse modifications and a main application processor that is 100% user controlled so that they can actually fix problems without needing the vendor to help
This is already possible. The RF components frequently have a signed firmware blob that is verified on load. There is no reason but planned obsolescence and greed keeping the application processor locked to running the vendor's signed code.
It's very difficult to inspect a laid out chip for nefarious elements - there's too much of it to do manually. Having a secure supply chain is probably the best way to prevent that happening.
Which is not to say that I support this rule - it sounds like another import weapon trump can swing against people who aren't his friends.
Very few companies make the chips too. It'd be very easy for the government to force them to add backdoors.
Trusted, qualified independent experts: Ala Underwriters Laboratories.
Maybe trusted community of people could do it for everyone, but there's currently all kinds of potential legal trouble brewing in that approach. Complete and public reverse engineering of every aspect of any device would have to be made completely legal, so that people could freely publish all artifacts extracted from a device and produced during reverse engineering and collaborate on them without any fear of repercussions. Also HW manufacturers would have to be prohibited from NDAing documentation for SoCs, etc.
Side benefit would be that this would also serve as a documentation for freeing the device and developing alternative firmwares with modernized sw/reduced attack surface.
You can get an old desktop or laptop that's more than good enough to be a router for basically nothing (or sometimes literally nothing) on Craigslist or Ebay. I suspect pretty much anyone who frequents this forum could probably figure out how to do it with a YouTube tutorial. Routers are pretty dumb computers, so you don't need something top of the line.
Even if you want higher speed than the ethernet port built into the computer, you can buy old dual-port 10GbE PCIe cards for less than $50 on eBay as well.
I've been running my own custom thing with NixOS for a couple years now, and it's been working great, and before that I ran ClearOS for a couple years, and before that I ran OpnSense for a couple years. They all work fine, and they're not too hard to set up. I recommend it to anyone who can figure out how to do it.
Though that said, even with a regular old desktop, which is what I used before, the power consumption actually didn't get that high. Even with a lot of torrent traffic FROM LINUX ISOS, it generally hovered around 35W of power, and considerably less when it wasn't busy. Maybe I just had a decent power supply in there, not sure, it was literally a desktop that I got for free from a neighbor that was moving.
ETA:
I should clarify, even though the computer itself hovers around 10-15 watts, I do have an external switch and an external access point. The switch hovers between 25-30W, and the access point hovers around 15 watts. This is definitely a fair bit more than you'd get with a consumer router, so adjust for your pain tolerance. You might be able to find lower-power switches if nothing else.
Maybe "whitebox" stuff will have a moment here. Buy a ARM based "computer" that just happens to have a built in switch and 802.11 radio, and separately purchase an SD card with the OS on it.
Or, perhaps this will be VyOS's time to shine... https://vyos.io/
Can't really see anything really happening in the consumer space, but maybe business/enterprise will move in one direction or another.
I love my NixOS thing, because I am part of the cult of NixOS, but it's probably something I wouldn't recommend for most people because it was kind of a pain in the ass to get working. The reason I do it now is because it lives on the same box that is my server.
I've looked into Vyos, it sort of reminds me of the Cisco stuff and it looks interesting, but it never seemed sufficiently better than my NixOS thing.
As far as network routing is concerned, I haven't been able to see much of a difference. iperf3 shows that two wired connections I'm getting about 9.4Gbps, which is well within any tolerance I need. The router that Verizon gave me only had 2.5Gbps ports so I can't quite compare apples to apples, but the latency was generally pretty similar.
I mostly just like the level of customization I'm allowed to have. There's no arbitrary limits to port forwards and I can install extensions or write my own if I want.
The FCC's power just got substantially nerfed, and "we've decided to slow lane all foreign-made routers" feels like that may have been beaten on the old, higher, standard. Let alone the new one that gives the FCC almost no power.
Are there even consumer-grade routers that are produced in the USA...?
[1] https://www.heise.de/en/news/USA-bans-all-new-routers-for-co...
> As outlined below, today’s action does not impact a consumer’s continued use of routers they previously acquired. Nor does it prevent retailers from continuing to sell, import, or market router models approved previously through the FCC’s equipment authorization process. By operation of the FCC’s Covered List rules, the restrictions imposed today apply to new device models.
