Home routers targeted again/still

Dang it, thanks for reminding me I need to remove the r7000 from work that was part of some testing. Can't believe it's like 8 years old.
Yeah, those things had pretty good specs when they were first released in 2014 (1GHz dual core CPU, 256MB RAM, gigabit ports), which made them a very popular choice for installing third party firmware. I first bought a refurb one for cheap in 2018, ran it 24x7x365 for 5+ years, and when it finally took a dump I replaced it with another refurb one. With Fresh Tomato, it was one of my favorite home routers of all time.

And Fresh Tomato is still actively being developed/updated. Latest release is 2/15/2026.

An "Advisory" = "BAN". This didn't age well.
What else are they going to Ban next? :rolleyes:

From the video source:
"The ban does nothing to protect old routers from malicious firmware, and older routers are already where the most exploited security holes are found."

 
In reality, there is no ban on anything. What has actually happened is that the FCC has changed the requirements for granting licenses for a class of radio communications devices. There have always been requirements and restrictions on these devices, BTW.
That restriction will be very wide, apparently, with only US-made devices getting "Approved". This is a more extreme change that essentially "Bans" other COOs.
 
An "Advisory" = "BAN". This didn't age well.
What else are they going to Ban next? :rolleyes:

From the video source:
"The ban does nothing to protect old routers from malicious firmware, and older routers are already where the most exploited security holes are found."


As I posted in the other thread, this doesn't address the underlying issue with cheap consumer-grade edge or even IoT devices, which is the lack of QC on their firmware and the absence of a requirement for them to address security vulnerabilities in a timely manner, for the useful life (not the sale life) of the product.

This seems to try to address the future proliferation of potentially Chinese-sourced devices with backdoored firmware, while ignoring that the main issue, currently, is abandoned and highly vulnerable firmware on millions of consumer devices from companies all over the world. Until these devices are retired/replaced, this is basically closing the gate after the horse already bolted.
 
As I posted in the other thread, this doesn't address the underlying issue with cheap consumer-grade edge or even IoT devices, which is the lack of QC on their firmware and the absence of a requirement for them to address security vulnerabilities in a timely manner, for the useful life (not the sale life) of the product.

This seems to try to address the future proliferation of potentially Chinese-sourced devices with backdoored firmware, while ignoring that the main issue, currently, is abandoned and highly vulnerable firmware on millions of consumer devices from companies all over the world. Until these devices are retired/replaced, this is basically closing the gate after the horse already bolted.
If an old router has reached the company's EOL, it is time to get a new one. I don't like it just as much as you don't like it, but that's the world we live in. Companies & shareholders decide what is profitable. Consumer devices such as laptops & cellphones are getting better (longer firmware update lifespan), but who's going to force these companies to update their old devices or routers? I don't see it happening, so the next logical step is to get something new with potentially better firmware protections & updates. Not to limit those choices.

Blocking all new routers is not the answer. Manufacturing in the US on electronics has been a worldwide participation. No way we can shut the gate for long.
 
If an old router has reached the company's EOL, it is time to get a new one. I don't like it just as much as you don't like it, but that's the world we live in. Companies & shareholders decide what is profitable.
A few points:
1. "EOL" has no standard definition. For a Temu "Gerberlink" bought today, that could be next week, while for a Unifi device, it could be a decade. This is why there needs to be some sort of standard created for this, because "what is profitable" clearly isn't delivering what's necessary.

2. The liability, as we are discovering, of having these old, vulnerable pieces of hardware on the internet is massive. You aren't going to be able to force Joe Homeowner to accept that his 3-year-old Douche-Link from Dollartree needs to be replaced because the new Giga-douche 6000 is out, so I think the appropriate solution is to force the companies to provide timely updates to address any known CVEs within a defined period for what is determined as a standard for "useful life", which I think 10 years is probably appropriate.

