One month ago, the United States Federal Communications Commission put forth a ban on the sale of all Wi-Fi routers made outside the US, giving manufacturers the option to apply for a conditional approval exemption on the agency’s website.
Let’s talk about what this ban is going to mean for your business (and for your entire team’s personal lives) as things progress. Fair warning: things aren’t going to be simple.
Virtually All Consumer-Grade Routers are Now Included on the Covered List
So, what’s the Covered List?
The FCC maintains a list of communications equipment and services deemed to pose a danger to the safety and security of the United States and its residents. Once something is added to the list, its import for either sale or use is banned. As of March 23rd, this list included all foreign-made routers (which turned out to be nearly all of them), as the “foreign-made” distinction encompasses all major manufacturing processes.
For example, let’s say ACME designed a router in Minneapolis, manufactured its components outside Taipei, and assembled it in Fort Lauderdale. That router would be considered foreign-made and could not be used or sold in the US without conditional approval.
While all currently owned or authorized devices are grandfathered in, all new hardware (except Starlink devices and now conditionally-approved Netgear and Adtran routers) will not meet these requirements. Furthermore, these exempt devices will only be allowed to receive updates until March 1, 2027. After that, the software and firmware will remain stagnant, allowing these devices to swiftly become inexcusably insecure.
This Situation is a Cybercriminal’s Dream
Part of a cybercriminal’s job is to undermine the security that protects our daily drivers: all the software and devices that modern businesses rely on. In their efforts, these cybercriminals collaborate and share their findings via the Dark Web, crowdsourcing attack vectors and vulnerabilities. Likewise, developers work to identify and resolve these vectors and vulnerabilities as quickly as possible, ideally before the threat is actively exploited. It’s effectively the new space race, just waged without borders rather than between world superpowers, and taking place in cyberspace.
The other difference is that we already know the ongoing outcome: eventually, a technology is deemed no longer worth the effort to protect, and it is left to the mercy of attackers as developers shift their attention to newer innovations. As a result, the abandoned tech effectively becomes a minefield with more and more buried traps.
Why Were All These Routers Banned?
Based on what the FCC has publicly stated, the White House convened an interagency executive body which determined that sufficient risks were present to place all foreign-produced routers on the Covered List. This was allegedly due to the fact that routers were the infrastructure that allowed the Volt, Flax, and Salt Typhoon cyberattacks. FCC Chair Brendan Carr shared a statement saying that this ban is an effort to protect cyberspace from attacks, along with critical US infrastructure and supply chains.
It is important to note that just two percent or so of consumer routers are compliant with the requirements this action places on networking hardware, and if it evolves to explicitly include business-grade devices, 91.2 percent would suddenly have their status called into question.
Hardware Shortages are Most Likely Imminent
As we mentioned, Texas-based Starlink is the only manufacturer inherently exempt from this measure, although Netgear has successfully obtained conditional approval for a variety of its products until October of 2027. TP-Link and Asus have also come out in support of a ban, being in a favorable position to shift their manufacturing processes to abide by these new restrictions and/or also secure conditional approval.
Even so, it will not be easy for these companies to shift their operations enough for compliance before the October 2027 expiration date for conditional approval.
How Does this Impact Businesses?
At the time of writing, this ban is still restricted to consumer-grade routers, but who knows how things will ultimately shake out… and even so, there will be some level of impact that comes back around to your business operations.
If the ban does extend to enterprise-grade routers, your business will need to adopt a compliant tool in order to operate. Even so, many businesses use “consumer-grade networking devices that are primarily intended for residential use and can be installed by the customer” for their connectivity needs, and will need to switch to a device not included on the Covered List. Plus, your team members may work remotely at times. If they do so by using an owned device from one of the following brands…
- Asus
- D-Link
- Eero
- Linksys
- Nest
- Razer
- Synology
…or a rental via their ISP from…
- Arcadyan
- Wistron
- Arris
- Technicolor
- Askey
- Sagemcom
- Humax
- Nokia
…they will soon have no choice but to obtain a compliant option, either purchasing it for themselves or renting a new device from their Internet service provider. Either way, they will likely be paying more, whether because scarcity increases prices in stores or to help the ISP offset its costs.
All Things Considered, Security Just Became Even More Important
While this ban appears to currently be limited to consumer-grade hardware, this in no way means your business can rest on its laurels. Cyberattacks across the board are likely going to get a lot worse as a result of these bans. After all, too few people keep their home infrastructure up-to-date as it is… what happens when routers are far more scarce and expensive to procure than they are now? That is without even mentioning that many businesses utilize consumer-grade hardware, despite needing the features that enterprise-grade options provide.
As a result, we recommend that all businesses commit to a few key protective measures:
- Switch to professional-grade hardware now. Even if this ban hadn’t put an expiration date on all consumer-grade routers, your business deserves to use the right hardware for its needs. Enterprise routers are more secure and more capable by design than their consumer-focused counterparts.
- Update your firmware. While your router is still usable, make sure you keep it fully patched and up-to-date. This minimizes the window an attacker has to successfully breach your IT.
- Maintain your credentials. Many devices, particularly networking hardware, come with default passwords set. You need to immediately change these passwords to sufficiently secure alternatives using complex passphrases.
- Enable encryption. Using a VPN (virtual private network) allows you to shield your business’ traffic from prying eyes, even if they manage to intercept it.
Want Help Dealing with Your Business IT? Reach Out!
As we move forward, hardware procurement will get more complicated before it ever gets easier. We can be there for you to help you manage your essential tech, ensuring you have what you need and can rely on it.
Find out more by reaching out at (270) 282-4926.