skip to main content

ROUTERS Act Takes a Narrow View on Cybersecurity

The bill doesn’t fully address issues in the networking industry

On Sept. 9, 2024, the U.S. House of Representatives passed the ROUTERS Act. This bill commissions a study of the potential national security risks posed by consumer routers, modems, and gateways.

So, what does this new bill mean for you? Follow us as we get into the weeds with the ROUTERS Act.

What is the ROUTERS Act?

The Removing Our Unsecure Technologies to Ensure Reliability and Security Act—usually referred to by its catchy acronym, the ROUTERS Act, tasks the National Telecommunications and Information Administration with conducting a study of the potential national security risks posed by consumer routers, modems, and gateways related to four specific countries. These four “covered countries” are China, Iran, North Korea, and Russia. The bill targets devices that meet one of the following criteria:

  • Designed by someone associated with a covered country
  • Developed by someone associated with a covered country
  • Manufactured by someone associated with a covered country
  • Supplied by someone associated with a covered country

Since most of us don’t have a bunch of North Korean or Iranian gadgets kicking around our houses, it’s clear that the primary target of this investigation is more than likely Chinese manufacturing.

The bill requires that the study be completed and a report on its results be given to Congress by the Secretary of Commerce no later than one year from the date the bill is signed into law. It should be noted that, unlike many similar bills, the ROUTERS Act itself doesn’t place any restrictions on Chinese products or companies. It just orders a study of potential security vulnerabilities to be performed.

The ROUTERS Act passed the House with broad bipartisan support. It has now been passed to the Senate and referred to the Committee on Commerce, Science, and Transportation.

Don't like how your internet provider handles outages and security threats?

Enter your zip code below to find and compare other options in your area.

What the ROUTERS Act doesn’t do

The language in the ROUTERS Act is very broad, deliberately casting a wide net as to what pieces of equipment come under government oversight. At the same time, the bill is actually rather narrow in many ways, with considerable blind spots for what was pitched as a comprehensive cybersecurity bill.

Since this bill only commissions a study, it won’t actually prevent any network security threats, although the hope is that the study will enable better and more effective legislation in the future. There are, however, some gaps in the scope of the study itself, which are somewhat concerning. The bill doesn’t address the following:

Even if we concede the premise of the bill, with its narrow focus on dangers posed by China (and the three other countries that are not noted for their electronics manufacturing capabilities), these are still significant omissions for a bill aimed at national security. There’s a lot more to networking technology than just the router sitting in your house.

The bill doesn’t address enterprise-grade equipment

It’s important to note the key word in the language of the ROUTERS Act: consumer. The bill targets home-bound routers, modems, and gateways you can purchase from any retailer or receive through an internet provider.

What the bill doesn’t address is enterprise- and business-grade networking equipment, which safeguards sensitive high-level information hackers can utilize to shut down utilities, drain bank accounts, and launch weapons. It also doesn’t address the equipment internet providers use within their networks, which sits between the internet and the consumer-grade equipment this bill specifically calls out.

Take Cisco, for example, a popular manufacturer of enterprise- and business-grade products and services. Along with NETGEAR, many of its routers were used as springboards to attack energy, transportation, and water facilities in early 2024.

According to a report by The Washington Post, these routers were mostly outdated units sitting in small offices. They weren’t receiving security updates due to age, leaving vulnerabilities unpatched and ripe for the picking. That’s exactly what the hacker group Volt Typhoon did to hide their international origins, use malware to steal employee login credentials and install back doors.

Needless to say, there’s more at stake hacking into a government or city facility than infiltrating a home network. Now, let’s take a look at the equipment supplied by internet providers.

The bill doesn’t address ISPs and the equipment they use

In October 2023, the Pumpkin Eclipse botnet bricked 600,000 DSL gateways used by one specific internet provider. The affected models were the ActionTec T3200s, ActionTec T3260s, and the Sagemcom F5380.

“When searching for exploits impacting these models in OpenCVE for ActionTec, none were listed for the two models in question, suggesting the threat actor likely either abused weak credentials or exploited an exposed administrative interface,” states a report from Black Lotus Labs. “An unknown zero-day flaw may have also been used as an attack vector.

While we can’t speak for all internet providers, we know some do not automatically upgrade consumer equipment until:

  • The device reaches its end of life
  • The device fails, or
  • The subscriber asks for an upgrade

Based on the use of the word “consumer” in its wording, the ROUTERS Act does not aim to include ISP-supplied gateways, modems, and routers in its study.

If ISP-provided equipment is included in the study and vulnerabilities are discovered, the road to removing the hardware from customers’ homes will be a long one. ISP network-wide equipment changes are typically planned and carried out over several years.