This sounds worse/more complicated than it is. Most of these devices are just running customized versions of busybox with their own GUI/branding; there isn't a lot of effort put into the development. A long-term lifecycle requirement for firmware support would force them to standardize across products, which means better, more tested firmware on everything they produce, very similar to how Apple does iOS or Cisco does their IOS, or how Unifi does their firmware.

While perhaps painful for these companies at first, the end result is better for everyone.
Consumer devices such as laptops & cellphones are getting better (longer firmware update lifespan), but who's going to force these companies to update their old devices or routers? I don't see it happening, so the next logical step is to get something new with potentially better firmware protections & updates. Not to limit those choices.
But if the new devices have the same problem (and they will) then nothing is being addressed. We actually need some sort of well defined regulation as I've described above.
Blocking all new routers is not the answer. Manufacturing in the US on electronics has been a worldwide participation. No way we can shut the gate for long.
I agree, and it doesn't solve the problem. While it might prevent the proliferation of backdoored devices from foreign nation-state sponsored actors, it completely fails to address the issue of CVEs present in the millions of devices already in the wild, and the lack of robust and long-term support for firmware on devices of Western origin, which have the same problem as the Asian ones.
 
A few points:
1. "EOL" has no standard definition. For a Temu "Gerberlink" bought today, that could be next week, while for a Unifi device, it could be a decade. This is why there needs to be some sort of standard created for this, because "what is profitable" clearly isn't delivering what's necessary.

2. The liability, as we are discovering, of having these old, vulnerable pieces of hardware on the internet is massive. You aren't going to be able to force Joe Homeowner to accept that his 3-year-old Douche-Link from Dollartree needs to be replaced because the new Giga-douche 6000 is out, so I think the appropriate solution is to force the companies to provide timely updates to address any known CVEs within a defined period for what is determined as a standard for "useful life", which I think 10 years is probably appropriate.

This sounds worse/more complicated than it is. Most of these devices are just running customized versions of busybox with their own GUI/branding; there isn't a lot of effort put into the development. A long-term lifecycle requirement for firmware support would force them to standardize across products, which means better, more tested firmware on everything they produce, very similar to how Apple does iOS or Cisco does their IOS, or how Unifi does their firmware.

While perhaps painful for these companies at first, the end result is better for everyone.

But if the new devices have the same problem (and they will) then nothing is being addressed. We actually need some sort of well defined regulation as I've described above.

I agree, and it doesn't solve the problem. While it might prevent the proliferation of backdoored devices from foreign nation-state sponsored actors, it completely fails to address the issue of CVEs present in the millions of devices already in the wild, and the lack of robust and long-term support for firmware on devices of Western origin, which have the same problem as the Asian ones.
Yes, you're right. That would be a good direction if they all had to comply with a standard "life cycle". Unfortunately, like you said, it won't make Billy from down south replace his 3 yr old rooter...lol. True lifespan can depend on how good the electricity is to your house, for example. What about hardware limitations...especially the cheaper IoT you might be talking about? I still don't think it would satisfy these issues fully. All of this hacking, spying, spoofing; it's no wonder some don't want to give up writing paper checks...ha!
 
Yes, you're right. That would be a good direction if they all had to comply with a standard "life cycle". Unfortunately, like you said, it won't make Billy from down south replace his 3 yr old rooter...lol. True lifespan can depend on how good the electricity is to your house, for example. What about hardware limitations...especially the cheaper IoT you might be talking about? I still don't think it would satisfy these issues fully. All of this hacking, spying, spoofing; it's no wonder some don't want to give up writing paper checks...ha!
I think Apple does a pretty good job showing what this would look like. An iPhone 7, for example, won't get any of the newest iOS releases, but it runs iOS, and they back-port all the security patches to the older releases, for the old hardware.

I don't think we'll ever get full mitigation, somebody is still going to Alibaba themselves something that might skirt these requirements, but it would address the vast majority of them and that might be "good enough".

