Posted by moonka 19 hours ago
https://www.fcc.gov/document/fcc-adds-routers-produced-forei...
https://docs.fcc.gov/public/attachments/DA-26-278A1.pdf
https://www.bbc.com/news/articles/c74787w149zo
https://www.cnet.com/home/internet/fcc-bans-foreign-made-rou...
The FCC maintains a list of equipment and services (Covered List)
that have been determined to “pose an unacceptable risk to the
national security
Recently, malicious state and non-state sponsored cyber attackers
have increasingly leveraged the vulnerabilities in small and home
office routers produced abroad to carry out direct attacks against
American civilians in their homes.
Manufacturers have never had to care about security because no Gov agency would ever mandate secure firmware. This includes the FCC which license their devices and the FTC who (until recently) had the direct mandate to protect consumers.
Our most recent step backward was to gut those agencies of any ability to provide consumer oversight. All they they can do now is craft protectionist policies that favor campaign donors.
The US has a bazillion devices with crap security because we set ourselves up for this.
The problem is that "secure firmware" is a relativistic statement. You ship something with no known bugs and then someone finds one.
What you need is not a government mandate for infallibility, it's updates. But then vendors want to stop issuing them after 3 years, meanwhile many consumers will keep using the device for 15. And "require longer support" doesn't fix it because many of the vendors will go out of business.
What you need is the ability for consumers to replace the firmware.
That solves the problem in three ways. First, when the company goes out of business you can still put a supported third party firmware on the device. Second, you can do that immediately, because the open source firmwares have a better security record than the OEMs to begin with. And third, then the device is running a widely used open source firmware instead of a custom device-specific proprietary black box, which makes it easier for the government or anyone else who is so inclined to find vulnerabilities and patch them.
So, we don't need an electrical code to enforce correct wiring. We just need a kind soul driving by our house to notice the company who built our house wired it up wrong. Then that kind person can inform the company of the bad wiring.
And if the company agrees it's their wiring at fault, we can wait 3 months for a fix. Then the next month another kind soul finds more bad wiring. And we just have to hope there is an army of kind strangers out there checking every building built by every company. And hope in the meantime that the building doesn't burn down.
Meanwhile, people have to live with bad wiring for years, that could have been completely prevented to begin with, by an electrician following the electrical code we all already agree on.
For an analogy to work, its underlying elements should have a relation to the target. Your analogy is not in the same universe. For electrical work, there is a baseline of materials and practices which is known to produce acceptable results if adhered to. For software, there isn't. (Don't tell me about the Space Shuttle. Consumer software doesn't cost tens of millions and isn't written with dedicated teams over the decades.)
The Space Shuttle sure blew up a lot for something with that much process applied.
Many of these devices have security flaws that are horrific and out of best practices by over a decade.
Just having something like "Have a bonded 3rd party security team review the source code and running router software" would solve around 95% of the stupid things they do.
Software absolutely has baseline materials, have you never written software before? Never used a library? Programming language? API? Protocol? Data format or specification? CPU instruction? Sorting algorithm? A standard material is just a material tested to meet a standard. A 10d nail is a 10d nail if it meets the testing specs for 10d nails (ASTM F1667). Software can be tested against a spec. It's not rocket surgery.
No known practices with acceptable results?? Ever heard of OWASP? SBOMs? Artifact management? OIDC? RBAC? Automated security scanning? Version control? Code signing? Provenance? Profiling? Static code analysis? Strict types? Formal proofs? Automated testing? Fuzzing? Strict programming guidelines (ex. NASA/DOD/MISRA/AUTOSAR)? These are things professionals know about and use when they want standard acceptable results.
What are you talking about re: space shuttle and tens of millions? Have you actually read the coding standards for Air Force or NASA? They're simple, common-sense guidelines that any seasoned programmer would agree are good to follow if you want reliability.
I think the problem here is there's too many armchair experts saying "Can't be done" when they don't know what they're talking about, or jaded old fogeys who were on some horrible government project and decided anything done with rigor will be terrible. That's not the way it is in the trades, in medicine, in law, and those folks actually have more to think about than software engineers, and more restrictions. I think SWEs are just trying to get out of doing work and claiming it's too difficult, and the industry doesn't want to stop the free ride of lack of accountability it's had for decades.