I’m sure plenty of US factories are capable of importing boxes that look like routers but are actually just switches (because the router firmware is missing) and re-flashing them here…
(Which is why it's a bit ironic I saw the Google Fiber guy post on X about how they always had TPM^TM "security" in their routers; thats cool, but the drivers you used still made them "general purpose computing over the air" devices)
> In conjunction with original software development, Island is designed and assembled in the USA to improve security and enable tighter quality control throughout the entire production process. The code for Island routers has only been loaded internally at Island HQ in the U.S; customer support is also managed directly in our U.S. Headquarters.
Starlink?
A little rich coming from the administration that supports a strict view of the major questions doctrine. They have no problem kneecapping the EPA. But the communications commission has the right to ban all drones (and not the FAA for example).
I'd say I'm shocked but I am not. Their next order forcing backdoors will be secret.
If companies market the devices as something other than "routers" then consumers will not buy them for routing duty.
(Meanwhile, the non-average people who want to use general-purpose computers as homespun router/NAS/do-all boxes are already aware of how this all works...and many of us have been doing it this way for decades. (Often, this happens alongside dedicated access points that do have good wifi radios.))
I have roommates who are engineers and I had to explain to them the difference between Wi-fi access point and LAN when I replaces our wireless router with a router + 3 APs.
And I don't mean to suggest, in any way, that this means that most people are stupid or anything like that. They can have ridiculously high intelligence while the nuts and bolts of networking remain completely beyond the scope of their thought processes.
But yet: Every-day consumer-oriented stores (including Wal-Mart) have routers (and mesh systems and...) in stock on the shelf for purchase in Anytown, USA right now. So while they may not be the majority, people are buying them.
So start your own company called usa router co, and sell some random arm board with a preinstalled router image... the end user won't know the difference.
I've already done everything the article says to do years ago, but what happens when this equipment dies? Can I get a replacement, and is it flashable? I currently use "routers" as access points because it's the cheapest way to get an AP for OpenWRT.
Personally, I don't make the distinction between foreign and domestically produced routers in America. In fact, I trust foreign produced routers more because the likelihood that they can act upon their surveillance is significantly lower than the current American regime's oppressive and malicious tactics. Therefore, open source routers provides enough transparency to effectively eliminate spyware threats from all angles while being compliant.
I'm especially excited about the Banana Pi because of the transparency and potential of modular upgrades. Whenever there's a network issue, I have to consider whether the manufacturer (American or not) is doing something nefarious. With a Pi based router, I have much more peace of mind with network debugging issues.
The only thing I'm missing right now that would be a nice to have is a wifi card so I can ditch my access point. My hardware isn't open source by any means, but my reliance on non-free networking code is minimal.
Thanks to whistleblowers like Mark Klein and Ed Snowden we know that we're all being monitored by the government. If there are "lists" at all at this point it's the few people that aren't being watched 24/7.
Besides BananaPi, there are e.g. ODROID (Hardkernel from South Korea), FriendlyElec, Radxa.
I'm guessing the rest of this looks like drones, too: FCC approval is given only to American companies that bribe members of the administration, and they raise prices through the roof. The routers are still manufactured overseas and there's no improvement in security.
Source: My company manages logistics for dozens of US manufacturing companies.
Between "age verification" - ID - laws being rolled out across many countries, rocketing transport costs, ICE at airports, incredible inflation of RAM prices, and now catastrophic restrictions on routers, none of this is making Rest of World easier to access.
Let's not forget Russia and Iran both clamped down hard on general Internet access, and Israel and some of the Gulf states have set up aggressive restrictions on live reporting.
I think we're heading to a balkanised Internet at the absolute best.
There's no router industry here because there's (mostly) no electronics industry, and to make one you'd need to build all the supply chains and subsidiary industries from scratch.
It's all a bunch of very expensive kind of dodgy Compex cards, used for industrial or prototype purposes. Be prepared to spend $300+ for a single 4x4 MIMO card. And then you want to go dual band right?
