One would expect that ASUS would have a strong incentive to not include PRC backdoors.

I've had pretty good experience with ASUS routers.
You got me thinking about a tangent, but an important one. Our kid has an ASUS Windows notebook PC. Computers have firmware, too, and most consumer computers probably access Wifi networks. So there are lots of foreign-made personal computers in U.S. consumer households, just as there are routers. And both products often get firmware updates, to the contents of which most users are probably oblivious.

So, let's say, hypothetically, some foreign 'bad actor' government (our rivalry with the Chinese Communist Party seems to make them the main concern, as with the TikTok ban) wants to infiltrate American consumer households with secret 'back doors' or whatever other nefarious code that could be used to undermine U.S. national security, spy, shut down the energy grid, overwhelm specific sites, etc.

Could our foe simply use its 'influence' with foreign computer manufacturers to have them put that nefarious code in a firmware update to personal computers, instead of putting it in routers?

Maybe not. I have nowhere NEAR the technical understanding to grasp the practical realities involved. I'm just asking. Theoretically, is our kid's ASUS laptop somehow much safer for U.S. national security than our TP-Link router?

PC Magazine has another interesting article: The FCC Router Ban Sends the Wrong Signal: America First, Your Connectivity Second

This bit from that article may be relevant to my question: "Router firmware often shares common roots in Linux-based operating systems. Manufacturers reuse code, modify the UI, and slap their branding on it. So all routers, by their very nature, have huge attack surfaces. They are Wi-Fi radios. They have WAN interfaces, LAN switching, VPNs, firewalls, and cloud management features. Every aspect of these simple-on-the-surface devices is a door that bad actors could force open. There’s no evidence that an American router could have prevented previous cyberattacks any more than a foreign-made one."

Of course...personal computers tend to have WiFi radios and firewalls...
 
The FCC regulates all equipment that might cause radio interference, and that includes equipment that doesn’t actually have radios:
Correct - the regs cover both intentional emitters (i.e. transmitters) and unintentional emitters (which includes a lot of electronic and electrical gear). Regulation of personal computers started about 1980, causing, in part, a fair number of the early microcomputer companies to go out of business when they were faced with the costs of testing and re-designing their hardware. The other part was the Volcker interest rates. This regulation came about when a lot of users of "the airwaves" were reporting problems from unshielded computer gear.
 
Could our foe simply use its 'influence' with foreign computer manufacturers to have them put that nefarious code in a firmware update to personal computers, instead of putting it in routers?
Interesting question.

A key distinction between a router and a PC (PC = any personal computer) is that the internet has direct access to routers but not to PCs. Routers are typically "always on", where PCs will often be off or sleeping. I suspect that PCs will be updated more frequently than routers - Microsoft and Apple are pretty fast about pushing out security updates.

I've wondered why more router manufacturers haven't built their software under one of the BSD's. The BSD license does not require changes to be made available as is the case for the GPL licenses for Linux. Soekris was in the business of selling single board computers with multiple 100M Ethernet ports and providing support for Packet Filter on OpenBSD.
 
Correct - the regs cover both intentional emitters (i.e. transmitters) and unintentional emitters (which includes a lot of electronic and electrical gear). Regulation of personal computers started about 1980, causing, in part, a fair number of the early microcomputer companies to go out of business when they were faced with the costs of testing and re-designing their hardware. The other part was the Volcker interest rates. This regulation came about when a lot of users of "the airwaves" were reporting problems from unshielded computer gear.

I have my amateur radio license and I have to deal with dirty equipment that causes interference with my radios all of the time. Wall wart power supplies are some of the worst when it comes to electromagnetic and radio frequency interference.

One of the problems with FCC certifications is that the FCC does not do the actual certification testing. There are some shady testing facilities that will test a prototype to get the FCC certification and then go cheap by not having all of the filters in production models.

I can somewhat understand the drone ban but the router ban is a bit ridiculous to me. Foreign made routers that are already FCC certified can still be sold and can still have spyware built into the firmware. And there are multiple firmwares as the router itself has firmware as do individual network and USB controller chips.

As far as running Open-WRT or DD-WRT, most average home users are not going to go through the trouble of re-flashing their routers with either one. It's hard enough to get people to upgrade the firmware on a regular basis or to change the default admin passwords.
 
I can somewhat understand the drone ban but the router ban is a bit ridiculous to me.
What do you see as a credible rationale supporting the drone ban but not a router ban? I'm not challenging your position, I just want to understand it.

I can't imagine China can take over the masses of DJI drones and send them on some organized attack, etc. As for the concern they could be used for surveillance of some sort, transmitting info. to China, etc., seems to me China could send a few tourists over here and easily get the same info.

Given the resources of large technologically advanced national governments, I have to wonder if blocking out routers and drones really prevents them from getting whatever info. they want. It reminds me of the TikTok ban argument that in theory China could collect info. on the American people; I was like, yeah, or they could just hire a marketing consultation company to tell them what they want to know.

It's not the politics I'm asking about, it's the technical practicality of whether these measures really deny foreign rivals access to information they can't just get with workarounds. And I'm talking about a scenario where government agencies are much more selective about what gear they use, but the general public uses, for example, DJI drones, practically all the consumer routers, etc.
 
I have my amateur radio license and I have to deal with dirty equipment that causes interference with my radios all of the time. Wall wart power supplies are some of the worst when it comes to electromagnetic and radio frequency interference.

[Same here - had Extra Class. My first computer set up did generate some significant RFI, with the strongest signal being the dot clock on the monitor that was radiating from the power cord.]

As far as running Open-WRT or DD-WRT, most average home users are not going to go through the trouble of re-flashing their routers with either one. It's hard enough to get people to upgrade the firmware on a regular basis or to change the default admin passwords.
That's why I think there's much more justification for the FCC to step into regulating routers for security than regulating PC's.
 
That's why I think there's much more justification for the FCC to step into regulating routers for security than regulating PC's.
A key distinction between a router and a PC (PC = any personal computer) is that the internet has direct access to routers but not to PCs. Routers are typically "always on", where PCs will often be off or sleeping. I suspect that PCs will be updated more frequently than routers - Microsoft and Apple are pretty fast about pushing out security updates.

Interesting! If I understand correctly, you assert that routers are more vulnerable to 'bad actors' than PCs are on the basis that many router users don't update firmware or change default admin passwords and are 'always on' (though many PCs stay on and can do scheduled background tasks, like Carbon Copy Cloner).

Good points, and PCs often 'auto-update' by default. It seems requiring routers to do the same, and requiring users to set non-default usernames and passwords would make a lot more sense than demanding 'Made In America.'

But are PCs more secure than routers? What % of PC (including Mac) users don't use any commercial anti-virus/security software product? Yes, Windows has Windows Defender built-in. And how many PC users are vulnerable to phishing schemes and other various malware that could, I suspect, be used to cause problems on par with what routers could do?

So my question then is, while acknowledging that router and PC vulnerabilities aren't exactly the same, are PCs really more secure than routers? Is it hypocritical to demand transitioning routers to American manufacture and not PCs?

openwrt is the answer
Heard of it; haven't used it. Some questions about feasibility.

1.) Does it have a slick, intuitive GUI interface the vendor can customize so you get the sense of a distinctive, quality 'brand' experience?

2.) Can it handle paywall access to subscription vendor services for that router? I don't like these, but they seem to be a cash cow for the vendors, so they'll demand it.

3.) If it's 'open,' does that mean the code is more accessible to hackers, etc., and easier to attack, or is it more secure? If you think it's more secure than what, say, Netgear or TP-Link use now, why?

4.) I assume right now it's a bit niche, but let's say ASUS, Netgear and TP-Link all went to openwrt; 5 years later, would this have simply made it a more enticing target for hackers? In fact, if someone writing malware for it could target multiple brands with a large market presence automatically, would this lead to more attacks?
 
Oh, a somewhat related question. If the concern is poor security in part due to widespread devices in the hands of technically naive, unsophisticated users, devices that tend to stay 'on' much of the time and have a lot of online exposure, and some people don't update often (judging from watching my family), here's a question...

What about Android phones? I ask about Android because at least in the U.S. we mainly get our iPhone software from Apple and/or the App. Store, so there's a measure of security there, but IIRC people using Android phones aren't trapped in the 'walled ecosystem.'

-----------

Here's a thought exercise. Let's say you got hit on the head, brain damage turned you into a sociopath willing to turn traitor, and the Chinese government hired you to head up a division to lay the groundwork for whatever it is the U.S. government fears routers will be used to do. Maybe spying, mass device shutdown in a crisis, whatever.

You must now decide whether to target routers, PCs or smart phones (I'm guessing Android for reasons already covered). I don't care whether you aim to use firmware, default admin username/password combo.s, viruses, trojans, phishing to gain access, whatever.

Which would you target?
 
What do you see as a credible rationale supporting the drone ban but not a router ban? I'm not challenging your position, I just want to understand it.

Because drones can be flown into restricted areas and do damage from crashing or even carrying explosives or chemical/biological weapons. They can also be hacked and used to spy.

As far as the router ban goes. It really doesn't do any good to ban future routers when all of the current routers with FCC certifications are going to be allowed to be sold to the public. This doesn't make sense from a security stand point.

I can definitely see the FCC getting tougher on the certification of consumer electronics. And they really should get tougher as too many foreign made products cause EMI and RFI issues.
 
or even carrying explosives or chemical/biological weapons.
To be fair, this part would require hands-on time with the drone, not remote control via firmware hacks, etc. And somebody could come over here, buy a drone from a different manufacturer and presumably do the same thing.

That said, the Russia/Ukraine war has been a real eye-opener regarding drone use in warfare.

A big question that'll be sensitive since this thread is in Networking, not Political News, is to what extent this ban is bipartisan. If I were a router company CEO, I'd want to know what the odds are the next Presidential administration will continue or expand upon this, particularly the pressure to shift manufacturing to America. The general consensus seems to be 'made in America' would jack up costs, and there's a lot of pressure to bring costs down. I wouldn't want to make the investments to start moving manufacturing to America if the next administration is likely to reverse this.
 
To be fair, this part would require hands-on time with the drone, not remote control via firmware hacks, etc. And somebody could come over here, buy a drone from a different manufacturer and presumably do the same thing.

That said, the Russia/Ukraine war has been a real eye-opener regarding drone use in warfare.

A big question that'll be sensitive since this thread is in Networking, not Political News, is to what extent this ban is bipartisan. If I were a router company CEO, I'd want to know what the odds are the next Presidential administration will continue or expand upon this, particularly the pressure to shift manufacturing to America. The general consensus seems to be 'made in America' would jack up costs, and there's a lot of pressure to bring costs down. I wouldn't want to make the investments to start moving manufacturing to America if the next administration is likely to reverse this.

It's not bipartisan, it's a directive from the FCC, and will likely be killed with the next administration, if it makes it that long without being stopped by the courts.

Since all currently available routers can continue to be imported and sold, I expect most companies to just wait it out.
 
To be fair, this part would require hands-on time with the drone, not remote control via firmware hacks, etc. And somebody could come over here, buy a drone from a different manufacturer and presumably do the same thing.

You are correct when it comes to attaching anything to a drone. But that won't stop a hacker from taking control of a drone remotely and crashing it into things.

I can fully understand wanting to have more products made here in the USA but banning future consumer routers stating it is for security reasons while still allowing current FCC certified routers to be sold doesn't make much sense.

I do think that the FCC needs to crack down on some of the bad certification labs. Unfortunately the FCC relies on third party testing labs to do the certifications.

One prime example where the FCC needs to tighten certification standards is LED lights. The cheap ones from Amazon and Walmart are extremely noisy when it comes to EMI and RFI.

And with routers, there are plenty of other devices used by civilians and government agencies that operate on the same frequencies. While routers are very low powered, one does not want them to cause interference with other devices.
 
Heard of it; haven't used it. Some questions about feasibility.

1.) Does it have a slick, intuitive GUI interface the vendor can customize so you get the sense of a distinctive, quality 'brand' experience?

2.) Can it handle paywall access to subscription vendor services for that router? I don't like these, but they seem to be a cash cow for the vendors, so they'll demand it.

3.) If it's 'open,' does that mean the code is more accessible to hackers, etc., and easier to attack, or is it more secure? If you think it's more secure than what, say, Netgear or TP-Link use now, why?

4.) I assume right now it's a bit niche, but let's say ASUS, Netgear and TP-Link all went to openwrt; 5 years later, would this have simply made it a more enticing target for hackers? In fact, if someone writing malware for it could target multiple brands with a large market presence automatically, would this lead to more attacks?
1) Yes. And yes, many companies already use openwrt under the hood and add their own customization on top.

2) It's an extensible Linux-based platform. If the manufacturer has cloud services/subscriptions for features they want to integrate or paywall, they can (and surely do).

3) Depends on your perspective but it is generally considered more secure because people have their eyes on the software and it is not a 'black box'. The software can be inspected and commits can be reviewed when features change. With closed-source code from a manufacturer, the user relies more on security through obscurity and blind 'trust'.

4) Sure, but that can be said about anything. I would argue that with a common codebase, it would be easier to secure and implement best practices across the board, and the more users adopting the base software, the more attention can be focused on any remediation and patching when an issue does arise, versus hoping a manufacturer still supports your device, scans for the vulnerability and releases an update on their time. Many manufacturers already use openwrt. This is also why the upgrade path to a vanilla build, or the latest and greatest version can be flashed directly through the existing branded UI, like a normal firmware update.

Another thing to note, openwrt can run on many different platforms, including x86 PCs. Someone earlier in the thread was concerned about flaws/backdoors in chips, and while this is a valid concern, you can choose to run openwrt on almost any hardware platform, and avoid those designed/produced by entities you don't trust. However due to manufacturing or supply chain attacks, this could still affect anyone.
 
But are PCs more secure than routers?
One important difference is that an external host can initiate an IP connection with a router, but most home routers are set up to block external hosts from initiating IP connections with PCs on the LAN side. In other words, the external attack surface for PCs is much smaller than for routers.
 
One prime example where the FCC needs to tighten certification standards is LED lights. The cheap ones from Amazon and Walmart are extremely noisy when it comes to EMI and RFI.
I had no idea. Roughly what is the range on that 'noise' interfering with other devices? Is this mainly devices in your home messing with something (what gear is most sensitive?), or something the next door neighbor does (I guess in multi-unit apartments they're pretty close, but what about suburbia?) or farther?

Is this mainly an issue with 'Brand X' LED lights, or also the brands we'd recognize?

Finally, is there a reasonably affordable gadget to detect this noise? Sort of like an EMI/RFI 'geiger counter' or WiFi sniffer type thing?
 
I had no idea. Roughly what is the range on that 'noise' interfering with other devices? Is this mainly devices in your home messing with something (what gear is most sensitive?), or something the next door neighbor does (I guess in multi-unit apartments they're pretty close, but what about suburbia?) or farther?

Is this mainly an issue with 'Brand X' LED lights, or also the brands we'd recognize?

Finally, is there a reasonably affordable gadget to detect this noise? Sort of like an EMI/RFI 'geiger counter' or WiFi sniffer type thing?

I don't remember the brands from Amazon. The noisy LEDs from Walmart are their Great Value brand.

These cheap and noisy LED lights will cause static noise on my VHF and HF radios. The offending LED lights have to be fairly close before they mess with VHF radios. But a neighbor's lights will definitely interfere with HF frequencies.

The worst time of the year for interference is Christmas time when everyone hangs up those cheap LED Christmas lights.

Solar panels and solar charging controls are another common source of EMI/RFI noise.

Most people won't really notice the EMI/RFI issues unless they run scanners or two way radios in the house. A lot of consumer devices are noisy. Phone chargers are another major source for EMI/RFI noise. The cheap ones from Amazon and gas stations are the worst.
 
I also had to swap all of my network cables out with shielded CAT6 and shielded RJ45 connectors. The unshielded cables were causing RF noise on my HF radios.

And you definitely want to use shielded CAT6 cables if you are using POE devices.
 
Finally, is there a reasonably affordable gadget to detect this noise? Sort of like an EMI/RFI 'geiger counter' or WiFi sniffer type thing?
While not reasonably affordable, the go to instrument is called a spectrum analyzer. A more affordable option is a multi-band radio receiver with some sort of indication of signal strength, e.g. a shortwave radio receiver.

LED light strings can be a nuisance as the "D" in LED stands for diode. Diodes often send a pulse of "reverse recovery current" that produces interference over a wide band of frequencies and the long wires used in LED strings make for a good antenna.
 
LED light strings can be a nuisance as the "D" in LED stands for diode. Diodes often send a pulse of "reverse recovery current" that produces interference over a wide band of frequencies and the long wires used in LED strings make for a good antenna.

I've seen people use LED Christmas lights as a HF antenna. I saw a video where a guy was using his Christmas lights as an antenna and kept bumping up the power output on his amplifier to see how many watts it would take before the lights blew.

On topic.

Like I said, I can see the FCC getting stricter on the certifications of consumer devices to help eliminate EMI/RFI interference issues. But I still can't see an outright ban, especially for security reasons.
 
Is it really security or an unrealistic attempt to bring back manufacturing?
Think about which company is the only one that is already assembling in the US.
It's StarLink.
Do you know what this is now?
It's not about security, it's not about bringing back manufacturing. It's about a rich man putting money in another rich man's pocket.
 
Starlink has their routers locked down to the point that residential account owners can't even open up ports or make very many changes to their router configurations. Starlink makes you upgrade to a commercial account to unlock those features.

Several people I know have Starlink residential service and can't open up the needed TCP/UDP ports to use their Allstar nodes. Starlink makes you upgrade to a commercial account in order to open up ports.

Allstar nodes are basically VOIP devices that allow one to use two way radios over the internet.
 
Starlink has their routers locked down to the point that residential account owners can't even open up ports or make very many changes to their router configurations. Starlink makes you upgrade to a commercial account to unlock those features.
There's not a lot of high quality competition in their demographic from what I've seen - rural users without access to good cable or fiber optic service. My parents use StarLink; they previously had DSL (CenturyLink), and it wasn't just slow, it was painfully slow when we visited them. Their switch to StarLink made casual web browsing for us while Dad watched YouTube videos 'normal' instead of 'let's watch paint dry.'

So if they want to restrict features only a small minority use to wring more money out, pay up or do without, what're you gonna do?

The consumer router market for suburbia and urban areas is way different. TP-Link, ASUS, NetGear and Eero, plus more. This difference even shows up in reviews; StarLink - better than your other options. Mainstream routers - they break down how many ethernet ports and what their speeds are in each spectrum, is it tri-band, etc.

So if this ban narrows the market to fewer players able to release new models, we could get inferior feature sets.

Like I said, I can see the FCC getting stricter on the certifications of consumer devices to help eliminate EMI/RFI interference issues.
I assume it probably involves a wild guess, but any opinion on how much doing that is apt to add to the cost of a router? Say I buy a new $200 WiFi 7 router today, and next year buy another one but with less EMI/RFI noise. We talking a couple of bucks, 10 bucks, 20, what? If we end up paying 'Made in America' manufacturing prices on top of that, it could add up.

On a positive note, I suspect we're years away from WiFi 8, and online articles suggest WiFi 8 is mainly about improving reliability/quality of WiFi rather than speed. So, if Wifi 7 (and for that matter, 6E, which I use) handily does the job, we may not need newer model routers anytime soon.
 
I have a TP-Link Deco BE11000 wifi 7 system. For me, it's working amazingly well. Literally 100% uptime for over a year. Fast, with wifi 7 MLO-compatible devices getting 950+ Mbit to/from the internet (maxing out my 1Gbit ISP and main switch). No issues with device dropping or dead zones in the house or yard. It's as bullet-proof as any wifi access point I've ever used. Very much Apple-like "it just works." Bought it at Costco with 3 nodes for $399.

This replaced a rather expensive Orbi wifi 7 system that was absolute garbage. Devices dropping at random, including phones, iPads, MacBooks and smart home IoT devices like cameras and thermostats. Inconsistent speeds. Terrible coverage no matter where I moved the nodes to or how many I activated (experimented with everything from two to four). Tried every combination of changing channels, wired versus wireless backhaul, etc. Ripped it all out and replaced it with the Deco noted above, essentially losing the cost of the system (nearly $1000 with 4 nodes).

The garbage Orbi was an attempt to replace an aging cluster of Apple AirPort Extreme AC access points. While they were working well enough, and were extremely stable, they seemingly topped out around 650Mbit/s on a good day and of course were no longer receiving firmware updates and security patches. Theoretically they should have been faster than that, but never got there. Perhaps the number of wifi devices was overwhelming it (over 30 between various phones, tablets, laptops, and IoT devices; everything else that could be connected to ethernet was).

I use a Firewalla Gold SE as a router, so I can see where my IP traffic goes, and get notified if one of my IoT devices (including the Deco access points themselves) accesses any IP addresses in China. I've got automatic Deco firmware updates turned off (who knows if that setting is trustworthy or not). I've not noticed any suspicious traffic since I've owned the TP-Link, but of course it's easy enough to hide malicious firmware in a file downloaded from any domestically-located AWS server.

I'm not terribly excited to potentially replace my TP-Link Deco with an expensive industrial-grade Ubiquiti or Cisco system or something. So much uncertainty about it all... so I'm not going to even consider replacing any equipment until it becomes critical to do so.
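
The monitoring idea in the post above, and its caveat that a download from a domestically hosted server would not trip a country-based alert, as an added example that is not part of the original thread and is not Firewalla's code: it flags flows to a watched range and, separately, flows that fall outside a per-device baseline. The log format, device names, baseline and address ranges are all constructed for illustration (the ranges are RFC 5737 documentation blocks standing in for real GeoIP data).

```python
import ipaddress
from typing import NamedTuple

# Constructed stand-in for a country range from a GeoIP database.
WATCHED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Hypothetical baseline: the only destinations each device is expected to reach.
BASELINE = {
    "deco-ap-1": [ipaddress.ip_network("198.51.100.0/28")],
    "thermostat": [ipaddress.ip_network("198.51.100.32/28")],
}

# Constructed flow records: timestamp device dst_ip dst_port bytes_out
SAMPLE_FLOWS = """\
2025-01-10T03:12:01Z deco-ap-1 198.51.100.5 443 1840
2025-01-10T03:12:07Z thermostat 198.51.100.40 443 912
2025-01-10T03:14:55Z thermostat 203.0.113.77 8883 2210
2025-01-10T03:20:31Z deco-ap-1 192.0.2.200 443 7340032
malformed line
"""


class Flow(NamedTuple):
    ts: str
    device: str
    dst: object  # ipaddress.IPv4Address or IPv6Address
    port: int
    bytes_out: int


def parse_flows(text):
    """Parse flow lines, silently skipping anything that does not fit the format."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, device, dst, port, nbytes = parts
        try:
            flows.append(Flow(ts, device, ipaddress.ip_address(dst),
                              int(port), int(nbytes)))
        except ValueError:
            continue
    return flows


def reasons_for(flow):
    """Return the list of reasons this flow deserves attention (empty if none)."""
    reasons = []
    expected = BASELINE.get(flow.device)
    if expected is None:
        # A device with no baseline cannot be judged; surface it rather than pass it.
        reasons.append("no-baseline")
    elif not any(flow.dst in net for net in expected):
        reasons.append("off-baseline")
    if any(flow.dst in net for net in WATCHED_RANGES):
        reasons.append("watched-range")
    return reasons


def find_alerts(text):
    """Return (device, destination, reasons) for every flow with at least one reason."""
    alerts = []
    for flow in parse_flows(text):
        reasons = reasons_for(flow)
        if reasons:
            alerts.append((flow.device, str(flow.dst), reasons))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_FLOWS):
        print(alert)
```

The fourth sample flow is the case the post worries about: its destination is outside the watched range, so only the baseline check reports it.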
 