| ▲ | WarOnPrivacy 12 hours ago |
| The FCC maintains a list of equipment and services (Covered List)
that have been determined to “pose an unacceptable risk to the
national security
Recently, malicious state and non-state sponsored cyber attackers
have increasingly leveraged the vulnerabilities in small and home
office routers produced abroad to carry out direct attacks against
American civilians in their homes.
Vulnerabilities have nothing to do with country of manufacture. They have always been due to manufacturers' crap security practices. Security experts have been trying to call attention to this problem for 2 decades.Manufacturers have never had to care about security because no Gov agency would ever mandate secure firmware. This includes the FCC which license their devices and the FTC who (until recently) had the direct mandate to protect consumers. Our most recent step backward was to gut those agencies of any ability to provide consumer oversight. All they they can do now is craft protectionist policies that favor campaign donors. The US has a bazillion devices with crap security because we set ourselves up for this. |
|
| ▲ | AnthonyMouse 11 hours ago | parent | next [-] |
| > Manufacturers have never had to care about security because no Gov agency would ever mandate secure firmware. The problem is that "secure firmware" is a relativistic statement. You ship something with no known bugs and then someone finds one. What you need is not a government mandate for infallibility, it's updates. But then vendors want to stop issuing them after 3 years, meanwhile many consumers will keep using the device for 15. And "require longer support" doesn't fix it because many of the vendors will go out of business. What you need is the ability for consumers to replace the firmware. That solves the problem in three ways. First, when the company goes out of business you can still put a supported third party firmware on the device. Second, you can do that immediately, because the open source firmwares have a better security record than the OEMs to begin with. And third, then the device is running a widely used open source firmware instead of a custom device-specific proprietary black box, which makes it easier for the government or anyone else who is so inclined to find vulnerabilities and patch them. |
| |
| ▲ | 0xbadcafebee 4 hours ago | parent | next [-] | | > What you need is not a government mandate for infallibility, it's updates So, we don't need an electrical code to enforce correct wiring. We just need a kind soul driving by our house to notice the company who built our house wired it up wrong. Then that kind person can inform the company of the bad wiring. And if the company agrees it's their wiring at fault, we can wait 3 months for a fix. Then the next month another kind soul finds more bad wiring. And we just have to hope there is an army of kind strangers out there checking every building built by every company. And hope in the meantime that the building doesn't burn down. Meanwhile, people have to live with bad wiring for years, that could have been completely prevented to begin with, by an electrician following the electrical code we all already agree on. | | |
| ▲ | inejge 3 hours ago | parent | next [-] | | > So, we don't need an electrical code to enforce correct wiring. For an analogy to work, its underlying elements should have a relation to the target. Your analogy is not in the same universe. For electrical work, there is a baseline of materials and practices which is known to produce acceptable results if adhered to. For software, there isn't. (Don't tell me about the Space Shuttle. Consumer software doesn't cost tens of millions and isn't written with dedicated teams over the decades.) | |
| ▲ | danaris 3 hours ago | parent | prev [-] | | I mean, if you could download an update that would fix the wiring in your house, it would be much less critical that the initial installer got it right. (Still much more important than your router, though; it doesn't stop being an electrocution hazard during the un-updated period.) Trying to make analogies from software to hardware will always fall down on that point. If you want to argue that there should be stricter security & correctness requirements for routers, maybe look more toward "here is how people actually treat them in practice" with regard to ignoring updates...? |
| |
| ▲ | thayne 8 hours ago | parent | prev | next [-] | | > What you need is the ability for consumers to replace the firmware. I don't think that's enough. Most people aren't going to replace the firmware on their device with an open source replacement made by someone else. Now if the firmware was required to be open source, and automatic updates could be seamlessly switched over to a non-profit or government agency in the event of the company going out of business, you might have something. But there would be a lot of details to work out. | |
| ▲ | samus 5 hours ago | parent | prev | next [-] | | > And "require longer support" doesn't fix it because many of the vendors will go out of business. Which is not a real issue in practice. It's like arguing that warranty doesn't matter because the vendor might go out of business. | | |