AI is going to introduce 100x more security holes than before, so something will have to be done to improve security and reliability. We need to stop screwing around and create the software building code, before the government does it for us.
Those standards aren’t related to the functionality or security of the router.
Trying to make analogies from software to hardware will always fall down on that point. If you want to argue that there should be stricter security & correctness requirements for routers, maybe look more toward "here is how people actually treat them in practice" with regard to ignoring updates...?
As in my example, some random stranger needs to first find out your "house" (the vendor's software) is wired wrong. And this needs to happen for every "house" (every piece of software). While waiting for this to be discovered, your house burns down (hackers penetrate millions of devices, or perhaps just Microsoft Sharepoint that the govt is uses).
I don't think that's enough. Most people aren't going to replace the firmware on their device with an open source replacement made by someone else. Now if the firmware was required to be open source, and automatic updates could be seamlessly switched over to a non-profit or government agency in the event of the company going out of business, you might have something. But there would be a lot of details to work out.
That "genericness" is what's missing in the router space. Literally every consumer router that comes out has some super proprietary design that's meant to be replaced in its entirety in 3-4 years. Many can run Linux, sure, but how many have a replaceable/upgradable board? How many are like a PC where you can install whatever OS you want?
Sure, you can forcibly flash a new OS (e.g. OpenWRT) but that is a hack. The company lets you do that because they figure they'll get a bit more market share out of their products if they don't lock the firmware so much. They key point remains, however: They're not just hardware—even though they should be!
The world of consumer routers needs a PC-like architecture change. You can buy routers from companies like Banana Pi and Microtik like this but they're not marketed towards every-day consumers. Mostly because they're considered "too premium" and require too much expertise to setup.
I think there's a huge hole in the market for consumer-minded routers that run hardware like the Banana Pi R4 (which I have). When you buy it, you get the board and nothing else. It's up to you to get a case and install an OS on it (with OpenWRT, Debian, and Ubuntu being the normal options).
We need something like the Framework laptop for routers. Not from a, "it has interchangeable parts" perspective but from a marketing perspective. Normal people are buying Framework laptops because geeky friends and colleagues recommend them and they're not that much more expensive/troublesome than say, a cheap Acer/Asus laptop.
This is the most thoughtful comment I've seen on this topic. I hadn't even considered this approach, but you're right. The hardware needs to be commoditized in a way that makes the software a layer that can be replaced. Someone else said this but in a way that described flashing a third-party package as HN nerds would. That's too much effort and it won't work.
It should be as generic as PC hardware. Every router manufacturer should build devices that can run the OSes of all their competitors' devices and vice versa. Maybe some features won't work with the other company's OS cause it isn't designed for that, but overall it ought to be replaceable. "Normal people" still wouldn't flash a new OS, but making it an option is a step towards making devices more secure.
If every router could get a new OS as easily as your techy friend could install Firefox or an ad-blocker or whatever else, we'd start the long march to a real longterm solution.
Or they could just run an existing open source OS, like openwrt.
i will allow sunsetting and removing ipv4 after 2020 (that is more that 5 years ago)
What they're actually trying to do is obsolete the devices faster because then they won't add new protocols or other software-only features to older devices so you have to buy a new one, or only expose features in more expensive models that the less expensive hardware would also be capable of doing. Which is all the more reason for us to not have that.
And if they were required to allow anyone to replace the firmware then you would get companies reflashing and selling them that way from the store because the free firmware has more advertisable features. There's a reason you can go to major PC OEMs and pick between Windows, Linux and "don't even install one" and the reason is that if you give customers a choice, they generally don't want their software to be made by the OEM.
This is exactly why. Obsoleting older devices keeps (in their eyes) the purchase treadmill running. Making a device that could be updated forever means never making another sale to that user (unless some physical failure happens, or the user wants a second one).
Anyhow, this is a common enough practice. Many companies that provide infrastructure type software and sell to Fortune 500 companies often have a clause whereby they deliver their software to their customers if the shut down.
And you can't wait until after they're dead to have them do something. By then they're gone or judgment proof because they're already bankrupt. Especially when you're talking about companies that aren't in the jurisdiction because you can't even make them do anything when they're already not shipping products to you anymore. It has to be from Day 1.
