FCC Bans New Foreign-Made Routers Over Supply Chain and Cyber Risk Concerns


Security Reporter

The FCC has banned new foreign-made consumer routers, citing severe cybersecurity and national security risks from state-sponsored threat actors exploiting supply chain vulnerabilities.

The U.S. Federal Communications Commission (FCC) has announced a sweeping ban on new foreign-made consumer routers, citing "unacceptable" risks to both cybersecurity and national security. The move, which takes effect immediately, prohibits the import, marketing, and sale of new router models manufactured outside the United States unless they receive special approval from the Department of War or Department of Homeland Security.

FCC Chairman Brendan Carr emphasized that the action aims to protect American households and critical communications infrastructure from increasingly sophisticated cyber threats. "This decision was made after careful consideration of national security determinations provided by Executive Branch agencies," Carr stated, highlighting the growing exploitation of router vulnerabilities by both state and non-state actors.

The ban specifically targets consumer-grade routers from foreign countries, adding them to the FCC's Covered List. However, certain products have been granted conditional approval, including drone systems and software-defined radios from companies like SiFly Aviation, Mobilicom, ScoutDI, and Verge Aero. Notably, Starlink Wi-Fi routers remain exempt as they are manufactured in Texas.

According to the FCC's national security determination, foreign-produced routers present two critical vulnerabilities: they introduce supply chain weaknesses that could disrupt the U.S. economy, critical infrastructure, and national defense, and they pose severe cybersecurity risks that could be leveraged to immediately and severely disrupt U.S. critical infrastructure while directly harming American citizens.

State-sponsored threat actors have repeatedly exploited security shortcomings in small and home office routers to infiltrate American households, disrupt networks, facilitate cyber espionage, and enable intellectual property theft. These compromised devices can be conscripted into massive botnets for password spraying attacks, unauthorized network access, and acting as proxies for espionage operations.

Chinese-nexus adversaries have been particularly active in this space. Groups like Volt Typhoon, Flax Typhoon, and Salt Typhoon have leveraged botnets comprising foreign-made routers to conduct cyber attacks on critical American infrastructure, including communications, energy, transportation, and water systems. The Salt Typhoon attacks specifically demonstrated how state-sponsored actors used compromised foreign routers to establish long-term network access and pivot to other targeted systems.

The FCC also highlighted a botnet dubbed CovertNetwork-1658 (also known as Quad7), which has been used to orchestrate highly evasive password spray attacks. This activity has been attributed to a Chinese threat actor tracked as Storm-0940, underscoring the persistent and evolving nature of these threats.

It's important to note that the Covered List update does not affect consumers' continued use of routers they have already purchased. Retailers can also continue selling, importing, or marketing router models that were previously approved through the FCC's equipment authorization process.

The national security determination emphasizes that unsecure and foreign-produced routers have become prime targets for attackers and have been used in multiple recent cyber attacks to enable hackers to gain network access and use them as launching pads to compromise critical infrastructure. "The vulnerabilities introduced into American networks and critical infrastructure resulting from foreign-manufactured routers are unacceptable," the determination states.

Routers have become particularly lucrative targets for cyber attacks because they serve as the primary conduit for internet access in homes and small businesses. Once compromised, these devices can allow threat actors to conduct network surveillance, exfiltrate data, and even deliver malware to victims.

This concern about router security isn't new. In 2014, journalist Glenn Greenwald alleged in his book "No Place to Hide" that the U.S. National Security Agency (NSA) routinely intercepts routers before U.S. manufacturers can export them, in order to implant backdoors. The allegation highlights how long routers have been recognized as security-critical devices.

The FCC's decision represents a significant shift in how the United States approaches supply chain security for consumer networking devices, prioritizing national security over the availability of potentially cheaper foreign alternatives. As cyber threats continue to evolve and become more sophisticated, this ban reflects growing concerns about the intersection of consumer technology, critical infrastructure, and national security.

For consumers and businesses alike, this development underscores the importance of network security awareness and the need to carefully consider the origins and security features of networking equipment. While the ban may limit options in the short term, it represents a proactive approach to mitigating serious and documented cyber threats that have already demonstrated their potential for widespread disruption and damage.