| ▲ | consp 3 hours ago | parent [-] | | It might also be illegal. Don't know about the US but forcing a bankruptcy to avoid regulations is usually frowned upon by the court system here. So putting a product in a child-dummycorp to go poof when you want and let the parent stay afloat usually puts the parent in the line of fire directly and you are screwed either way. |
| |
| ▲ | avadodin 2 hours ago | parent | prev | next [-] | | The government obviously cares less about citizens running firmware China can hack than it does about citizens potentially running firmware the government can't hack. | |
| ▲ | wmf 10 hours ago | parent | prev | next [-] | | The concept of community firmware seems like a huge cop-out that allows companies to externalize costs. And it probably won't help security because 99% of devices will never get the third-party firmware installed anyway. | | |
| ▲ | AnthonyMouse 10 hours ago | parent | next [-] | | If they were trying to save costs they would ship the community firmware on the device to begin with because then they wouldn't have to write and maintain their own. The community welcomes them to externalize those costs onto the people with better incentives to improve the software. What they're actually trying to do is obsolete the devices faster because then they won't add new protocols or other software-only features to older devices so you have to buy a new one, or only expose features in more expensive models that the less expensive hardware would also be capable of doing. Which is all the more reason for us to not have that. And if they were required to allow anyone to replace the firmware then you would get companies reflashing and selling them that way from the store because the free firmware has more advertisable features. There's a reason you can go to major PC OEMs and pick between Windows, Linux and "don't even install one" and the reason is that if you give customers a choice, they generally don't want their software to be made by the OEM. | |
| ▲ | sroussey 10 hours ago | parent | prev [-] | | It could be part of dissolution of the company to mandate community firmware. But it depends on their licenses… Anyhow, this is a common enough practice. Many companies that provide infrastructure type software and sell to Fortune 500 companies often have a clause whereby they deliver their software to their customers if the shut down. | | |
| ▲ | AnthonyMouse 10 hours ago | parent [-] | | We don't care about their licenses; that's their problem. If they need firmware with a license that allows them to redistribute it there are plenty of free ones to choose from. And you can't wait until after they're dead to have them do something. By then they're gone or judgment proof because they're already bankrupt. Especially when you're talking about companies that aren't in the jurisdiction because you can't even make them do anything when they're already not shipping products to you anymore. It has to be from Day 1. | | |
| ▲ | walterbell 9 hours ago | parent [-] | | > It has to be from Day 1. There was a promising design from Azure Sphere for 10 years of IoT device Linux security updates from Microsoft, even if the IoT vendor went out of business. This required a hardware design to isolate vendor userspace code from device security code, so they could be updated independently. Could be resurrected as open standard with FRAND licensing. | | |
| ▲ | AnthonyMouse 9 hours ago | parent [-] | | The main thing you need is for the lowest-level code to be open and replaceable/patchable because it's the only part which is actually specific to the device. Windows running on Core Boot is a better place to be than custom Linux running on opaque blob, because in the first case you can pretty easily get to newer Windows, vanilla Linux or anything else you want running on Core Boot after the original version of Windows goes out of support, and you can update Core Boot, whereas the latter often can't even get you to a newer version of Linux. | | |
| ▲ | walterbell 8 hours ago | parent [-] | | Modern coreboot depends on opaque blobs on CPU (FSP/ACM on Intel) and auxiliary processors (ME/PSP), but AMD is moving in the right direction with OpenSIL host firmware. Arm devices have their own share of firmware blobs. A decade of security updates for routers would require stable isolation between low-level device security and IoT vendor userspace. In Sphere, the business model for 10 years of paid updates was backed by hardware isolation. Anyone know why it didn't get market traction? There was a dev board, but no products shipped. |
|
|
|
|
| |
| ▲ | post-it an hour ago | parent | prev | next [-] | | Why not just put the onus on ISPs? 99% of users lease their router from their ISP. If updates stop after three years, looks like you're getting a complimentary service appointment to get a new router. | |