There was a promising design from Azure Sphere for 10 years of IoT device Linux security updates from Microsoft, even if the IoT vendor went out of business. This required a hardware design to isolate vendor userspace code from device security code, so they could be updated independently. Could be resurrected as open standard with FRAND licensing.
A decade of security updates for routers would require stable isolation between low-level device security and IoT vendor userspace. In Sphere, the business model for 10 years of paid updates was backed by hardware isolation. Anyone know why it didn't get market traction? There was a dev board, but no products shipped.
Oh gee. Maybe because no one sane looks at an industrial product adversarially built to confine and prevent the end user from doing anything to it and wants anything to do with it? It isn't rocket science. If I can't buy it and get a damn manual and programming tools to twiddle all the bits, I'm not adopting. Not even at gunpoint, or if you're the last supplier on Earth. I won't be held voluntarily hostage because a bunch of corporate types, and bureaucrats decided to work together to normalize adversarial silicon. Multiply by everyone I know, and anyone with enough braincells to rub together to pattern match "regulatory capture" and "capitalist rent seeking". You can call me a bore if you want. The incentives are completely unaligned, as this place is so fond of saying. End user adoption is built on faith in product. End user capacity to have faith in the product is based on the capability of the technically savvy purchaser to keep the thing running, repair, understand, and explain it to the non-technically savvy. I look at adversarial silicon isolating me from the hardware; I have to sound off-my-rocker to my non tech-savvy friends family to actually explain that yes, there are industrial cabals out to keep you from doing things with the thing you bought.
It doesn't make any business sense, or practical sense whatsoever. Don't bother quoting regulations that demand the isolation (baseband processors and radio emission regulations) at me. Yeah. I know. I've read those too.
Get over business models that require normalized game theory, and we can talk. Until then, enjoy never having nice things catch on. Hint: your definition of "nice" (where I can't control how it works after purchase) is mutually exclusive with things I'm willing to syndicate as "nice". Nice people don't manipulate others.
Hence the isolated device security hardware should be an open standard with FRAND licensing. If devices ship with a prepaid commercial license for 10 years of device security updates from BIG_CO, the default commercial baseline would be raised independent of IoT vendors. Tech-savvy users could then have the option to replace the device security layer with the OSS _or_ competing commercial stack of their choice.
Which is not a real issue in practice. It's like arguing that warranty doesn't matter because the vendor might go out of business.
> That solves the problem in three ways.
That alleviates the problem, but definitely doesn't solve it. Updates are still required, and most people will never update devices they don't directly interact with.
Continue your chain of reasoning: DNS name becomes unmaintained, gets grabbed by open source / foundation / gov agency, pushes open source firmware update.
Same thing happens today with botnet C&C servers.
Tough shit. You provide updates for the mandated amount of time, or you lose access to the market. No warnings, you're just done.
> And "require longer support" doesn't fix it because many of the vendors will go out of business.
Source code escrow plus a bond. The bond is set at a level where a third party can pay engineers to maintain the software and distribute updates for the remainder of the mandated support period. And as time passes with documented active support, the bond requirements for that device go down until the end of the support period.
Requiring that the customer be allowed to replace the firmware is essential, I agree, but not for this reason. That requirement, by itself, just externalizes the support costs onto open source communities. Companies that sell this sort of hardware need to put up the resources, up front, irrevocably, to ensure the cost of software maintenance is covered for the entire period.
Personally I don't buy consumer router hardware that I can't immediately flash OpenWRT on, but that option is not suitable for the general public.
The real problem is: assuming that firmware can be updated, how do you run a nationwide update programme overcoming a population that doesn't really care or have the skills to do it.
Vehicle safety standards (mandated annual safety checks like the UK MoT test) is the closest analogy I can think of - in the UK you can't insure your car without a valid MoT. If you were serious, then maybe tying ISP access to updated router firmware would be the way to go.
Do you mean 'out of business so they cannot provide updates'?
Because, if you mean cheap companies won't be able to provide updates and stay in business, surely that's the point. Companies would have to shim to a standardised firmware that was robust, or something, to keep costs down.
Isn't this all to protect USA business interests and ensure the Trump regime can install their own backdoor though?
How does one ensure the support for the devices is funded?