Austin Aguirre:  Many customers are reluctant to swap their equipment if they feel their connection is functioning properly. It’s a hassle: You have to install the new gateway, and set your network up all over again. Plus, there’s always a chance that a device or two won’t agree with the new gateway.

The only way to get full compliance with a network-wide customer equipment swap is to brick the legacy gear so it no longer operates on the network, forcing customers to install the new equipment. That’s always a last resort.

However, home networking equipment is just part of the problem. The safest router, modem, and gateway on the planet won’t protect your sensitive banking data if the devices you use are full of security holes. That leads us to the next glaring omission of the ROUTERS Act.

The bill doesn’t even address the devices we use

Like computers, other devices like smartphones, tablets, game consoles, set-top boxes, smart TVs, and even IoT gadgets should have security updates enabled by default. But at some point, the security updates stop. For example, Apple supplies updates for up to seven years after an iPhone’s initial release. Samsung now provides the same seven-year update window for new Android phones, as does Google with its Pixel phones.

However, updates are optional because they’re not guaranteed to work as intended. The internet is full of complaints about how an update “bricked” a computer, phone, router, or some other device, meaning the update rendered the device useless and unfixable.

That’s typically not the case with corporate and business-level networks and devices. Updates are tested first and then distributed accordingly.

Peter Christiansen: This isn’t just a hypothetical scenario. I once had a computer that would try to update Windows every morning when I first got into the office. It would spend ten minutes trying to install the update, fail, then spend another ten minutes restoring the previous version of Windows. Losing 20 minutes or more of every day is incredibly frustrating.

Support for Windows 10 ends in 2025

One looming concern is Microsoft’s set end-of-life date for Windows 10: Oct. 14, 2024. The problem is the newer version, Windows 11, has strict hardware requirements, so not every computer can update to Microsoft’s latest platform. This means consumers must:

  • Buy a new computer
  • Swap out the incompatible components or
  • Hack the registry to bypass the upgrade restrictions

As of Aug. 24, 2024, Microsoft Windows is the most-used operating system globally. Consumers not willing to use any of the three solutions previously mentioned may choose to linger on Windows 10 indefinitely, causing a major security risk. Microsoft revealed the Extended Security Updates program for organizations in February, but it’s not meant to serve as a long-term solution. Microsoft has yet to announce a version of this program for consumers.

According to Statistica, 54% of the Windows-based PCs in use run Windows 10, followed by 31% with Windows 11. Surprisingly, 3% of all Windows machines still run Windows 7—less than 1% have Windows 8 and 8.1 installed. And while these Windows 7 and 8 machines may have security update subscriptions, what if they don’t? That’s a security risk for sure.

The bill doesn’t address ALL routers, modems, and gateways, either

Or does it?

As the bill states, the investigation targets a specific batch of “persons” or “entities” that are owned by, controlled by, or influenced by China, Iran, North Korea, and Russia. This seemingly rules out a great many local router, modem, and gateway manufacturers.

But even NETGEAR and other American-based manufacturers could fall under investigation because, technically, their products may not be manufactured on American soil. According to NETGEAR, China-based Shenzhen Gongjin Electronics Co., Ltd. manages one manufacturer in Vietnam, which builds some NETGEAR products. “Legacy” NETGEAR products are also built in China, according to the company.

And while the U.S. government is understandably wanting to crack down of foreign espionage and other nefarious activities, there’s more at stake to protecting national security than looking into a handful of router/modem/gateway manufacturers.

What does the ROUTERS Act mean for telecom policy?

The ROUTERS Act itself isn’t particularly controversial. Both sides of the aisle can agree that assessing potential security threats benefits everyone. The biggest issue with the bill is that one year isn’t a lot of time to do a deep dive into a huge market of devices found in almost every home in America. It could certainly be argued whether or not the urgency of the issue is enough to warrant a rushed job rather than dedicating more time and resources to doing a thorough investigation.

Of course, this bill doesn’t exist in a vacuum. The ROUTERS Act comes at a time when a lot of more aggressively anti-China legislation has been both proposed and enacted. For example, the Countering CCP Drones Act, which will have a lot more negative impacts on U.S. consumers,but it’s also not clear that the security risk posed by consumer drones justifies these impacts.

The ROUTERS Act also exists in a political atmosphere of paranoia that’s very conducive to censorship and government surveillance. In 2023, the proposed RESTRICT Act also concerned routers and other networking equipment but proposed far more drastic measures. Characterized in the media as the “Patriot Act on Steroids,” the RESTRICT Act would have given the government broad powers to surveil and control, among other things, home Wi-Fi networks and equipment, potentially even criminalizing common practices like using a VPN.

The ROUTERS Act is a much more sensible approach to potential national security threats, but we shouldn’t forget that the same bipartisan group of legislators that thought that national security required the government to be able to deter, disrupt, and prohibit “gaming applications” (yes, this was actually written into the RESTRICT Act) are also supporters of the ROUTERS Act.