One ISP up here, Cogeco, does a pretty decent job (for the most part, there are sometimes false positives) tracking exploit activity and cutting people's internet off if they believe a device is compromised. That would probably be sufficient to get these "loose ends" if the other policy we discussed was put in place.
 
That restriction will be very wide, apparently, with only US-made devices getting "Approved". This is a more extreme change that essentially "Bans" other COOs.
I'm sure Broadcom and Qualcomm would be very upset about this.

EOL is just a marketing term. Windows 10 is EOL, Linux of some older version is EOL, your out-of-warranty Corolla is EOL, your diploma from 30 years ago is also EOL compared to what is being taught today.

So, what does that mean when it is all EOL? Who can tell me what I can use and what I cannot use just because they stopped developing new firmware for my router? US companies are just as bad at stopping support for older hardware.

Maybe they should mandate all firmware source code to be open sourced so everyone else in the world can patch them? That should teach those manufacturers a lesson on abandoning things. Maybe they should be forced to buy back things that are still functional but end of life if security issues occur so they stop making such careless mistakes instead of trying to sell you new things and force you to pay?
 
I'm sure Broadcom and Qualcomm would be very upset about this.

EOL is just a marketing term. Windows 10 is EOL, Linux of some older version is EOL, your out-of-warranty Corolla is EOL, your diploma from 30 years ago is also EOL compared to what is being taught today.

So, what does that mean when it is all EOL? Who can tell me what I can use and what I cannot use just because they stopped developing new firmware for my router? US companies are just as bad at stopping support for older hardware.

Maybe they should mandate all firmware source code to be open sourced so everyone else in the world can patch them? That should teach those manufacturers a lesson on abandoning things. Maybe they should be forced to buy back things that are still functional but end of life if security issues occur so they stop making such careless mistakes instead of trying to sell you new things and force you to pay?

Hmmmmm.......
Open Source would certainly be the best way to ensure no hacks.....but then.....nosey govt agencies couldn't get in.
Is that even in the realm of possibility? We all know they snoop on our phones, right?
 
That restriction will be very wide, apparently, with only US-made devices getting "Approved". This is a more extreme change that essentially "Bans" other COOs.
Right now that means every router sold in the USA will be banned except Starlink.
So all the makers are on equal footing to build factories here. Also, all currently approved models can still be made overseas. So they have years to plan production here. Home routers now far exceed the performance that a household can use.

TP Link has already started to plan and implement USA production. I am sure all the other major brands have too. I do wonder if traditionally known USA router companies will stay in the home router business. Meaning, for the companies without massive deep pockets like TP Link, will it be worth it to them to continue to compete? Heck, I don't even know who is left as far as US based except TP Link and Netgear? It will be interesting to see what unfolds; however, the "public" won't notice much of anything, except maybe higher prices, still years away though.
 
Hmmmmm.......
Open Source would certainly be the best way to ensure no hacks.....but then.....nosey govt agencies couldn't get in.
Is that even in the realm of possibility? We all know they snoop on our phones, right?
This software (home router software) is already open source; it's almost exclusively based on busybox. That isn't the issue here. The issue is the "abandonware" nature of IoT devices sold to home users. The purpose of disclosing CVEs is so they get addressed, but that doesn't happen in the majority of instances with consumer-grade gear because there's no obligation by the OEM to patch those CVEs once the product is in the wild and they are discovered.
 
Hmmmmm.......
Open Source would certainly be the best way to ensure no hacks.....but then.....nosey govt agencies couldn't get in.
Is that even in the realm of possibility? We all know they snoop on our phones, right?
They would force the seller to install open source firmware in US or something like that.

Or install a backdoor for the US gov to sell it in the US, because they will say open source is insecure or something like that unless you let the law enforcement in.
 
Right now that means every router sold in the USA will be banned except Starlink.
So all the makers are on equal footing to build factories here. Also, all currently approved models can still be made overseas. So they have years to plan production here. Home routers now far exceed the performance that a household can use.