Thankfully the MediaTek offerings are somewhat available and much much much cheaper, but reports are that driver quality is just absymal.
Meanwhile the openwrt table of hardware for wifi 6 and wifi 7 is a bare trickle already, and inceasingly not consumer routers but SBC. Thanks for the FCC messing things up brutally already, back in 2015, with requirements to make sure users couldn't possibly do anything out of spec, requiring these systems to be locked down. They almost banned open source outright, but in practice it feels like the requirements are high enough that they practically did. https://toh.openwrt.org/?features=wifi_be https://arstechnica.com/information-technology/2016/03/tp-li...
Frelling FCC! What dastardly deeds done against civilization! We would be so much more secure & protected, the bar would be so much higher if open source / openwrt was allowed to compete. You messed everything up already!!
Previous example: https://news.ycombinator.com/item?id=37392676
Numerous papers showing the ability to easily map indoors areas with WiFi (including occupancy) it’s a liability.
There will be excuses “tariffs” etc but I heard a few have gotten calls from three letter agencies coyly telling you to improve your systems.
It’s a chance to refresh the product line! (of course at the worst time when mem prices are bleed you dry high)
They're not likely to go to war against people with long-range missiles though. Even they are not demented enough for that.
The US didn’t make a space force to please the ego, it was likely to occur eventually. They aren’t spending all their time wargaming a moon invasion lol
Logistically, hacking tons of different model routers is not feasible. It would be more useful to yank the power grid.. which can be accomplished with missiles or software.
But largely thanks to FCC demands, the list of router hardware that can run open source operating systems such as OpenWRT has dwindled to a trickle. There's very precious few wifi 7 / BE systems available, and only a few wifi 6! it's ghastly. https://toh.openwrt.org/?features=wifi_be https://toh.openwrt.org/?features=wifi_ax
To me, this is a deeply dangerous situation for the state & for the population, where it is nearly impossible for consumers and businesses to purchase gear that they can secure. Where we are at the mercy of what is on the market, and no actual securing of our own can occur.
The FCC claimed in 2015 they were not trying to forbid open source systems, but the additional compliance demands they have made unsupportable unsecurable devices the default state: the FCC mandated companies make sure the users dont have freedom, make sure the wifi performance is locked down, and the most obvious path to that end is to just lock out the user entirely. Open source isn't outlawed, but the FCC turned a good working amazing open source movement into something that is incredibly rare and hard to do. The FCC assurances (https://www.eff.org/deeplinks/2015/11/free-router-software-n...) have not proven true (https://news.ycombinator.com/item?id=11122966): everything has gotten worse for security & availability (https://news.ycombinator.com/item?id=11122966).
From one side, that sure... does have some point. Well, I mean, one could potentially install some kind of a backdoor on the networking hardware they produce, and if it's state-controlled, then it could potentially be a threat.
From the other side, though...
That's crazy. Maybe I'm missing something obvious, or maybe I'm just stupid, I don't know; but at this point, with almost no manufacturing in the USA, this feels like shooting yourself in the foot. Or rather, it's like shooting yourself straight up in the head if manufacturing will not be efficiently (so it can satisfy the demand) moved to the USA (which is a big challenge).
There are more than a half dozen fabs in the US which can produce networking chips like ethernet controllers, line drivers, SOC, etc: Intel, TI, Samsung, et al. If US wanted to onshore routers, we could make it happen.
> If US wanted to onshore routers, we could make it happen
https://www.fcc.gov/sites/default/files/NSD-Routers0326.pdf
a router produced in the US from foreign-made parts - like controllers, drivers etc. - is not in the "covered list". Although I admit the wording is vague: "produced in the US".
Now, that's not even the main problem. Imagine if someone did something like this with RAM or NAND. Again, maybe I'm stupid, but this sets a precedent. It's not currently possible to move RAM manufacturing (fully satisfying the demand) to the USA, though, so I doubt anyone sane would try to do so.
It's also a quasi inevitable side effect of the push to encrypt all communication back to the cloud, since now it's too easy for malicious devices to hide what they're sending back.
Back to wearing the tin foil hat in my faraday cage.
Effectively banning all consumer routers.
