Since March, the US has banned domestically manufactured new router models for the consumer market. Because that would not work as is, there are exceptions. Some were granted so quickly that it is hard to imagine that the official requirements were met. Meanwhile, the Federal Communications Commission (FCC) is expanding the scope of the ban while creating new ambiguities.
At the heart of the US ban is a secret finding by unnamed US intelligence agencies that “consumer-grade routers” posed an unacceptable risk to the national security of the United States or the safety of US persons. A published summary refers to IT attacks that were carried out via routers – all via foreign routers, since by definition there are no domestic routers. Models that have already been approved can continue to be used and sold. Their software and firmware may only be updated until March 1st, and only for security or compatibility purposes.
The devil is in the details, and the FCC has left key questions unanswered. Last week the authority published answers to certain frequently asked questions (FAQ). In many cases it comes down to the nitty-gritty: What exactly is a “consumer-grade router” and what is not? After all, there is expressly no list.
Expansion to routers for SMEs
A small table in the 24th of the 25 FAQ answers surprises by stating that both “consumer” and “small and medium-sized business routers” are included. This is new and contradicts the answer to question 8, “How are routers defined?”. As before, the authority refers to security suggestions from the standards institute NIST (National Institute of Standards and Technology’s Internal Report 8425A), which refer to “consumer-grade networking devices that are primarily intended for residential use and can be installed by the customer”.
Such devices are also used by small companies, but “business routers” are something different from “consumer” routers that are also used by non-consumers. One would think.
At least the table makes it clear that cell phones with WiFi hotspots are not covered by the ban – but pure data modems for mobile communications are, be they stationary or mobile (for example with a WiFi hotspot). There is no apparent technical reason for this differentiation. Cable modems with routers are also subject to the ban, as are routers installed in households by the ISP or a professional. However, tiny mobile phone cells (femtocells), fiber optic terminals, and analog telephone adapters with an Ethernet socket are excluded.
What is recorded?
The author of the 25th question was probably desperately looking for a guideline: Is there a list of indicators, a test of all circumstances, or level-based criteria independent of NIST IR 8425A that determine whether a device is a “consumer-grade router”? Answer: “No.” The FCC again refers to NIST IR 8425A, this time to its Appendix C. This eliminates all clarity.
Appendix C mainly deals with how routers reach the market (spoiler: buy or rent!). Otherwise, it says little that is new when it states that “consumer-grade” devices can be found in households and that their primary purpose is for use there, not for “enterprise, industrial, etc.”, but that small businesses could also use consumer-grade devices. In addition, manufacturers of consumer-grade devices cannot assume that the user has expertise in the area of IT security or is able to take significant measures to secure the product.
References to four third-party documents follow: two from industry associations and one each from the Singapore regulatory authority and the German Federal Office for Information Security (BSI TR-03148). Of the four, only Singapore excludes routers rented from the Internet provider from the security proposals. The security suggestions from these four bodies play no role for the FCC or the exemptions.