| ▲ | kelnos 5 hours ago | parent | prev | next [-] | | > But then vendors want to stop issuing them after 3 years Tough shit. You provide updates for the mandated amount of time, or you lose access to the market. No warnings, you're just done. > And "require longer support" doesn't fix it because many of the vendors will go out of business. Source code escrow plus a bond. The bond is set at a level where a third party can pay engineers to maintain the software and distribute updates for the remainder of the mandated support period. And as time passes with documented active support, the bond requirements for that device go down until the end of the support period. Requiring that the customer be allowed to replace the firmware is essential, I agree, but not for this reason. That requirement, by itself, just externalizes the support costs onto open source communities. Companies that sell this sort of hardware need to put up the resources, up front, irrevocably, to ensure the cost of software maintenance is covered for the entire period. Personally I don't buy consumer router hardware that I can't immediately flash OpenWRT on, but that option is not suitable for the general public. | | |
| ▲ | steve_gh 3 hours ago | parent [-] | | How does this help? 99% of the population aren't technically minded enough. Most people just buy a wifi router, plug it in (maybe having read the instructions) and that's it. They have neither the skills nor the inclination to update firmware. The real problem is: assuming that firmware can be updated, how do you run a nationwide update programme overcoming a population that doesn't really care or have the skills to do it. Vehicle safety standards (mandated annual safety checks like the UK MoT test) is the closest analogy I can think of - in the UK you can't insure your car without a valid MoT. If you were serious, then maybe tying ISP access to updated router firmware would be the way to go. | | |
| |
| ▲ | nobodyandproud 5 hours ago | parent | prev | next [-] | | That’s a technical solution to a business and incentives problem. How does one ensure the support for the devices is funded? | |
| ▲ | macintux 10 hours ago | parent | prev | next [-] | | > What you need is the ability for consumers to replace the firmware. > That solves the problem in three ways. That alleviates the problem, but definitely doesn't solve it. Updates are still required, and most people will never update devices they don't directly interact with. | | |
| ▲ | wmf 10 hours ago | parent [-] | | Auto-update obviously. | | |
| ▲ | macintux 10 hours ago | parent | next [-] | | Which introduces new security risks, but more importantly, the consumer has to configure the device to use open source firmware, and set up auto updates, unless the device is being auto updated by the device manufacturer and forces all of their customers to switch to the new firmware, which seems very unlikely. | |
| ▲ | kelnos 5 hours ago | parent | prev [-] | | How? The device phones home to the manufacturer's servers to get new updates. Manufacturer goes out of business, servers get shut down. How does it know where to get updates now? | | |
| ▲ | M95D 3 hours ago | parent [-] | | > Manufacturer goes out of business, servers get shut down. Continue your chain of reasoning: DNS name becomes unmaintained, gets grabbed by open source / foundation / gov agency, pushes open source firmware update. Same thing happens today with botnet C&C servers. |
|
|
| |
| ▲ | gerdesj 10 hours ago | parent | prev | next [-] | | "You ship something with no known bugs and then someone finds one." You managed to say that with a straight face! Let's keep this ... non partisan. You might recall that many vendors have decided to embed static creds in firmware and only bother patch them out when caught out. How on earth is embedded creds in any way: "no known bugs"? I think we are on the same side (absolutely) but please don't allow the buggers any credibility! | | |
| ▲ | AnthonyMouse 10 hours ago | parent [-] | | > How on earth is embedded creds in any way: "no known bugs"? You misunderstand how organizational knowledge works. You see, it doesn't. Some embeds the credentials, someone else ships the product. The first person doesn't even necessarily still work there at that point. Remember that time NASA sent a Mars orbiter to Mars and then immediately crashed it because some of them were using pounds and the others newtons? Literally rocket scientists. The best we know how to do here is to keep the incentives aligned so the people who suffer the consequences of something can do something about it. And in this case the people who suffer the consequences are the consumers, not the company that may have already ceased to exist, so we need to give the consumers a good way to fix it. |
| |
| ▲ | catlikesshrimp 10 hours ago | parent | prev | next [-] | | Somebody has to pay for the support. There is no free meal. Enterprise must be able to pay for support for as long as they use devices. Solved. I can only think of requiring the devices to be serviceable, as you say. The absolute only way I can think of charging the consumers, ie the owners, is to charge a tax on internet connections. Then the government would pay somehow vulnerability hunters working along patchers, who can oversee each other. Consumers are tricky: if you include support in the sale price, the company will grab the money and run in 3 or 5 years; and some companies will sell cheaper because they know they won't provide support. | | |
