US bans foreign-made consumer routers over cybersecurity concerns | Fox Business
The FCC is looking to ban foreign made routers over security concerns. The OpenWRT One as far as I am aware is ONLY made in China that I could find.
Is this router going to be subject to this ban?
I think the only concern from a security stand point is if third parties add hidden code in various processors or coprocessors on the router electronics that would be independent of the router firmware that is opensource.
No, the OpenWrt One is not part of this ban.
Very simply: all existing routers that have already been approved by the FCC and are available for sale prior to this action are not subject to the ban.
This action affects all devices that are not currently certified. So all new products in this category will be subject to the ban and thus may not be made available in the US market.
That said, my use of the term "this category" is intentional as there is still a lot that is not known about exactly how the government will determine a product's classification. Specifically, it calls out consumer routers, but nobody knows if that will also apply to other things. For example -- APs or wifi extenders that are not built as routers. Or business grade devices that are also used by home users (think Unifi and TP-Link Omada as examples). And of course there is an 'exemption' process that will surely affect what companies are able to sell new devices in the US market, among many other unanswered/unsettled questions.
Even for existing FCC certified routers there is reason for concerns, as the fine print stipulates that firmware upgrades adding (any) features would void the existing certification.
True... but as long as the hardware ships with the certified firmware from Banana Pi's factory, theoretically firmware available from other sources (OpenWrt) and not on Banana Pi's website, it should hopefully be in the clear.
In the infinite wisdom of governmental regulation, though... "let's keep routers secure by not allowing firmware updates that are necessary to keep routers secure."
Prior to March 1, 2027, the OET will re-evaluate whether to further extend applicability.
March 2027 would be decertification day if they don't extend it. Not only would firmware updates by illegal, so would just operating them. US users would have to toss their hardware. FCC has the authority to kick in doors to seize illegal hardware; DHS has the authority to seize domains of those that host illegal US-only firmware.
FCC announcement gives further definition for router, through linked documents:
https://docs.fcc.gov/public/attachments/DOC-420034A1.pdf
"Covered list":
https://www.fcc.gov/supplychain/coveredlist
...inclusion of routers, we incorporate the definitions included in the associated National Security Determination
The "router" definition in the referenced NSD document:
https://www.fcc.gov/sites/default/files/NSD-Routers0326.pdf
Routers: For the purpose of this determination, the term “Routers” is defined by National Institute of Science and Technology’s Internal Report 8425A to include consumer-grade networking devices that are primarily intended for residential use and can be installed by the customer. Routers forward data packets, most commonly Internet Protocol (IP) packets, between networked systems.
Seems to cover pretty much all devices that forward packets in networks. To me sounds like routers, APs, extenders, switches, whatever...
Edit:
FCC's FAQ that aim to clarify some topics: https://www.fcc.gov/faqs-recent-updates-fcc-covered-list-regarding-routers-produced-foreign-countries
The funny part is that the U S government itself is not restricted ...
Does this affect government purchases or use of routers?
No, the Covered List does not restrict the import or sale of routers for the exclusive use by the federal government
The coverage I’ve been seeing on this has expressed that the definition is still very much up for interpretation insofar as what counts as a ”consumer” device (for example, an MT6000 surely is, but what about a U6+ or a UDM-Pro?) and if a switch or ap that doesn’t route (but rather “forwards”) packets is also subject to the ban on “routers”.
Ultimately, nobody really knows for sure right now. But one thing is for sure - it is going to cause chaos.
Might mean more cheap routers for us Europeans, if the US market is closed.
The catch-22 I am concerned about. I do suspect though that having open source firmware AND a community support group that ensures absolute security would allow some carved exemption for openWRT.
With the design of the OpenWRT Once the firmware is a known and easily investigated quantity. The only concern is hardware and whether or not that hardware itself has hidden processor code existing outside of flashed hardware. Compromised hardware with hardwired backdoors existing outside of firmware is the real concern.
Though on the flip side is the whole argument about ensuring only our government has back doors known into things.
Otherwise everyone's sentiments confirmed most of what I suspected. Thanks for the contributions everyone.
Our government's love of paperwork.
So it looks like as long as OpenWRT keeps up with the paperwork process things will be fine.
And given the open source nature of things I suspect there is going to be a bigger enforcement stick we will have to have help with as since it is open source, everyone takes the code and adds a customized version to their hardware.
This will make the recertification route with new firmware versions may force a review process by the originating repository maintainers. It is not really known how going forward firmware updates will be certified and approved by the FCC if the code is in violation of licensing agreements of the code base that was used.
It's quite safe to assume that OpenWrt will NOT even try to attempt keeping up with the paperwork. Requirements include a quite hard commitment to manufacture in the US - at least in the future (to be renewed/ 'checked' every 18 months), that requirement is not even close to being met (not merely the assembly, also the firmware development and down to all the chips (last I checked, Mediatek doesn't meet that requirement) and other components). No router manufacturer can make that commitment with a straight face now, or within a 5-10 year time frame, sure there will be some bribing their way out of it, but I don't think OpenWrt can or even wants to test that approach (the legal implications and the money involved would be beyond stupid).
Disclaimer: not wearing any hats, not being involved in the design/ decision making in any way, shape or form - just applying common sense.
BTW - there's a main thread:
You would need someone on the other side willing to carve out such an exemption... I have too little insight into this to even make a wild guess...
I would recommend reading Thompson's "Reflections on trusting trust"... before declaring hardware to be the only challenge.
The USA will be back soon to Typewriters
I bet reimplementing typewriter production process will be more expensive than making routers out of stock parts because it requires machinery. And machinery comes from Germany...
... speaking of Germany. When I worked with Germans they tought me magic approach called "umetikettierung". Was used by them in urgent situations. Now the whole market is in dire state. You buy butter it says "Made in New Zealand" you make fatty acids analysis and turns out to be half vegetable origin. You buy natural gas from America but it turns out to be from Russia. Same story about chips 
Don’t worry about the OpenWrt One. You will never be able to get your hands on one anyway. I have bin trying to get one in the UK since the first email on the email list about them years ago. I just gave up in the end. When no one from openwrt could tell me how to get one apart from Chinese website and having to pay through the nose in inport taxs. So just forget about it.
Well, you could order one from Amazon. Yes, it will still be delivered from China and i’m not sure if Amazon handles all the taxes. Not to ignore, it became quite expensive in the last weeks...
If I understand correctly, existing FCC certified routers need to be re-evaluated frequently AND any firmware upgrades adding (any) features requires re-certification? Is this really achievable for this project?
Amazon in UK?
Thanks. When I was looking you could not get them from amazon.co.uk.