Manufacturers can support devices for long but it costs money which the consumers / businesses aren’t willing to pay or value. Cybersecurity is a joke and the general consensus is : we will pay for things as and when there is a fire. We don’t put a price on prevention because we can’t really show it to shareholders how we profited from not being attacked since we blocked those. So we create an arbitrary certification and pass things according to it. This certification doesn’t say anything about firmware. But if we do get attacked then we can convince the shareholders to spend money on better equipment this financial year and then not bother until the next time we have a problem.
Some of these certifications focus on what the devices allow you to do (like acls and firewalls) and see if they pass these tests. But actually looking at the firmware and finding vulnerabilities is not in scope.
I switched away from Omada to Ubiquiti, because of TP Link’s problems.
I can’t think of a complete start to finish, OS to mosfets, computer that is 100% manufactured in the United States.
Of course, getting a router SOC with firmware from the factory , soldering on the Ethernet ports and adding RAM and storage, installing an OS, throwing it in a case with a power supply into a box isn’t solving the problem of insecure foreign firmware but is meeting the “Made in US” demand.
So what counts and who gets exemptions will be telling.
If worried about supply chain and inside jobs, I worry more about the IoT widgets I have. They are already inside the LAN, can access the internet, etc.
Anyway, bribes aside, this is probably just a talking point and not much actually changes.
Thats what this is all about: government level blackmail.
This is for newly released models that still need to get FCC certification.
[0] https://mono.si/
The fact that they haven't updated that webpage with new information since October 1st 2025 seems to indicate bad news...
Shortly put, they're going through hardware startup woes but will probably make it out the other end just fine.
... at the same time, I don't think I'd send $100 to a site with no contact/ownership/company info to begin with.
One purpose for taxes is to shape behavior. If the behavior they wish for is to have more manufacturing in the US, you increase the taxes of outsourcing it. IOW, you make it more desirable to manufacture locally.
This is kind of a boneheaded way of handling whatever issues they're claiming.
Is this just another mass surveillance operation?
Very enlightened and useful comment, thank you for your participation.
If wireless security is the concern, maybe other people here know better but I don't believe anything convenient will be "secure" in the strongest sense of the word.
No.
And you have to accept living with / mitigating that e.g. that isolated wifi access point theoretically receives and will need to apply software updates. /s People seem to treat it as some kind of heresy if you simply deny such appliances internet access.
I keep recommending the free version of Sophos firewall for home users. It's still a bit of a bear to configure.
Really, do they have a definition?
Yeah conceivably you could use this to ban any network device that is capable of routing between interfaces, so lots of switches with new firmware could do it, often terribly, as well as PCs with multiple interfaces. But its probably going to involve intention.
...which in turn refers to https://nvlpubs.nist.gov/nistpubs/ir/2024/NIST.IR.8425A.pdf
(edit: and RAM!)
(edit: and NOT multiple video outputs!!)
> Firmware updates for existing covered devices are allowed, but only through March 1, 2027.
Good luck enforcing that with libre firmware without being sued with some amendment until oblivion and the FCC -the irony- gets sued like crazy.
Bloomberg Editorial Board: The US Must Not Become a Nation of Emigrants - https://www.bloomberg.com/opinion/articles/2026-03-20/immigr... | https://archive.today/a9DbM - March 20th, 2026
> A recent analysis found that US emigration has reached unprecedented levels. Much of this exodus is due to the administration’s deportation efforts, but by no means all. Last year, at least 180,000 American citizens left the Land of Opportunity to find a better life elsewhere.
> During the recession of 2008, a Gallup poll found that about 1 in 10 Americans wanted to permanently leave the country. That figure is now 1 in 5. Among women ages 15 to 44, it’s a whopping 40%. Some of that sentiment is tied to politics, of course, but the emigration trend predates the current administration.
Combine that with a general inability to understand or empathize with what's going on outside what they can directly see. How many Trump supporters have we seen who loved him cracking down on illegal immigrants until the crackdown came for someone they cared about, then suddenly it was an outrage (but only an outrage in that specific case)? How many have cheered tariffs until they had to pay a bunch more money for something? How many said "no more wars!" and thought it was great how Trump didn't invade anyone in his first term, and now are saying that attacking Iran is great because they've been an existential threat for half a century? This will be the same way. It'll be, yeah, stick it to those foreign bastards. America First! Then in a few months or years, "The store doesn't have any routers, what the hell?"
