FCC Blocks New Offshore Routes Over Supply Chain and Cyber Risk Concerns
The US Federal Communications Commission (FCC) said Monday it is banning the import of new consumer routers, made in foreign countries, posing “unacceptable” risks to cyber and national security.
The action is designed to protect Americans and the basic communications networks the country relies on, FCC Chairman Brendan Carr said in a post X. The development means that new models of routers manufactured in other countries will no longer be eligible for marketing or sale in the US The move comes after a national security decision issued by the Executive Branch Agencies, Carr added.
To that end, all consumer-grade routers manufactured in foreign countries have been added to the Covered List, unless they have been granted Conditional Authorization by the Department of War (DoW) or the Department of Homeland Security (DHS) after determining that they do not pose any risks.
As of writing, the approved list includes only drone systems and software-defined radios (SDRs) from SiFly Aviation, Mobilicom, ScoutDI, and Verge Aero. Manufacturers of consumer-grade routers can submit a Conditional Approval request. According to BBC News, Starlink Wi-Fi routers are exempt from the policy, as they are made in the US state of Texas.
“The Executive Branch decision noted that foreign-made routers (1) present a ‘supply chain risk that could disrupt the US economy, critical infrastructure, and national security’ and (2) pose a ‘significant cyber security risk that could be used to rapidly and severely disrupt US critical infrastructure and directly harm US citizens,'” the FCC said.
The agency said state-sponsored and non-state-sponsored threat actors have exploited security flaws in small office and home routers to infiltrate American homes, disrupt networks, facilitate cyber espionage, and allow the theft of intellectual property. In addition, these devices can be assembled into large networks for the purpose of password spraying and unauthorized network access, as well as acting as espionage proxies.
China-nexus adversaries such as Volt Typhoon, Flax Typhoon, and Salt Typhoon have also been identified as active botnets that include foreign-made routers to conduct cyber attacks on critical American communications, energy, transportation, and water infrastructure.
“In the Salt Storm attack, state-sponsored cyber actors used compromised and foreign-produced routers to jump to embed and gain long-term access to certain networks and redirect them to others based on their objectives,” according to the National Security Determination (NSD).
Also highlighted by the US government is a botnet called CovertNetwork-1658 (also known as Quad7), which has been used to orchestrate highly evasive password spraying attacks. The operation is being evaluated as the operation of a Chinese threat actor tracked as Storm-0940.
It is worth noting that the update to the Covered List does not affect the customer’s continued use of routers that have already been purchased. It also does not affect retailers, who can continue to sell, import, or route-market models that have previously been approved through the FCC’s equipment approval process.
“Unsecured and foreign-made routers are the main targets of attackers and have been used in several recent cyber attacks to allow hackers to gain access to networks and use them as launching pads to compromise critical infrastructure,” NSD said. “The damage inflicted on American networks and critical infrastructure from foreign-made routers is unacceptable.”
Routers have been a beneficial target for cyber attacks, as they serve as the primary access point to the internet. Vulnerable routers can allow malicious actors to perform network surveillance, exfiltrate data, and deliver malware to victims. In 2014, journalist Glenn Greenwald alleged in his book No Place to Hide how the US National Security Agency (NSA) intercepts routers before US manufacturers ship them out for back doors.