You managed to say that with a straight face!
Let's keep this ... non partisan. You might recall that many vendors have decided to embed static creds in firmware and only bother patch them out when caught out.
How on earth is embedded creds in any way: "no known bugs"?
I think we are on the same side (absolutely) but please don't allow the buggers any credibility!
You misunderstand how organizational knowledge works. You see, it doesn't.
Some embeds the credentials, someone else ships the product. The first person doesn't even necessarily still work there at that point.
Remember that time NASA sent a Mars orbiter to Mars and then immediately crashed it because some of them were using pounds and the others newtons? Literally rocket scientists.
The best we know how to do here is to keep the incentives aligned so the people who suffer the consequences of something can do something about it. And in this case the people who suffer the consequences are the consumers, not the company that may have already ceased to exist, so we need to give the consumers a good way to fix it.
It doesn't matter. When you are building software, you build a security process, not security individuals or stuff like this happens.
>orbiter to Mars and then immediately crashed
Right, and it cost NASA 1.4 billion+ is direct losses to them. With software writers the losses occur to the end user.
Enterprise must be able to pay for support for as long as they use devices. Solved.
I can only think of requiring the devices to be serviceable, as you say. The absolute only way I can think of charging the consumers, ie the owners, is to charge a tax on internet connections. Then the government would pay somehow vulnerability hunters working along patchers, who can oversee each other.
Consumers are tricky: if you include support in the sale price, the company will grab the money and run in 3 or 5 years; and some companies will sell cheaper because they know they won't provide support.
The problem is not that people need a free meal. The problem is that people need the ability to eat some other food when the OEM's restaurant is closed or unsatisfactory.
Who ensures the maintainers for these routers are incentivized to do this competently and in a timely fashion?
You haven’t answered these key questions, which are equally or more important than whether a community firmware can be applied.
Businesses aren't incentivized to maintain it and hoping that the community can support it by opening it is perhaps necessary, but it's far from sufficient.
Either the business or maintainers need to be sufficiently incentivized--whether it's through funding, reputation, or something else (graduate-student torture).
No it isn't, software formally verified to EAL7 is guaranteed to be secure.
Then what's KPTI etc.?
> which also needs to be formally verified for a secure system.
Now we just need a correct and complete theory of quantum mechanics and to do something about that Heisenberg thing.
In general formal proofs tell you if something is true given a stipulated set of assumptions. They don't tell you if one of the stipulated assumptions is wrong or can be caused to be wrong on purpose by doing something nobody had previously known to be possible.
Even EAL7 can't guarantee anything. It can only say that the tools used for verification didn't find anything wrong. I'm not saying the tools are garbage, but the tools were made by humans, and humans are fallible.
Interestingly, Europe is about to try this: the Cyber Resilience Act is going to become obligatory for all sold digital products (hardware & software) by the end of 2027, with a bunch of strict minimum requirements: no hardcoded default passwords, must check for known vulnerabilities in components/dependencies, encryption for data at rest, automatic security updates by default (which must be separate from functionality updates), etc.
Remains to be seen whether this'll help, but good to see somebody have a go at fixing this.
Maybe I'm being an idiot but it seems like a lot of extra complexity to protect against really only physical attacks where someone directly steals the data storage.
Plenty of consumer-grade devices have had very lax security settings or backdoors baked in for purposes of “troubleshooting” and recovery assistance. It’s never been limited to foreign-made devices.
Security has never been part of the review process. The only time any agency has really cared is when encryption is involved, and that’s just been the FBI wanting it to be neutered so they can have their own backdoors.
The FCC licenses devices to the extent that devices can cause spurious transmissions in the radio spectrum. It’s not a general consumer protection agency. Computer security also is outside the mandate of the FTC, which exists to protect consumers from anticompetitive conduct and unfair business practices, not crappy products.
They regulate broadcast TV. Those rules leak into cable TV because the originators generally want content that can be sold for broadcast in the future and is advertiser friendly. Cable operators are also often beholden to community standards imposed by municipalities they serve. The FCC isn't responsible for content restrictions on cable.
The FCC also regulates interstate wire transmissions.
But ultimately, you're not quite getting it right. It's all RF, it's just that we sometimes choose a really shitty wire called "the atmosphere".