| ▲ | AnthonyMouse 10 hours ago | parent [-] | | > Somebody has to pay for the support. There is no free meal. The problem is not that people need a free meal. The problem is that people need the ability to eat some other food when the OEM's restaurant is closed or unsatisfactory. | | |
| ▲ | nobodyandproud 5 hours ago | parent | next [-] | | Who creates and regularly keeps the firmware for the dozens and dozens of router models secure and up-to-date? Who ensures the maintainers for these routers are incentivized to do this competently and in a timely fashion? You haven’t answered these key questions, which are equally or more important than whether a community firmware can be applied. | |
| ▲ | catlikesshrimp 7 hours ago | parent | prev [-] | | I mean, OEM would make the device upgradeable, government will pay independent bounty hunters and patchers and will push the updates. Then consumers pay for all that. |
|
| |
| ▲ | RobotToaster 9 hours ago | parent | prev [-] | | >The problem is that "secure firmware" is a relativistic statement. No it isn't, software formally verified to EAL7 is guaranteed to be secure. | | |
| ▲ | AnthonyMouse 9 hours ago | parent | next [-] | | I would like to introduce you to Spectre and Rowhammer. | | |
| ▲ | RobotToaster 9 hours ago | parent [-] | | Secure software won't protect you from insecure hardware, which also needs to be formally verified for a secure system. | | |
| ▲ | AnthonyMouse 9 hours ago | parent [-] | | > Secure software won't protect you from insecure hardware Then what's KPTI etc.? > which also needs to be formally verified for a secure system. Now we just need a correct and complete theory of quantum mechanics and to do something about that Heisenberg thing. In general formal proofs tell you if something is true given a stipulated set of assumptions. They don't tell you if one of the stipulated assumptions is wrong or can be caused to be wrong on purpose by doing something nobody had previously known to be possible. |
|
| |
| ▲ | crote 4 hours ago | parent | prev | next [-] | | Sure, you formally verified that the software confirms to the specification, but how are you going to prove that the specification is correct? | |
| ▲ | kelnos 5 hours ago | parent | prev [-] | | You're being sarcastic, right? The entire concept of "guaranteed to be secure" is a fantasy. Even EAL7 can't guarantee anything. It can only say that the tools used for verification didn't find anything wrong. I'm not saying the tools are garbage, but the tools were made by humans, and humans are fallible. |
|
|
|
| ▲ | pimterry 14 minutes ago | parent | prev | next [-] |
| > no Gov agency would ever mandate secure firmware Interestingly, Europe is about to try this: the Cyber Resilience Act is going to become obligatory for all sold digital products (hardware & software) by the end of 2027, with a bunch of strict minimum requirements: no hardcoded default passwords, must check for known vulnerabilities in components/dependencies, encryption for data at rest, automatic security updates by default (which must be separate from functionality updates), etc. Remains to be seen whether this'll help, but good to see somebody have a go at fixing this. |
|
| ▲ | orthogonal_cube 12 hours ago | parent | prev | next [-] |
| That’s the ironic part. Plenty of consumer-grade devices have had very lax security settings or backdoors baked in for purposes of “troubleshooting” and recovery assistance. It’s never been limited to foreign-made devices. Security has never been part of the review process. The only time any agency has really cared is when encryption is involved, and that’s just been the FBI wanting it to be neutered so they can have their own backdoors. |
|
| ▲ | rayiner 10 hours ago | parent | prev | next [-] |
| > This includes the FCC which license their devices The FCC licenses devices to the extent that devices can cause spurious transmissions in the radio spectrum. It’s not a general consumer protection agency. Computer security also is outside the mandate of the FTC, which exists to protect consumers from anticompetitive conduct and unfair business practices, not crappy products. |
| |
| ▲ | dlcarrier 8 hours ago | parent | next [-] | | I could see why someone might be confused in the Mayer of what the FCC can regulate, considering that it regulates the content of television and radio broadcasts and somehow regulates cable TV providers, despite the use of wired connections to customers, instead of radio transmissions. | | |
| ▲ | kelnos 5 hours ago | parent [-] | | Where in the Federal Communications Commission's governing legislation does it say that they're only allowed to regulate things sent through the airwaves? |
| |
