Sure, you are banning them for “security” reasons. Right.

So a couple of days ago the FCC updated a list of banned telecommunications equipment to include, and I’m quoting here:

Routers produced in a foreign country, except routers which have been granted a Conditional Approval by DoW or DHS.

If you want to read it, it’s all on the FCC site linked here.

Now, as far as I’m aware, there are no domestic manufacturers of routers in the USA. So what they have done is ban the import and sale of any new equipment that does not already have an FCC approval tagged to the device.

If there was a legitimate concern about the security of routers that are deployed in the world, why are only new devices being targeted? I would assume that the decision to ban these things is based on some legitimate history of security issues or a history of operating in bad faith on the part of these manufacturers. So if that is the situation, why are the existing devices not getting flagged as a problem? Why are we not being told that it’s time to replace those devices?

So if there isn’t a history of bad behavior what is this about? The argument as I understand it is that there are concerns about the security of the devices and their potential to be used as an attack vector rather than any indication that they have been used as such.

Is that legit?

Arguably yes, but without a history of bad behavior this is either the US Government pressuring the hardware vendors to move manufacturing back to the US or it’s a breakdown in the chain of trust that has allowed us to take advantage of offshore manufacturing for as long as we have.

If you look at it, every device that you use establishes a chain of trust, whether you realize it or not. Let’s look at your phone, say an iPhone of some generation.

First of all, you are trusting Apple, since they built the device and the operating system that it’s running. Implicit in that is that you are also trusting everybody that Apple has trusted as part of their development and supply chain, on both the hardware and software side of things. This includes the folks that manufacture the screen and storage, and the developers that write the software that makes up iOS – including any libraries or tools that they use to build the operating system.

You would think that this is fairly simple, but the supply chain for software and hardware gets really complicated, really quickly. There have been all sorts of supply chain attacks showing up in the news recently, like the one below:

https://snyk.io/articles/poisoned-security-scanner-backdooring-litellm/

The general idea is to look at the software libraries and service providers that your providers make use of and attack those instead of coming after you directly. The impacted software library that I linked above is downloaded somewhere around 3.4 million times per day, and this attack was live for about three hours. Assuming an even distribution of downloads, that would mean that the people that got away with this hit 500k downloads while this was live, and who knows where they were able to get from there.

So obviously we have to draw a line and work on the assumption that Apple is doing what’s right in our example and that they have done their due diligence on things further down the chain.

So if we take this new ban at face value, the US Government has some trust issues with the router manufacturers and is taking steps to try to address those by forcing manufacturing of the devices into the hands of domestic companies that they can regulate and mandate some level of security. However, the cynic in me is wondering what hardware vendors – if any – are already going through the process of greasing palms to get exemptions for their hardware in place under this program.

And to be clear, there are going to have to be some level of exemptions going through here – it’s going to take a long time for someone to gear up to build out routers domestically in the US for consumer use, considering the number of these things that are sitting in people’s homes, offices, and in datacenters.