While there isn’t anything inherently nefarious about the ROUTERS Act, that doesn’t ensure that its findings won’t be used to justify overreaching or indiscriminate legislation in the future.

That said, there are reasons why we should be paying more attention to the security of our manufacturing supply chains. As part of its ongoing war with Ukraine, Russia has increasingly focused on hybrid warfare, including targeting NATO countries in Europe through cyberattacks, arson, and possibly even explosives. Meanwhile, a deadly attack in Lebanon was carried out through the use of thousands of bombs placed in pagers and other communication devices by Israeli military and intelligence services.

The devices we put in our homes and carry around in our pockets are all the result of long, global supply chains that could be similarly compromised, even if the devices themselves weren’t actually manufactured in China. The realities of current international tensions necessitate more careful oversight of every piece of equipment that relies on the component supply chain in order to protect against terrorism and national security threats, though that doesn’t mean we should just hand the metaphorical keys to our personal devices over to the government.

“Relying on foreign companies to guarantee security for technology such as computer chips for cruise missiles or footage streaming from drones poses an incredible risk to U.S. interests and safety,” says the U.S. Naval Institute in its report about hardware trojans and the supply chain.

Hardware trojans are additional circuits on the nanoscopic scale that are difficult to detect. They can provide backdoors, shut down systems, destroy electronics, launch weapons, and more. These nefarious components can be injected at any stage of the supply chain. While there hasn’t been publicly disclosed information regarding the use of hardware trojans, the threat is possible so long as the supply chain remains unchecked.

All vulnerabilities are a problem—period

On a consumer level, routers usually enable automatic firmware updates by default. If not, users are prompted to turn them on during setup. Equipment supplied by internet providers should be handled by them, not the customer. Updates to enterprise- and business-grade equipment are presumably tested before deployment (for stability reasons).

Unfortunately, a negative spin in the media, fueled by the current anti-China sentiment, focuses on Singapore-based TP-Link, which manufactures consumer and business-grade networking products. The company was founded in China, but its two headquarters reside in Singapore and the United States. However, two U.S. lawmakers have called for an investigation into the company over national security concerns.

We’re no stranger to the company either: We’ve been reviewing its home products for years. We reviewed the Archer AX21, which has been the target of several botnets due to a now-patched flaw, CVE-2023-1389. TP-Link’s router is still on the radar as botnets search for AX21 models that haven’t received the update.

Part of the current negative spin on TP-Link includes a list of 343 vulnerabilities recorded by the National Institute of Standards and Technology. What you won’t see in all the anti-Chinese rhetoric is NETGEAR’s list of 1,199 vulnerabilities or the 139 listed with Linksys, which are American companies.

But we’re not here to call out specific manufacturers, although we do name a few as examples. Holes in software will always be a thing, whether they’re in router firmware, network switches, the smartphones we use, or the latest Windows 11 laptop. Manufacturers aim to keep their products current up to a certain point, but it’s also the user’s responsibility to ensure they receive critical updates.

But what if devices have reached their end of life? There are no security fixes after that, and that’s where hackers like Volt Typhoon attack vulnerable networks.

Overall, the bill clearly targets specific “entities” that pose a national threat. But given how terrorist and hacker groups target any networking product, investigating a handful of manufacturers doesn’t make any sense when the entire industry, from the supply chain to the software developers to the distributors, is equally vulnerable.

Our final take on the ROUTERS Act

Make no mistake: The ROUTERS Act targets four specific foreign countries: China, Iran, North Korea, and Russia. However, the broader issue surrounding national security is more than just clamping down on a handful of router, modem, and gateway manufacturers. As we’ve laid out here, the entire networking devices market suffers from vulnerabilities, starting with the supply chain and working out to the devices we use.

Fixing that will take lots of time and lots of money, not to mention compliance from every manufacturer that supplies network and internet-connected devices to the U.S. market. The ROUTERS Act is a start, but it’s not clear it’s effectively targeting the problem.

Author -

Peter Christiansen writes about telecom policy, communications infrastructure, satellite internet, and rural connectivity for HighSpeedInternet.com. Peter holds a PhD in communication from the University of Utah and has been working in tech for over 15 years as a computer programmer, game developer, filmmaker, and writer. His writing has been praised by outlets like Wired, Digital Humanities Now, and the New Statesman.

Editor - Jessica Brooksby

Jessica loves bringing her passion for the written word and her love of tech into one space at HighSpeedInternet.com. She works with the team’s writers to revise strong, user-focused content so every reader can find the tech that works for them. Jessica has a bachelor’s degree in English from Utah Valley University and seven years of creative and editorial experience. Outside of work, she spends her time gaming, reading, painting, and buying an excessive amount of Legend of Zelda merchandise.