TP Link has already started to plan and implement USA production. I am sure all the other major brands have too. I do wonder if traditionally known USA router companies will stay in the home router business. Meaning, for the companies without massive deep pockets like TP Link, will it be worth it to them to continue to compete? Heck, I don't even know who is left as far as US based except TP Link and Netgear? It will be interesting to see what unfolds; however, the "public" won't notice much of anything, except maybe higher prices, still years away though.
This software (home router software) is already open source; it's almost exclusively based on busybox. That isn't the issue here. The issue is the "abandonware" nature of IoT devices sold to home users. The purpose of disclosing CVEs is so they get addressed, but that doesn't happen in the majority of instances with consumer-grade gear because there's no obligation by the OEM to patch those CVEs once the product is in the wild and they are discovered.

It is a way to make money for router rental from Comcast, or a way for firmware to be loaded during connection time from the host like cable modems.

I'm going to bet that people will just be ordering a "development kit" in the future and then downloading open source firmware to bypass this stupid thing, or renting from Comcast for $8 a month for no reason.

You own nothing and you will be happy.
 
It is a way to make money for router rental from Comcast, or a way for firmware to be loaded during connection time from the host like cable modems.

I'm going to bet that people will just be ordering a "development kit" in the future and then downloading open source firmware to bypass this stupid thing, or renting from Comcast for $8 a month for no reason.

You own nothing and you will be happy.
I worked with thousands of homeowners and some small businesses with their Wi-Fi and router problems connecting to our equipment.

They are not like people in these types of forums; many of you guys have far greater knowledge than me (and I was a troubleshooter for my company when other techs couldn't figure something out).

The typical homeowner has absolutely no clue about modems, routers, and even the apps on their own cell phones. Holy crap, sometimes trying to hook our cameras and security system up to their cell phone was a freaking nightmare. There was so much garbage and malware running on their phones that the phone was so slow it would not even run our apps; I would have to spend a half hour or 45 minutes deleting the crap.

Same with the routers, buried under tons of garbage in their closets or in cabinets and under cabinets, wires hanging all over, antennas all over the place. I am not exaggerating. Many times hooking up the equipment was a freaking nightmare too.

The typical homeowner has no clue what is going on in their house and they certainly are not capable of doing or configuring or downloading anything regarding routers.

I stress not the people in forums like this but the typical homeowner could care less about any of this as long as they can connect to the Internet.
It's why Internet providers bump people's speed at higher cost: the typical homeowner is not even capable of using it, and even if they have it, their home Wi-Fi setup is so messed up they would not get the full speed anyway. Win-win in profits for the Internet provider.

It was a dream come true, working in a business or homeowners home who understood their network like many people in this forum.
You would know right away that you weren't gonna get bogged down with an open can of worms trying to finish the job that you were sent there for.

This post is written out of memories of the frustrations before I retired🤣🤣🤣🤣🤣
 
Yes. Those "typical" home users are probably better off just renting the ISP's equipment, like paying $5 a month for iCloud backup and photo backups.

It is just that "forcing" people on what not to buy and mixing it with politics is no good.
 
It is just that "forcing" people on what not to buy and mixing it with politics is no good.
I mean, typical for government, as I've mentioned previously, they are off the mark. The real issue isn't COO of the hardware; it's the complete lack of regulation of the software. They are allowed to ship absolute garbage on devices that are going to be connecting to the internet, and this is what gets exploited. And it's made worse by the fact that there's no obligation to patch vulnerabilities/address CVEs, either in the shipping firmware or post-sale.

The appropriate course of action wouldn't have been to go after COO, but to regulate the software of anything IoT, enforcing a minimum support period of say 10 years for firmware, and requiring that CVEs be addressed in a reasonable timeframe, like say 2 weeks or something. This will force software standardization across devices (like Unifi does, Cisco does, Juniper does...etc.) to reduce the maintenance surface, which will ultimately lead to better code and more stable products.
 