[hmaxwell]

I'm curious about the policy rationale behind banning router imports. If a government were considering legislation like that, what would the primary concern usually be? Given that so much internet traffic is now protected by TLS/SSL and other encryption, why would it still matter if citizens were using routers that might be backdoored?

Is the concern mainly things like botnets and DDoS activity, weak default credentials on network equipment, or compromised business networks where poorly secured routers or attached NAS devices could expose sensitive or proprietary data? In other words, is the concern less about decrypting traffic and more about using the router as a foothold for surveillance, disruption, or access to poorly secured internal systems?

[nathas]

It's everything you mention in the second paragraph, and additionally just the ability to turn them off.

Imagine everyone had their routers disabled simultaneously. I don't know if the cell networks could function with the surge in standard traffic that would happen, and then you've effectively plunged all or part of the country into a communication blackout.

I think "turn it off permanently by bricking it" is almost as bad as "leverage for DDoS".

I worked on Bot Mitigation at Amazon, and we once saw a ton of traffic that was heavily distributed amongst consumer devices world-wide, but surprisingly in the US too. We suspected compromised routers that were using the home page as a health check. There was a lot of investigation I did, and the short realization after talking with the network engineers is that the amount of traffic, and distribution of sources, would be impossible to stop. There merely isn't enough bandwidth in the world to stop so many residential device if it hits a specific target. To be clear, this was coming from less than half of active Amazon customers, not everyone in the US.

Anyway, it wasn't routers, but it was a consumer device, and it wasn't nefarious, it was incompetence (in code), as usual.

[gruez]

>Imagine everyone had their routers disabled simultaneously. I don't know if the cell networks could function with the surge in standard traffic that would happen, and then you've effectively plunged all or part of the country into a communication blackout.

IME cell networks definitely can't cope with a loss of all routers in an area, given how mobile data becomes basically unusable when there's a power outage. That said, "everyone had their routers disabled" is probably not realistic, given that there are plenty of non-chinese router vendors.

[progmetaldev]

Isn't the issue that a lot of these devices have vulnerabilities and aren't updated often enough, rather than the device being of Chinese origin? You look at hardware for the home market, and most haven't received an update in years, if not a decade. Widely deployed hardware with out of date software seems like it's just a script to crawl home IP address spaces, like a Metasploit module, no?

Maybe I'm misunderstanding the link to Chinese vs. non-Chinese router vendors?

[topspin]

Among policy and security people, the term they bandy about is Advanced Persistent Threat (APT). They're not wrong; there are a number of recent cases, and these are ongoing, and you've heard of some of them: Volt, Flax and Salt Typhoon and Velvet Ant. There are more you haven't heard about, because only the operators know they exist.

These are networks of controlled devices. They're hard to eradicate, as shown by the fact that they haven't been eradicated: they're still active and being used to compromise systems, including defense and intelligence systems, power systems, financial systems, identity systems, etc.

Is banning foreign gear going to fix this? No. Security isn't a product. It is, however, a process, and in a process you take steps. I think this: we (individuals and institutions) enjoy tremendous liberty in the use of communications equipment in the US and most of the West. Taking that for granted is a mistake. If part of keeping this means the US has to spin up a domestic supply of network gear, or carefully modulate where such gear comes from, then lets do that. Otherwise, The Powers That Be will leverage its concerns into far worse steps.

[supertrope]

The FCC Chairman is sucking up to the President.

If this were really about computer security they would follow California’s example of requiring unique passwords. Maybe make manufacturers liable for not patching known remote exploitable security vulnerabilities. It doesn’t matter if the source of a DDoS is a Huawei box or a Netgear box.

[ImJamal]

There are a few reasons

- Access to data (dns/ips, domain names (if not using ESNI), amount of traffic, etc) of sites you are visiting

- Access to the inside of your network where it can attack machines that may not be secure

- DDoS

- The ability to shut down your internet

I'm sure there are more.

[jen20]

> is the concern less about decrypting traffic and more about using the router as a foothold for surveillance, disruption, or access to poorly secured internal systems?

That should probably be the technical concern. Even if you have traffic protected by TLS, you still typically have enough metadata to cause some problems for users individually, but the assumption that foreign equipment is back-doored by some security service or other is probably safe.

[x0x0]

The policy rationale is the Trump admin takes bribes to permit router imports. No different than how various companies won tariff exemptions.

[leptons]

That, and like drones, maybe one of his kids starts up a router company which becomes the sole company allowed to sell routers in the US.

[hedora]

And, like news networks, maybe the router companies are forced to let him hire a censor (they like to call them ombudsmen) so the white house can real-time block inconvenient traffic.