ROUTERS Act Takes a Narrow View on Cybersecurity

On Sept. 9, 2024, the U.S. House of Representatives passed the ROUTERS Act. This bill commissions a study of the potential national security risks posed by consumer routers, modems, and gateways.

So, what does this new bill mean for you? Follow us as we get into the weeds with the ROUTERS Act.

The Removing Our Unsecure Technologies to Ensure Reliability and Security Act—usually referred to by its catchy acronym, the ROUTERS Act, tasks the National Telecommunications and Information Administration with conducting a study of the potential national security risks posed by consumer routers, modems, and gateways related to four specific countries. These four “covered countries” are China, Iran, North Korea, and Russia. The bill targets devices that meet one of the following criteria:

• Designed by someone associated with a covered country
• Developed by someone associated with a covered country
• Manufactured by someone associated with a covered country
• Supplied by someone associated with a covered country

Since most of us don’t have a bunch of North Korean or Iranian gadgets kicking around our houses, it’s clear that the primary target of this investigation is more than likely Chinese manufacturing.

The bill requires that the study be completed and a report on its results be given to Congress by the Secretary of Commerce no later than one year from the date the bill is signed into law. It should be noted that, unlike many similar bills, the ROUTERS Act itself doesn’t place any restrictions on Chinese products or companies. It just orders a study of potential security vulnerabilities to be performed.

The ROUTERS Act passed the House with broad bipartisan support. It has now been passed to the Senate and referred to the Committee on Commerce, Science, and Transportation.

What the ROUTERS Act doesn’t do

The language in the ROUTERS Act is very broad, deliberately casting a wide net as to what pieces of equipment come under government oversight. At the same time, the bill is actually rather narrow in many ways, with considerable blind spots for what was pitched as a comprehensive cybersecurity bill.

Since this bill only commissions a study, it won’t actually prevent any network security threats, although the hope is that the study will enable better and more effective legislation in the future. There are, however, some gaps in the scope of the study itself, which are somewhat concerning. The bill doesn’t address the following:

• Enterprise-grade equipment
• The role of internet service providers (ISPs)
• The devices we use
• ALL routers, modems, and gateways

Even if we concede the premise of the bill, with its narrow focus on dangers posed by China (and the three other countries that are not noted for their electronics manufacturing capabilities), these are still significant omissions for a bill aimed at national security. There’s a lot more to networking technology than just the router sitting in your house.

The bill doesn’t address enterprise-grade equipment

It’s important to note the key word in the language of the ROUTERS Act: consumer. The bill targets home-bound routers, modems, and gateways you can purchase from any retailer or receive through an internet provider.

What the bill doesn’t address is enterprise- and business-grade networking equipment, which safeguards sensitive high-level information hackers can utilize to shut down utilities, drain bank accounts, and launch weapons. It also doesn’t address the equipment internet providers use within their networks, which sits between the internet and the consumer-grade equipment this bill specifically calls out.

Take Cisco, for example, a popular manufacturer of enterprise- and business-grade products and services. Along with NETGEAR, many of its routers were used as springboards to attack energy, transportation, and water facilities in early 2024.

According to a report by The Washington Post, these routers were mostly outdated units sitting in small offices. They weren’t receiving security updates due to age, leaving vulnerabilities unpatched and ripe for the picking. That’s exactly what the hacker group Volt Typhoon did to hide their international origins, use malware to steal employee login credentials and install back doors.

Needless to say, there’s more at stake hacking into a government or city facility than infiltrating a home network. Now, let’s take a look at the equipment supplied by internet providers.

The bill doesn’t address ISPs and the equipment they use

In October 2023, the Pumpkin Eclipse botnet bricked 600,000 DSL gateways used by one specific internet provider. The affected models were the ActionTec T3200s, ActionTec T3260s, and the Sagemcom F5380.

“When searching for exploits impacting these models in OpenCVE for ActionTec, none were listed for the two models in question, suggesting the threat actor likely either abused weak credentials or exploited an exposed administrative interface,” states a report from Black Lotus Labs. “An unknown zero-day flaw may have also been used as an attack vector.

While we can’t speak for all internet providers, we know some do not automatically upgrade consumer equipment until:

• The device reaches its end of life
• The device fails, or
• The subscriber asks for an upgrade

Based on the use of the word “consumer” in its wording, the ROUTERS Act does not aim to include ISP-supplied gateways, modems, and routers in its study.

If ISP-provided equipment is included in the study and vulnerabilities are discovered, the road to removing the hardware from customers’ homes will be a long one. ISP network-wide equipment changes are typically planned and carried out over several years.

However, home networking equipment is just part of the problem. The safest router, modem, and gateway on the planet won’t protect your sensitive banking data if the devices you use are full of security holes. That leads us to the next glaring omission of the ROUTERS Act.

