USA bans all new routers for consumers
The USA will only allow routers manufactured in the country for consumers from now on. However, such models do not exist.
The USA will immediately stop allowing new routers for the consumer market unless they are manufactured in the USA. The regulatory authority FCC shocked the market with this on Monday (local time). This does not only refer to assembly; rather, the entire manufacturing chain, from design to chips to software, must be exclusively located in the USA and be provided by companies with US ownership and management. This affects routers with and without wireless capabilities.
National security is cited as the reason for the comprehensive ban is cited as the reason for the comprehensive ban. The problem: We have not yet found any consumer router models that are completely manufactured in the USA in terms of volume.
Already approved models may continue to be used and sold. However, the ban, with a rule change from December, means that firmware or software updates for already approved models would also be inadmissible immediately. An exemption permit allows certain software updates until March 1, 2027.
The exception apparently does not apply to updates that introduce new functions. However, security vulnerabilities can still be closed for now, and compatibility issues with operating systems can still be resolved. It remains to be seen whether this permit for restricted software or firmware updates will be extended at the beginning of 2027.
High Hurdles for Exemption Permits
Exemption permits are possible, but they come with such high requirements that only a few manufacturers would likely undertake them. [Update 5:27 AM from here] A separate application is required for each model. This applies to routers that enter general distribution, as well as those distributed by internet providers to customers or sold wholesale for use in companies.
First, the application must include extensive information on company structure, partners and any joint ventures, owners with five percent or more, management, and any possible influence by foreign governments. This is followed by the disclosure of competitive circumstances: all components (bill of materials) including their country of origin, the holders of all relevant intellectual property rights, who is responsible for software updates, where exactly the routers are manufactured, assembled, and tested, where firmware and software come from, information on all single points of failure in the supply chain including alternative plans, and above all, a justification why the device is not manufactured in the USA, why the specific foreign sources were chosen, and what alternatives exist.
Finally, each exemption applicant must submit a “detailed, time-bound plan for establishing or expanding production in the USA” for the respective router. This must be detailed, including already issued and planned investment sums, sources of funds, and exact timelines and milestones. In case of approval, quarterly progress reports are mandatory, and each subsequent application must account for progress on commitments from previous approvals.
Ministry of War or Homeland Security
The application must be submitted to either the Ministry of War or the Department of Homeland Security. Any permits granted will only be for a limited time. On the one hand, circumstances can change, and on the other hand, this serves as leverage to ensure the relocation of production to the USA. And this is meant comprehensively: “Production generally includes any major stage of the process through which the device is made, including manufacturing, assembly, design, and development.”
The concept is explicitly based on the ban on new foreign drone models, which the FCC announced shortly before Christmas. A week ago, the authority issued the first exemption permits: three drone models and a software-defined radio for drones are allowed to apply for distribution permits until the end of the year.
What is a Router?
It is doubtful whether the effort is worthwhile for consumer-grade routers, which typically yield only small margins. This leads to the question of what exactly the FCC means by consumer-grade routers. The authority initially refers to the published summary of a determination by unnamed US intelligence agencies, which in turn refers to a publication by the US National Institute of Standards and Technology (NIST).
In September 2024, NIST submitted proposals to strengthen the – undeniably modest – IT security of routers (NIST IR 8425A). It states: “Routers forward data packets, most commonly Internet Protocol (IP) packets, between networked systems.” In German: “Router leiten Datenpakete weiter, meistens nach dem Internet Protokoll (IP), zwischen vernetzten Systemen.” The FCC does not say more than that.
This encompasses a wide range of devices, from WLAN repeaters to smartphones, and also depends on their specific use. What exactly is meant might depend on the mood at the FCC. It mentions various problems and IT attacks that have been facilitated by security vulnerabilities in routers. It consistently speaks of “foreign” routers, which is true because there are no domestic ones according to the FCC’s definition. The authority does not present arguments that hypothetically US-manufactured routers would be safer.
At the same time, the FCC points out that it is not responsible for the ban but only for its announcement and enforcement. The order comes from unnamed US intelligence agencies. Nevertheless, FCC Chairman Brendan Carr explicitly welcomes the order and is pleased that foreign-produced routers, which were found to pose an unacceptable national security risk, have been added to the FCC’s Covered List.
heise online asked the FCC whether it classifies open-source software as domestically produced.
https://www.heise.de/en/news/USA-bans-all-new-routers-for-consumers-11222049.html