Sounds like it does to me. Also you're forgetting the part where the FTC under a prior administration either banned DLINK from selling in the US or heavily fined them for selling routers in the US that they knew were running insecure, buggy firmware.
(both quotes were taken verbatim from first, Netgear's US website, and secondly the Bureau of Consumer Protections' section of the FTC's website)
Not that any consumer router is super nice and safe, honestly, you're better off making your own these days.
True, but the country of manufacture is related to the risk of back doors.
There is a huge security problem (everywhere, not just the US) with insecure consumer devices (not just routers, everything from Wi-fi enabled lightbulbs to cars). AT least someone seems to be waking up to the problem even if their solution is half-baked.
Sorry but this is merely a convenient excuse. Source: I have hard evidence of a Chinese IoT device where crap security practices were later leveraged by the same company to inject exploit code. It's called plausible deniability and it's foolish to tell me it's a coincidence.
You're not going to convince me that a foreign state actor pressuring a company to include a backdoor wouldn't disguise it as a "whoopsie, our crap code lol" as opposed to adding in the open with a disclaimer on it.
It's all closed source firmware. Even the GPL packages from most consumer router vendors are loaded with binary blobs. Tell me I should trust it.
(That is not to say that the FCC change will move the needle on the underlying issue of router security; as some of the ancestor comments have said, lax security practices are common industry-wide, irrespective of country of development/manufacture.)
[1]: https://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa...
Here, we're discussing product as shipped, not product intercepted and modified. We're discussing if products are shipped secure or not.
The Snowden disclosures are important, but not relevant in this case.
Having state actors redirecting products after shipping, without telling the company or the client it's happening, and installing backdoors, has nothing at all to do with backdoors from manufacturers.
Maybe in theory. I think the practical chance of enforcing anything meaningful through those legal avenues against a US manufacturer is not meaningfully higher than the chance of doing so against a Chinese manufacturer, so it doesn't make sense to treat them differently on these grounds.
Literally your own Congress is not even allowed to review their budget! Not that any US politician even WANTS to know.
Oh, sweet summer child. Disclaiming these possible avenues of liability is the main goal of clickwrap "terms of service".
No, I don't have it but you may check with Santa Claus.
> Producers of consumer-grade routers that receive Conditional Approval from DoW or DHS can continue to receive FCC equipment authorizations.
In other words, foreign-made consumer routers are banned by default. But if you are a manufacturer, you can apply to get unbanned ("Conditional Approval").
In the FAQ (https://www.fcc.gov/faqs-recent-updates-fcc-covered-list-reg...), they even include guidance on how to apply: https://www.fcc.gov/sites/default/files/Guidance-for-Conditi...
If you (a manufacturer) apply, they want information regarding corporate location, jursidiction, and ownership. They want a bill of materials with country of origin and a justification for why any foreign-sourced components can't be domestic. They want information about who provides software and updates. And they want to hear your plan to increase US domestic manufacturing and progress toward that goal.
So, foreign-made consumer routers can still be sold, but they are going to look at them with a fine-tooth comb, and they are going to use FCC approval as leverage to try to increase domestic manufacturing.
That is not what's going to happen. What's going to happen is that anyone coughing up payola to the current executive in chief's people will get approved, and anyone that doesn't will remain blocked. This practice is currently widespread, in the form of tariffs.
if there's really one thing that destroys countries is corruption. being originally from a 3rd world country - I have seen it. now the US is heading towards the same path.
having worked in the IOT industry before - I can tell even domestic manufactures will be forced to pay bribes soon cloaked in 'state secrets' - there's already export laws etc - but now they will be forced to pay for compliance e.g maybe donating the president's vanity project.
Also, the biggest benefactors of payola aren't the politicians, it's the rent seekers, that is the businesses already in place that want to prevent competition. Because of this, they usually directly contribute to the politicians that promise to restrict the path to doing business.
For example, if you want a newest-generation extremely-efficient air conditioner in the US, you won't be able to buy it and even if you could, you wouldn't be able to get anyone to install it. Any given model of air conditioners needs to be on an approved list to be sold in the US, and the installer needs to be on an approved list, too. This means that by the time an air conditioner makes it onto the list, it's already old. Also, installers can require you buy it from them, and almost all do, so by the time time an installer on the list has it for sale, it's even older than that. Ironically this is all enabled by the EPA, on the auspices that they are ensuring that it's energy inefficient, when in reality they are preserving the market for the older, more expensive, and inefficient models.