> This law requires the U.S. Federal Communications Commission (FCC) to issue rules stating that it will no longer review or approve any authorization application for equipment that poses an unacceptable risk to national security.
The Secure Equipment Act itself was passed in 2021, but the law itself doesn't proscribe any particular equipment or manufacturers. Instead, tells the FCC to create a list and delegates listing duties to various parts of the executive branch (national security agencies, Commerce, the Federal Acquisition Security Council). That's what changed yesterday and it was in fact done by the current administration.
> For the purpose of this determination, the term “Routers” is defined by National Institute of Science and Technology’s Internal Report 8425A to include consumer-grade networking devices that are primarily intended for residential use and can be installed by the customer. Routers forward data packets, most commonly Internet Protocol (IP) packets, between networked systems. ¹
> A “consumer-grade router” is a router intended for residential use and can be installed by the customer. Routers forward data packets, most commonly Internet Protocol (IP) packets, between networked systems. Throughout this document, the term “router” is used as a shorthand for “consumer-grade router.” ²
There doesn't seem to be a general ban for foreign-made professional routers, just for some Chinese manufacturers, right³?
Oh, and what does "produced by foreign countries" even mean? I couldn't find any definition. Is this meant to be the country of final assembly? Would importing a Chinese router and the flashing the firmware in the USA be sufficient to be exempt? Where is the line drawn usually?
¹) https://www.fcc.gov/sites/default/files/NSD-Routers0326.pdf
²) https://nvlpubs.nist.gov/nistpubs/ir/2024/NIST.IR.8425A.pdf
However, the approvals appear to have not been based on any objective methodology, but sometimes nothing has been approved, while otherwise there may have been some approvals but their randomness was suspicious.
Now this new interdiction continues the trend, so it is normal for people to be wary that any approvals will be based on some kind of bribing and not on any serious security audit.
Because it provides a pathway to full government control of the internet.
Content that demonizes the current administration's enemies will become easier to find. Evidence of their crimes will vanish.
When they murder someone in the street, fewer people will find out about it, and those that do will be more likely to hear the government's side of the story.
Mobile networks are already owned by the billionaires, and they've shown plenty of willingness to shape traffic for their interests.
Managing this kind of information at scale is an incredible challenge, but one that LLMs are very well suited for.
Even if you are confident the current administration doesn't have the competence or longevity to exploit this (as I mostly am,) we can easily predict future admins of either party will happily make use of these capabilities.
Bad for the US, but also very bad for the world, because it will make it much easier to manufacture consent for or hide future international crimes committed by the government.
We've excused the complete loss of traditional journalism with a reliance on the Internet instead. Not anymore.
Can savvy individuals work around it, of course. But the general public will treat them like conspiracy theorists, because all they will see is content that reinforces the administration.
The technical discussions in here sound like: "silly Caligula, his horse won't be able to sign his name to cast a vote in the Senate."
Chinese citizens have more computing freedom than American citizens at this point. What the fuck happened to the land of the free?
So no, this does not pull all existing routers off the market. Anything that already got FCC approval remains approved and new stock may be imported and sold.
So much different than the piece of shit closed-source proprietary netgear chinesium.
Consumer routers are shit full stop.
the router sniffed plaintext http to grab HTTP User agents to put them into a curl bash command line string. Nice RCE from the browser.
Even if you have the source and build system to recreate the exact binary blob and can reload it with Jedec or whatever, there is another world below the firmware...called microcode. Some of the microcode comes from the FAB preloaded! Even if you can get the source code for the microcode and somehow read it out and verify it is the same, you guessed it...there is another world below that [1 https://www.researchgate.net/publication/380555600_Trustwort... ] [2 https://dl.acm.org/doi/fullHtml/10.1145/3579856.3582837 ] [3 https://ieeexplore.ieee.org/document/7546493 also https://www.semanticscholar.org/paper/A2%3A-Analog-Malicious... ]