Re: FCC issues new rules about foreign made routers

[Jared Mauch via NANOG <nanog () lists nanog org>]

> On Mar 24, 2026, at 1:04 PM, John Levine via NANOG <nanog () lists nanog org> wrote:
>
> It appears that Saku Ytti via NANOG <nanog () lists nanog org> said:
> > Relevant URLs are
> >
> > https://docs.fcc.gov/public/attachments/DOC-420034A1.pdf
> > https://www.fcc.gov/supplychain/coveredlist
> >
> > 'Routers^ produced in a foreign country, except routers which have
> > been granted a Conditional Approval by DoW or DHS.'
> >
> > I wonder what 'Routers^' are 'produced' in the US, in such a way that
> > it meaningfully improves security posture.
>
> As far as I know, the answer is none.  There are plenty of routers designed in the
> US but they're all built offshore.  It would make sense to ask where the software is
> written, but they don't do that.
>
> The conditional approval procedure is absurd. It requires the vendor
> to commit to manufacture in the U.S.

I suspect this is why the waiver is really the method, at least for the foreseeable future.  Much of this is existing 
and predates the current administration for those of us who have been watching this space.  There’s quite a bit of 
problems out there with these embedded systems and how they are managed and maintained.  

The number of people who don’t want to upgrade firmware because of worries of new problems vs those who really should 
upgrade because the embedded solution is based on a very old and already exploitable software suite is quite large.  I 
discovered this during a lot of the research into open resolvers done quite some time ago.  The number of these 
embedded platforms that did something odd or were broken was quite big.

With the advancements in tools where you can take something like binwalk and a software image to find exploits by using 
an AI toolset, plus you get the really difficult to patch situations such as this:

https://arstechnica.com/security/2026/03/14000-routers-are-infected-by-malware-thats-highly-resistant-to-takedowns/

The likelihood that you can determine how to exploit something is really easy these days.

Just as many have been working on securing things like routing for years, the idea that these critical devices might 
need to have some sort of broader set of steps than “have vendor SDK, built and shipped image” is really a good thing.  

If you don’t know what tools/suites are under the covers, you may want to look closer at it.  Since so many devices run 
Linux, a variant of busy box, possibly dnsmasq and other items, you will become quite surprised when you look at the 
nested licenses (if there is proper transparency here).  These all periodically get updates which may address public or 
privately reported vulnerabilities which may be a reason to upgrade.

I’ll leave the rest as an exercise for those who primarily deal with the security lists/forums.

- Jared

_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/LV7JFALGNHNCN2ZJMWCO4B5X25IY5GUS/