The U.S. Federal Communications Commission (FCC) said on Monday that it was banning the import of new, foreign-made consumer routers, citing “unacceptable” risks to cyber and national security.
The action was designed to safeguard Americans and the underlying communications networks the country relies on, FCC Chairman Brendan Carr said in a post on X. The development means that new models of foreign-produced routers will no longer be eligible for marketing or sale in the U.S. The move comes in the wake of a national security determination provided by Executive Branch Agencies, Carr added.
To that end, all consumer-grade routers manufactured in foreign countries have been added to the Covered List, unless they have been granted a Conditional Approval by the Department of War (DoW) or the Department of Homeland Security (DHS) after determining that they do not pose any risks.
As of writing, the approved list only includes drone systems and software-defined radios (SDRs) from SiFly Aviation, Mobilicom, ScoutDI, and Verge Aero. Producers of consumer-grade routers can submit an application for Conditional Approval. According to BBC News, Starlink Wi-Fi routers are exempt from the policy, as they are made in the U.S. state of Texas.
“The Executive Branch determination noted that foreign-produced routers (1) introduce ‘a supply chain vulnerability that could disrupt the U.S. economy, critical infrastructure, and national defense’ and (2) pose ‘a severe cybersecurity risk that could be leveraged to immediately and severely disrupt U.S. critical infrastructure and directly harm U.S. persons,'” the FCC said.
The agency said both state and non-state sponsored threat actors have exploited security shortcomings in small and home office routers to break into American households, disrupt networks, facilitate cyber espionage, and enable intellectual property theft. Furthermore, these devices could be conscripted into massive networks with the goal of carrying out password spraying and unauthorized network access, as well as acting as proxies for espionage.
China-nexus adversaries such as Volt Typhoon, Flax Typhoon, and Salt Typhoon have also been observed leveraging botnets comprising foreign-made routers to conduct cyber attacks on critical American communications, energy, transportation, and water infrastructure.
“In Salt Typhoon attacks, state-sponsored cyber threat actors leveraged compromised and foreign-produced routers to jump to embed and gain long-term access to certain networks and pivot to others depending on their target,” according to the National Security Determination (NSD).
Also highlighted by the U.S. government is a botnet dubbed CovertNetwork-1658 (aka Quad7), which has been used to orchestrate highly evasive password spray attacks. The activity is assessed to be the work of a Chinese threat actor tracked as Storm-0940.
It’s worth noting that the Covered List update does not affect a customer’s continued use of routers that were already purchased. Nor does it impact retailers, who can continue to sell, import, or market router models that were approved previously through the FCC’s equipment authorization process.
“Unsecure and foreign-produced routers are prime targets for attackers and have been used in multiple recent cyber attacks to enable hackers to gain access to networks and use them as launching pads to compromise critical infrastructure,” the NSD said. “The vulnerabilities introduced into American networks and critical infrastructure resulting from foreign-manufactured routers are unacceptable.”
Routers have been a lucrative target for cyber attacks, as they serve as the primary conduit for internet access. Compromised routers could allow threat actors to conduct network surveillance, exfiltrate data, and even deliver malware to victims. In 2014, journalist Glenn Greenwald alleged in his book No Place to Hide how the U.S. National Security Agency (NSA) routinely intercepts routers before U.S. manufacturers can export them in order to implant backdoors.