The bill doesn’t even address the devices we use

Like computers, other devices like smartphones, tablets, game consoles, set-top boxes, smart TVs, and even IoT gadgets should have security updates enabled by default. But at some point, the security updates stop. For example, Apple supplies updates for up to seven years after an iPhone’s initial release. Samsung now provides the same seven-year update window for new Android phones, as does Google with its Pixel phones.

However, updates are optional because they’re not guaranteed to work as intended. The internet is full of complaints about how an update “bricked” a computer, phone, router, or some other device, meaning the update rendered the device useless and unfixable.

That’s typically not the case with corporate and business-level networks and devices. Updates are tested first and then distributed accordingly.

Support for Windows 10 ends in 2025

One looming concern is Microsoft’s set end-of-life date for Windows 10: Oct. 14, 2024. The problem is the newer version, Windows 11, has strict hardware requirements, so not every computer can update to Microsoft’s latest platform. This means consumers must:

• Buy a new computer
• Swap out the incompatible components or
• Hack the registry to bypass the upgrade restrictions

As of Aug. 24, 2024, Microsoft Windows is the most-used operating system globally. Consumers not willing to use any of the three solutions previously mentioned may choose to linger on Windows 10 indefinitely, causing a major security risk. Microsoft revealed the Extended Security Updates program for organizations in February, but it’s not meant to serve as a long-term solution. Microsoft has yet to announce a version of this program for consumers.

According to Statistica, 54% of the Windows-based PCs in use run Windows 10, followed by 31% with Windows 11. Surprisingly, 3% of all Windows machines still run Windows 7—less than 1% have Windows 8 and 8.1 installed. And while these Windows 7 and 8 machines may have security update subscriptions, what if they don’t? That’s a security risk for sure.

The bill doesn’t address ALL routers, modems, and gateways, either

Or does it?

As the bill states, the investigation targets a specific batch of “persons” or “entities” that are owned by, controlled by, or influenced by China, Iran, North Korea, and Russia. This seemingly rules out a great many local router, modem, and gateway manufacturers.

But even NETGEAR and other American-based manufacturers could fall under investigation because, technically, their products may not be manufactured on American soil. According to NETGEAR, China-based Shenzhen Gongjin Electronics Co., Ltd. manages one manufacturer in Vietnam, which builds some NETGEAR products. “Legacy” NETGEAR products are also built in China, according to the company.

And while the U.S. government is understandably wanting to crack down of foreign espionage and other nefarious activities, there’s more at stake to protecting national security than looking into a handful of router/modem/gateway manufacturers.

All vulnerabilities are a problem—period

On a consumer level, routers usually enable automatic firmware updates by default. If not, users are prompted to turn them on during setup. Equipment supplied by internet providers should be handled by them, not the customer. Updates to enterprise- and business-grade equipment are presumably tested before deployment (for stability reasons).

Unfortunately, a negative spin in the media, fueled by the current anti-China sentiment, focuses on Singapore-based TP-Link, which manufactures consumer and business-grade networking products. The company was founded in China, but its two headquarters reside in Singapore and the United States. However, two U.S. lawmakers have called for an investigation into the company over national security concerns.

We’re no stranger to the company either: We’ve been reviewing its home products for years. We reviewed the Archer AX21, which has been the target of several botnets due to a now-patched flaw, CVE-2023-1389. TP-Link’s router is still on the radar as botnets search for AX21 models that haven’t received the update.

Part of the current negative spin on TP-Link includes a list of 343 vulnerabilities recorded by the National Institute of Standards and Technology. What you won’t see in all the anti-Chinese rhetoric is NETGEAR’s list of 1,199 vulnerabilities or the 139 listed with Linksys, which are American companies.

But we’re not here to call out specific manufacturers, although we do name a few as examples. Holes in software will always be a thing, whether they’re in router firmware, network switches, the smartphones we use, or the latest Windows 11 laptop. Manufacturers aim to keep their products current up to a certain point, but it’s also the user’s responsibility to ensure they receive critical updates.

But what if devices have reached their end of life? There are no security fixes after that, and that’s where hackers like Volt Typhoon attack vulnerable networks.

Overall, the bill clearly targets specific “entities” that pose a national threat. But given how terrorist and hacker groups target any networking product, investigating a handful of manufacturers doesn’t make any sense when the entire industry, from the supply chain to the software developers to the distributors, is equally vulnerable.

Our final take on the ROUTERS Act

Make no mistake: The ROUTERS Act targets four specific foreign countries: China, Iran, North Korea, and Russia. However, the broader issue surrounding national security is more than just clamping down on a handful of router, modem, and gateway manufacturers. As we’ve laid out here, the entire networking devices market suffers from vulnerabilities, starting with the supply chain and working out to the devices we use.

Fixing that will take lots of time and lots of money, not to mention compliance from every manufacturer that supplies network and internet-connected devices to the U.S. market. The ROUTERS Act is a start, but it’s not clear it’s effectively targeting the problem.