The old payola model. This new model encompasses the old one and adds a neat layer of outright politician bribery on top.
According to SCOTUS in Snyder v. United States, if the payment occurs after the official act, it's a perfectly legal "gratuity."
Dario (CEO of Anthropic) said the DoW contract violations and threats were direct retaliation for not paying Trump "campaign" money. Later, he was forced to apologize for speaking the truth.
Wow NGL this sounds great if you ignore the reality that it'll be used as a partisan backdoor to enriching the administration.
This comb likely is designed to extract loose $1M checks from the foreign manufacturers.
by giving daddy trump his taste, no doubt.
You're assuming a non-partisan technocratic process, which this administration has amply shown is neither capable nor willing to provide. This requirement becomes another opportunity for Pay-to-Play, either in cash or quid pro quo, to the government directly (see, e.g., NVidia and AMD export allowances) or to Trump's inner circle (see, e.g., crypto venture regulation, merger approvals).
People who care about the problems of digital security are not going to lean into the idea of simply banning devices based on where they were manufactured. Rather they would work at general standards and solutions to actually solve the problems - things like untying the markets for hardware/firmware/services, requiring firmware source escrow, mandating LAN protocols and controllers so every single IoT device isn't backhauling to its own mothership, and so on.
Likewise people who care about domestic manufacturing first and foremost are not going to champion applying steep blanket tariffs two decades after all of that industry has already left, or using regulatory agencies to shake down manufacturers for unrelated concessions.
No, of course I'm not assuming that. That's not the administration's pattern of behavior, so it would be a crazy assumption.
I agree it'll be abused. I just didn't feel it necessary to state the obvious.
Yes china routers are a liability, but free trade and open market ensure at least one thing that's essential : no single state has surveillance capability on its entire population
I took a screenshot to share if anyone is interested
This is about full domestic control of the internet. For both ingress and egress.
Remember how Iran likely murdered thousands of protestors a few months ago, but we don't actually know? They want to be able to do that here.
The OpenWRT One [1] sponsored by the Software Conservancy [2] and manufactured by Banana Pi [3] works lovely.
[1] https://openwrt.org/toh/openwrt/one
[2] https://sfconservancy.org/activities/openwrt-one.html
[3] https://docs.banana-pi.org/en/OpenWRT-One/BananaPi_OpenWRT-O...
If it was required they would do it.
If the software is an important differentiator (arguably, it is for things like Ubiquiti, but clearly it is not for most consumer routers), then release the patches under the Business Source License with a 3-5 year sunset back to BSD / Apache / GPL.
Even if this wasn't done, at the very least they must publish their software testing procedures, the way UL, ETL, and CSA require to certify devices for the US power grid. (https://www.komaspec.com/about-us/blog/ul-etl-csa-certificat...) They can also do black box testing.
But ideally they would actually inspect the software to ensure its design is correct. Otherwise vibe-coded apps with swiss cheese code will be running critical infrastructure and nobody will know until it's too late.
In its defense, there's some practicality to it; we wouldn't say that a "get out of debt" plan that involved spending all available money on lottery tickets is worthwhile because "its not gonna happen". But defeatism is just a shortcut to say "I don't want to talk/think about it" in many cases.
And in this one, if the US Gov't required that all routers purchased by any agency they could influence had the ability to run open source code it would certainly shake up the market.
Why? You'd need to get someone electorally useful involved. That, unfortunately, elimiates a lot of the nihilistic, holier-than-thou tech types. But that's pretty doable nowadays. You just need an electorally-relevant group of people on your side.
The difficulty of installing OpenWRT or Linux in general on hardware comes from that hardware not being documented, or not having straightforward APIs like BIOS/EFI.
Or for some devices, community distributions that dubiously remix manufacturer-supplied binaries are available. But we generally see that as soon as the manufacturer stops their updates, the community versions start lagging behind as well.
Oh, no, not this again!
> But we generally see that as soon as the manufacturer stops their updates, the community versions start lagging behind as well.
Care to demonstrate that?
