USA expands router ban

Contents

Since March, the USA has been banning new router models not manufactured domestically for the consumer market. Since there would be none, there are exceptions. Some were granted so quickly that it is hard to imagine that the official requirements were met. Meanwhile, the regulatory authority FCC (Federal Communications Commission) is expanding the scope of the ban, but creating new ambiguities.

At the center of the US ban is a secret finding by unnamed US intelligence agencies that “consumer-grade routers” pose an unacceptable risk to the national security of the United States or the safety of US persons. In a published summary, IT attacks that were carried out via routers are referenced -- all of them via foreign routers, as there are none domestically by definition. Models already approved may continue to be used and sold. Their software and firmware may only be updated until March 1, and only for security or compatibility purposes.

The devil is in the details, and the FCC has left key questions unanswered. Last week, the authority published answers to certain frequently asked questions (FAQ). The core issue is repeatedly addressed: What exactly is a “consumer-grade router”, and what is not? Because there is explicitly no list.

Expansion to routers for SMEs

A small table in the 24th of 25 FAQs is surprising with the statement that both “consumer” and “small and medium-sized business routers” are covered. This is new and contradicts the answer to question 8 “How are routers defined?”. Because there, the authority refers, as before, to security recommendations from the standardization institute NIST (National Institute of Standards and Technology’s Internal Report 8425A), which refer to “consumer-grade networking devices that are primarily intended for residential use and can be installed by the customer” -- thus “networking devices for the consumer market that are primarily intended for use in households and can be installed by the consumer.”

Such devices are also used by small businesses; however, “business routers” are something different from “consumer” routers, which are also used by non-consumers. Or so one might think.

At least the table clarifies that mobile phones with Wi-Fi hotspots are not covered by the ban – but pure data modems for mobile communications are, whether stationary or mobile (e.g., with Wi-Fi hotspot). There is no technical reason for this differentiation. Cable modems with routers are also covered by the ban, as are routers installed in households by the ISP or a professional. However, tiny mobile cells (femtocells), fiber optic terminals, and analog telephone adapters with Ethernet sockets are excluded.

What is covered?

The author of the 25th question has probably desperately sought a guideline: Is there a list of indicators, a test of all circumstances, or layer-based criteria independent of NIST IR 8425A that define whether a device is a “consumer-grade router”? Answer: “No.” Again, the FCC refers to NIST IR 8425A, this time to its Appendix C. This clears up all ambiguities.

Because Appendix C deals primarily with how routers come into circulation (Spoiler: purchase or rental!). Otherwise, it tells little new when it states that “consumer-grade” devices can be found in households, and that their primary purpose is use there, not for “enterprise, industrial, etc.”, but that small businesses could also use consumer-grade devices. In addition, it notes that manufacturers of consumer-grade devices cannot assume that the user has expertise in IT security or can take significant measures to secure the product.

References are then made to four third-party documents: two from industry associations and one each from the regulatory authority of Singapore and the German Federal Office for Information Security (BSI TR-03148). Of these four, only Singapore excludes routers rented from the Internet Provider from the security recommendations. However, the security recommendations of these four bodies play no role for the FCC or the exceptions.