
BTS #71 - What Makes a Device a Router?
In this episode, the hosts discuss the new FCC regulations regarding consumer routers, exploring the implications for cybersecurity, the definitions of what constitutes a router, and the challenges of manufacturing compliant devices. They delve into the debate surrounding the effectiveness of these regulations in mitigating cyber risks, the role of hardware versus software vulnerabilities, and the potential impact on consumers and existing devices in homes. In this conversation, the hosts discuss the implications of the FCC’s decision to decertify routers and firmware, the challenges posed by the conditional approval process, and the potential impact on router security and availability. They explore conspiracy theories surrounding the regulations, compare US and EU cybersecurity standards, and address the complexities of hardware backdoors and default credentials. The conversation highlights the need for better security practices and the importance of addressing vulnerabilities in enterprise devices.
Transcript
Paul Asadoorian (00:54.323): This week we discuss new FCC regulations on consumer routers, defining what a router is and how to tackle security issues associated in general with network devices. Stay tuned Below the Surface, coming up next.
Paul Asadoorian (01:11.179): Welcome to Below the Surface. This is episode number 71 being recorded on Thursday, April 2nd, 2026. I’m Paul Asadoorian joined by Mr. Chase Snyder. Chase, welcome.
Chase Snyder (01:22.034): Hey Paul, good to be here.
Paul Asadoorian (01:23.815): Mr. Vlad Babkin is here with us. Vlad, welcome.
Vlad Babkin (01:27.295): Hello.
Paul Asadoorian (01:28.699): And special returning guest, Josh Marpet, is here with us. Josh, welcome.
Joshua Marpet (01:33.432): Thank you so much, very much appreciate it.
Paul Asadoorian (01:36.095): You’re internet famous; we’ll get to that after a quick announcement. Below the Surface listeners can learn more about Eclypsium by visiting eclypsium.com/go. There you’ll find the ultimate guide to supply chain security, an on-demand webinar I presented called Unraveling Digital Supply Chain Threats and Risk, a paper on the relationship between ransomware and the supply chain, and a customer case study with DigitalOcean. If you’re interested in seeing our product in action, you can sign up for a demo. All that at eclypsium.com/go. So these new FCC regulations are sparking much debate. I’ll let Chase and Josh kind of kick off what led to the topic of this podcast. There is a video short that we recorded at RSA on the Eclypsium YouTube channel that now has, as of right now, 267,000 views, 3.3 thousand likes, and 309 comments.
Chase Snyder (02:35.86): You’re seeing different numbers than me. I see 418,000 views. That’s crazy. Okay.
Paul Asadoorian (02:40.459): Oh really? Do I need to refresh? Oh wait, oh wait, wait, maybe I didn’t refresh. Oh no, you’re right, I stand corrected. Let’s do that again. 418,000 views, 5.9 thousand likes, and 471 comments.
Chase Snyder (02:58.452): We’re gonna hit half a million on that thing, Josh. I’m confident.
Paul Asadoorian (03:01.427): It’s crazy. Give us the gist of the video for our audience that hasn’t seen it yet.
Joshua Marpet (03:06.19): Okay, Chase you want to take it or you want me to?
Chase Snyder (03:09.148): Yeah, let’s go. Okay. So we were debating like, okay, the FCC published this router ban. They updated the covered list to include foreign routers not made in the USA. It got a huge flurry of news. We were debating whether or not to even write about it. Cause Eclypsium, talk about hardware supply chain. So it’s in our wheelhouse, but it’s already so noisy. We like, you know, the news it’s already happening, but we’re at RSA and I had a camera and little microphones and we were doing like, you know, subway takes style, mini interviews about topics of the moment with various people. Josh, friend of the pod, friend of Eclypsium stops by the booth and we’re like, yeah, this is great. Good to, I’ve never met you before in person. Now I have, it was a delight. And we decided to do one of these interviews just in front of the booth. And we talked about the router ban. And we talked for like, five to 10 minutes probably. And something that you said that totally resonated to me was that anything in your home, like a TV, a smart TV that has RJ45 connectors, that has Wi-Fi cards in it, that’s a router, or it could be. We posted that clip on YouTube. We chopped out, it’s like less than a minute long, and the internet exploded.
Chase Snyder (04:34.516): And the comments, you know, we’re violating rule number one by reading the comments, but they’re actually great. And I think in good faith, there’s some good, there’s some good faith arguments on there that we should address. But yeah, okay. So we’re over 400,000 views. People have opinions about what counts as a router. And to me that indicates that like the original documentation, the FCC public notice that they put out and the documents that they reference, the NIST IR document, which you, quoted off the dome, off the top of your head, the exact section where they define what a router is. That stuff has sort of some language in it that is apparently up for debate amongst at least the YouTube commentariat.
Joshua Marpet (05:17.341): Well, it’s more along the lines of my definition of a router and your definition of a router and probably most of the commenters definition of a router is a device that routes packets from one network to a different network and it operates at layer three. And so it operates at the packet level and it has rules that it routes the packets by and it like it, there’s a lot of different features of a router, right? Now you could say, that sounds like a firewall to a certain extent. And yes, I mean, that’s effectively a layer three router. By the way, is a layer three switch a router? We’re not going to get into that at the moment. But a router operates in much the same way that a firewall does, by allowing packets to pass from the green network to the red network, if it has this flag on it or whatever. There’s lots of rules it follows.