| ▲ | rstat1 9 hours ago | parent | prev [-] | | So if a company uses as part of its marketing for a product the phrase "advanced security, privacy, and connectivity for homes of every shape and size" and then is later found to have lied about the "advanced security" and "privacy" part of their marketing by shipping firmware with security bugs, does that not now fall under the "deceptive" category of the "unfair, deceptive and fraudulent business practices" part of the FTC's mission? Sounds like it does to me. Also you're forgetting the part where the FTC under a prior administration either banned DLINK from selling in the US or heavily fined them for selling routers in the US that they knew were running insecure, buggy firmware. (both quotes were taken verbatim from first, Netgear's US website, and secondly the Bureau of Consumer Protections' section of the FTC's website) |
|
|
| ▲ | zobzu 8 hours ago | parent | prev | next [-] |
| I know it's the norm to criticize the admin, but I don't think its what they're saying. I think they're saying "they know of the vulns they leave in and only fix them after it's been exploited by their states". Not that any consumer router is super nice and safe, honestly, you're better off making your own these days. |
|
| ▲ | WhyNotHugo an hour ago | parent | prev | next [-] |
| I suppose foreign routers might not have convenient mechanisms for the government to access and control them at will, hence the "unacceptable risk to the national security". |
|
| ▲ | Glyptodon 8 hours ago | parent | prev | next [-] |
| IMO they should have a choice between open source that can be updated out of band from the manufacturer or assuming direct liability for issues for the product's life. |
|
| ▲ | longislandguido 11 hours ago | parent | prev | next [-] |
| > Vulnerabilities have nothing to do with country of manufacture. They have always been due to manufacturers' crap security practices. Sorry but this is merely a convenient excuse. Source: I have hard evidence of a Chinese IoT device where crap security practices were later leveraged by the same company to inject exploit code. It's called plausible deniability and it's foolish to tell me it's a coincidence. You're not going to convince me that a foreign state actor pressuring a company to include a backdoor wouldn't disguise it as a "whoopsie, our crap code lol" as opposed to adding in the open with a disclaimer on it. It's all closed source firmware. Even the GPL packages from most consumer router vendors are loaded with binary blobs. Tell me I should trust it. |
| |
| ▲ | gobins 11 hours ago | parent | next [-] | | Are you saying that other manufacturers don't do this? | | |
| ▲ | cjk 11 hours ago | parent | next [-] | | If US manufacturers (or manufacturers in allied countries) do this, legal avenues exist to hold those manufacturers accountable. Not so with China. (That is not to say that the FCC change will move the needle on the underlying issue of router security; as some of the ancestor comments have said, lax security practices are common industry-wide, irrespective of country of development/manufacture.) | | |
| ▲ | lmm 3 hours ago | parent | next [-] | | > legal avenues exist to hold those manufacturers accountable Maybe in theory. I think the practical chance of enforcing anything meaningful through those legal avenues against a US manufacturer is not meaningfully higher than the chance of doing so against a Chinese manufacturer, so it doesn't make sense to treat them differently on these grounds. | |
| ▲ | pyrale 6 hours ago | parent | prev | next [-] | | The Snowden leak showed that Cisco routers had been altered to enable surveillance [1]. Whether or not the manufacturer is complicit, or how the alteration is performed is ultimately irrelevant to the end user. Ultimately, the only people that got in legal trouble for this were Snowden and people who provided service to him. [1]: https://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa... | | |
| ▲ | b112 an hour ago | parent [-] | | Actually it's entirely relevant how, in the context of this conversation. Here, we're discussing product as shipped, not product intercepted and modified. We're discussing if products are shipped secure or not. The Snowden disclosures are important, but not relevant in this case. |
| |
| ▲ | mindslight 11 hours ago | parent | prev [-] | | > legal avenues exist to hold those manufacturers accountable Oh, sweet summer child. Disclaiming these possible avenues of liability is the main goal of clickwrap "terms of service". |
| |
| ▲ | longislandguido 11 hours ago | parent | prev [-] | | Are you asking me if I have the master list of naughty and nice router manufacturers? No, I don't have it but you may check with Santa Claus. |
| |
| ▲ | cowpig 11 hours ago | parent | prev | next [-] | | What was the company, and what did they inject? | | | |
| ▲ | mindslight 11 hours ago | parent | prev | next [-] | | And who hasn't seen American software companies where crap security practices are later leveraged by the same company to run exploits? It's of course always phrased in Orwellian terms of business practices, terms of service, "security", etc but we can still call a spade a spade. | |
| ▲ | hrmtst93837 2 hours ago | parent | prev [-] | | [dead] |
|
|
| ▲ | khana 11 hours ago | parent | prev [-] |
| [dead] |