The reason OpenWrt abandoned most routers was
1) insufficient flash space in the kernel partition, or insufficient total flash space in no-USB, no-SPI routers,
2) unwillingness to repartition flash because it breaks compatibility with official firmware (as if anyone installing OpenWrt would care),
3) insufficient RAM to run newer kernels
and, most importantly,
4) unwillingness to support older kernels like DD-WRT does.
What are you referring to? Would you not say there is a difference between OpenWRT having to make a list of supported whole systems, whereas an amd64 Linux distribution making a list of chipsets? I can go buy an off the shelf laptop, stick a generic "Linux install" USB in it, and be reasonably certain most things are going to work. Whereas OpenWrt I have to look at their list of supported machines, and buy exactly that one, even down to the hardware rev. Some of this is due to embedded constraints, but a good chunk is also due to the lack of hardware discoverability.
>> community distributions that dubiously remix manufacturer-supplied binaries are available
> The reason OpenWrt abandoned most routers was
I didn't mean things like OpenWrt, which I'd say is a general Linux distribution that does contortions to fit on specific devices. Rather I was talking about things like Valetudo which are closer to rooting the stock distribution with some tweaks, or the countless "custom ROMs" you see (saw?) in the phone world which are effectively remixing the manufacturer images. I thought DD-WRT was in that camp, especially for many devices (eg where do these "older kernels" come from?), but I'm hazy on that.
(personally I gave on up OpenWrt some 10 years back, and just use generic Linux (NixOS) on amd64. A VM on my server for the router, and lower-power amd64 boards for the additional APs (most of which double as Kodi terminals))
Self ownership and full 'right to repair' has carve-outs in the FCC's regulations in the name of limiting unintentional broadcasting/radiation. Maybe a challenge to those would survive in the post-Chevron environment. I wouldn't expect any Congress in the last 25 years to pass a law which would go against the incumbent telecom lobbyist interests though, and I'd expect such a hole if it did hit case law, to get 'patched' fairly quickly.
About the only way to really solve that would be to embarrass vendors enough to open their moats.
(To be clear, I don't think that's good enough; at a minimum I think there should be a wifi card that does refuse modifications and a main application processor that is 100% user controlled so that they can actually fix problems without needing the vendor to help, but I think it's useful to point out that auditing code doesn't require being able to install it)
This is already the case today with many embedded devices. They have secure boot enabled so even if the vendor releases the GPL source code (big if), you can't do anything because the device will only boot the vendor's signed firmware.
> at a minimum I think there should be a wifi card that does refuse modifications and a main application processor that is 100% user controlled so that they can actually fix problems without needing the vendor to help
This is already possible. The RF components frequently have a signed firmware blob that is verified on load. There is no reason but planned obsolescence and greed keeping the application processor locked to running the vendor's signed code.
That sounds like what Software Freedom Conservancy would call a GPL violation:
https://sfconservancy.org/blog/2021/mar/25/install-gplv2/ https://sfconservancy.org/blog/2021/jul/23/tivoization-and-t... https://events19.linuxfoundation.org/wp-content/uploads/2017...
Sure, it is. So what? Have you got 200k for lawyers and years of your life to spend in court fighting over it?
I have personally contacted the SFC with ample evidence of deliberate and wilful GPL violations, such as providing a written offer for source code and then ignoring or flat out refusing requests for the source code. The SFC has acknowledged the vendors are violating the spirit and letter of the GPL.
Nothing happens. The SFC is one organisation with limited resources, FOSS developers don't want to spend their time in court, they'd rather develop software. Vendors know 9 times out of 10 they will get away with the GPL violation scot-free.
It's fine to put on your rose colored glasses and pretend GPL forces companies to release source code. Reality is, the vendors have a larger marketing budget than the entire SFC endowment and the vendor's legal team is happy to tar-pit requests ad infinitum.
It's very difficult to inspect a laid out chip for nefarious elements - there's too much of it to do manually. Having a secure supply chain is probably the best way to prevent that happening.
Which is not to say that I support this rule - it sounds like another import weapon trump can swing against people who aren't his friends.
Very few companies make the chips too. It'd be very easy for the government to force them to add backdoors.
Trusted, qualified independent experts: Ala Underwriters Laboratories.
