The US router ban and its transparent justification

The US is banning new router models but wants to make exceptions if enough money comes in. Many questions remain unanswered after a week.


(Image: Evgeny Ostroushko/Shutterstock.com)


The USA is only allowing new router models for the consumer market (“consumer-grade”) if they are entirely designed, developed, and produced in the USA. That would be great news for manufacturers of such routers. However, such producers do not exist. This is already evident from the fact that no one is advertising ‘Made in USA Routers for the Consumer Segment’ (MURCS).

Already approved router models may continue to be sold and used, but firmware and software updates are forbidden. There is an exception for security updates until March 1, 2027. What counts as ‘consumer-grade’, and even what counts as a ‘router’, remains open. And to this day, the FCC remains silent on questions from heise online about whether open-source software is classified as domestic or foreign, and about how foreign patents are to be treated.

An analysis by Daniel AJ Sokolov

Daniel AJ Sokolov has been writing for heise online since 2002, initially from Vienna. Since 2012, as heise online’s North America correspondent, he has been trying to understand Canadians and Americans and to shed light on their nature.

At the same time, the ban is strict: “Production generally includes any major stage of the process through which the device is made, including manufacturing, assembly, design, and development.” Thus, every important step in design, development, production, and assembly must take place in the USA. Simply assembling Asian parts in US prisons would not suffice.

The Republican-led regulatory agency FCC (Federal Communications Commission) justifies the ban with a secret determination by unnamed intelligence agencies, according to which foreign consumer routers pose “an unacceptable risk to the national security.” This determination formally fulfills the legal requirement (47 U.S.C., Section 1601[c]) for the ban. The FCC used the same wording in December for the ban on new foreign drone models.

The published summary of the secret determination by the secret intelligence agencies mentions possible consequences of inadequate security in routers: “From disrupting network connectivity to enabling local networking espionage and intellectual property theft, foreign-produced routers present additional and unacceptable risks to Americans. Additionally, routers produced abroad were directly implicated in the Volt, Flax, and Salt Typhoon cyberattacks which targeted critical American communications, energy, transportation, and water infrastructure.”

This is not entirely false. Routers were indeed involved. And because, by US definition, domestic routers do not exist, they were, by necessity, foreign routers.

In 2023, Microsoft pointed out that Chinese attackers were spying on operators of critical infrastructure. To disguise their data traffic, they actually used foreign ‘Small Office/Home Office’ (SOHO) routers. The distinction between SOHO and consumer-grade is unclear, but secondary, because Volt Typhoon's entry points were vulnerabilities in Fortinet firewalls, which consumers do not typically operate.


Flax Typhoon refers to a large botnet that, at the time of its discovery in 2024, exploited over 260,000 routers and everyday connected devices (IoT) of unsuspecting households. By number of affected devices, the USA was hit hardest, followed at a large distance by Vietnam and Germany. The botnet is attributed to the People's Republic of China and exploited 66 publicly known security vulnerabilities; the oldest had already been known since 2015.

As the official Cybersecurity Advisory shows, 98.5 percent of the processors in the devices misused for Flax Typhoon were developed in the USA. Only 1.5 percent were ARM devices, originating from British designs. Therefore, the processor design, which must henceforth be American, cannot be the issue. The advisory from September 2024 recommends, among other things, installing updates, replacing default passwords with strong custom ones, and disconnecting devices from the network if the manufacturer no longer supports them. It remains unclear how one can reliably know that the manufacturer is no longer securing its products.

Salt Typhoon was a successful Chinese espionage (and counter-espionage) mission in dozens of countries. In the USA, the attackers infiltrated major network operators, including AT&T, Verizon, and T-Mobile. Ironically, the spies nested in the very systems that the USA uses to eavesdrop on phone calls and copy foreign data transmissions.

The intruders exploited already known vulnerabilities in huge Cisco routers, which no one operates at home. The network operators had failed to change default passwords and install updates for known software flaws. Feared zero days, i.e., previously unknown security vulnerabilities, were not exploited according to official US investigations.

The Cyber Safety Review Board, which dealt with the investigation, was dissolved by Donald Trump. This was so important to him that the order was issued on the first day of his second term as US President.


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.