I get the desire to not have to trust a third party, but realistically, there isn't a way to function without doing so, outside of going out and living in the forest in a cabin you've built yourself, either doing without electricity, or with solar panels you've built yourself from raw materials.
Human processes aren't like computers. They're messy. They fail sometimes. They need checks and balances. Sometimes those checks and balances don't work. Sometimes the checks only work well after the fact, and the people who were harmed aren't all made whole.
That's life. We probably can't do much better.
Some trust has to be created through testing standards and the law, but generally we do believe what the label says in day to day life.
Detection of the car being on a rolling road, special button combos that trigger the emissions testing map, etc
Maybe trusted community of people could do it for everyone, but there's currently all kinds of potential legal trouble brewing in that approach. Complete and public reverse engineering of every aspect of any device would have to be made completely legal, so that people could freely publish all artifacts extracted from a device and produced during reverse engineering and collaborate on them without any fear of repercussions. Also HW manufacturers would have to be prohibited from NDAing documentation for SoCs, etc.
Side benefit would be that this would also serve as a documentation for freeing the device and developing alternative firmwares with modernized sw/reduced attack surface.
The FCC's power just got substantially nerfed, and "we've decided to slow lane all foreign-made routers" feels like that may have been beaten on the old, higher, standard. Let alone the new one that gives the FCC almost no power.
Are there even consumer-grade routers that are produced in the USA...?
[1] https://www.heise.de/en/news/USA-bans-all-new-routers-for-co...
> As outlined below, today’s action does not impact a consumer’s continued use of routers they previously acquired. Nor does it prevent retailers from continuing to sell, import, or market router models approved previously through the FCC’s equipment authorization process. By operation of the FCC’s Covered List rules, the restrictions imposed today apply to new device models.
I’m sure plenty of US factories are capable of importing boxes that look like routers but are actually just switches (because the router firmware is missing) and re-flashing them here…
> In conjunction with original software development, Island is designed and assembled in the USA to improve security and enable tighter quality control throughout the entire production process. The code for Island routers has only been loaded internally at Island HQ in the U.S; customer support is also managed directly in our U.S. Headquarters.
Starlink?
(Which is why it's a bit ironic I saw the Google Fiber guy post on X about how they always had TPM^TM "security" in their routers; thats cool, but the drivers you used still made them "general purpose computing over the air" devices)
Usually the argument is that X can't be made in the US because China's so good at it that the US could never compete, so we shouldn't even try. But if a company with 367 employees in a country with the population of a medium-size metro area can do it, it proves that argument is bunk.
Assembling them in Latvia, or the US, from internationally sourced components isn't a solution to anything.
> Usually the argument is that X can't be made in the US because China's so good at it that the US could never compete, so we shouldn't even try. But if a company with 367 employees in a country with the population of a medium-size metro area can do it, it proves that argument is bunk.
Unless Latvia is a much better environment for this kind of industry than the US is.
Previous example: https://news.ycombinator.com/item?id=37392676
If companies market the devices as something other than "routers" then consumers will not buy them for routing duty.
(Meanwhile, the non-average people who want to use general-purpose computers as homespun router/NAS/do-all boxes are already aware of how this all works...and many of us have been doing it this way for decades. (Often, this happens alongside dedicated access points that do have good wifi radios.))
I have roommates who are engineers and I had to explain to them the difference between Wi-fi access point and LAN when I replaces our wireless router with a router + 3 APs.
So start your own company called usa router co, and sell some random arm board with a preinstalled router image... the end user won't know the difference.
And superficially, it sounds like a straight-forward thing for me or anyone else to do here in the states, but things get murky quickly: What differentiates a foreign-made router from a US-made router?
Can I get some flunky push the button in his studio apartment in Idaho to flash open (but globally-sourced!) firmware onto some boxes from Alibaba (in exchange for startup promises) and call that good enough?
Do I have to spin up the boards here in the States? And the ICs, too? How about the passive jelly-bean parts like the capacitors and resistors and the antennas?
What of the rest of the device? Like, things such as the housing, the packaging, the power supply, and the included ethernet cable: Do I need to source those from domestic US production or is it OK if they're foreign-made components?
Do I have to produce the software in the States? (If so, Linux is right out.)
Where is the line drawn? How is the line shaped?