Joshua Marpet (06:12.502): And we go, okay, that’s a router. And we all go, yeah, that’s a router. But the definition that was given was simply any device that sends packets from one network to another. Go ahead.
Paul Asadoorian (06:21.958): I actually, I have the definition here, at least one of them, consumer grade networking devices that are primarily intended for residential use and can be installed by the consumer. They say routers forward data packets, most commonly internet protocol IP packets between networked systems. And so I had this other definition that I’m like, anything can be a router provided it has this criteria kind of keying off what the FCC and the definition from the National Institute of Science and Technology states. My definition is if it’s a device that can run Linux, let’s just say, or any operating system, Linux most common, and it has more than one network interface, can become a router. And the thing is, is a router, right? Josh, you the very sensational statement that TV is a router.
Joshua Marpet (07:19.32): Yep, it is.
Paul Asadoorian (07:19.58): It could become a router. TVs have a Wi-Fi interface. They have a network interface. They run an operating system, Android, Linux, and variations. And with just one command in Linux, that becomes a router. You tell the kernel that it can route packets between interfaces with sysctl-wip-fwd-1. That’s not the exact syntax, but pretty close. You run that command, and it tells the kernel.
Joshua Marpet (07:47.106): Vlad looks angry at you.
Paul Asadoorian (07:48.361): Right, tells the kernel you can route between interfaces effectively turning it into a router. I also posted from the Eclypsium account an article that says the title is how to turn anything into a router, which I mean we’ve done since the dawn of Linux basically, right, you could take anything and make it your firewall slash router for your house. I used to use an old PC and there’s millions of different devices that can do this, right.
Joshua Marpet (08:09.922): Yep. Untangle and Vyatta OS and there’s a dozen different things that went firewall. I think released a way to do that on. You just had a box with multiple NICs in it and you were good and you wanted to do that for your wireless. Okay. As long as it has a wifi card, we’re good there too. It’s, it’s, it’s, it’s absolutely crazy because…
Paul Asadoorian (08:29.546): I mean your phone, comments are pointing out your phone, if you put it in hotspot mode, is a router. Right? Yes, that.
Joshua Marpet (08:36.162): Right. Vlad, go ahead.
Vlad Babkin (08:37.584): Actually, one question, how did they word the regulation? Because if they worded it as an it is intended to be a router, that’s one thing. But if they worded it as it can be a router, that’s it, yeah. Because like literally anything that runs Linux de facto can be a router. It’s not very hard to do.
Joshua Marpet (08:49.27): is capable. You read it.
Paul Asadoorian (08:52.02): Well, the point is that they, yeah. And that’s the problem. Yeah, Vlad, you very astutely point out that’s the problem is the FCC did not clarify intention of the device, which is something I’m recommending the FCC issue guidance on to say that it has to be intended for as a residential gateway or router and not some other consumer electronics device that would not be the primary gateway for your home or clarify it with some language.
Chase Snyder (09:23.26): Okay. But, but if the point of the router ban is to mitigate cyber risk, which it is, you know, it references Volt Typhoon, Salt Typhoon. Says there has been attacks on American citizens in their own homes using their small office and home office routers. If the ostensible purpose is to mitigate cyber risk then the intent of the device doesn’t matter that much because if you can turn it in with, you know, minimal, yeah, non-sophisticated malware could do this at scale and just, you know, worm through it, like botnet, all the TVs it’s, it could be done. So it’s like, the intent of the thing is to mitigate cyber risk, then the language in it should indicate that, but, you know, arguably the stated intent is at best incomplete and at most just different than the actual intent.
Joshua Marpet (10:09.516): Mirai.
Paul Asadoorian (10:23.55): Right. Well, here’s some interesting facts. So the FCC largely regulates layer one, right? If you want to sell a device in the US and it does any type of radio frequency communications, you have to submit it to the FCC. They put it through a testing lab to make sure, basically the primary intent is to make sure it doesn’t interfere with other devices and transmits on the radio frequencies that are documented, and they test that in the lab. With this regulation, they’re kind of stepping outside of the hardware, right, and going, you know, devices that route packets. It’s like, well, wait a minute, now you’re talking about layer three. You’re beyond layer one in the hardware at this point, which is my first interesting factoid. The second one is the ability of this regulation to actually improve the cybersecurity. The regulation states that you will not be allowed to sell hardware in the US of a router if it is manufactured overseas. Now I take that as like Mexico and Canada are okay because that’s not overseas, but is that what it says, foreign? I thought it said overseas. So, but in any case,
Joshua Marpet (11:37.09): No, it says foreign technically, but so yeah, it says foreign. I don’t think so, it’s foreign.
Paul Asadoorian (11:43.995): Like let’s recall how many cybersecurity incidents can be attributed to hardware backdoors that have come from a foreign country. We have the Cisco example. We have evidence that the counterfeit Cisco devices have had hardware backdoors. Okay, we have that. I have not seen any evidence that these consumer-based devices have a hardware backdoor that has led to significant cybersecurity events. In fact I don’t even recall any. The one that I could recall was, was it NanoKVM had the microphone on their IP-based KVM that was in the hardware backdoor, that was, it was no, it was no, wasn’t into that, kind of sorta, right, but that was not used in any of the Typhoon or similar campaigns. The Typhoon or similar campaigns are preying upon software or firmware weaknesses in these devices. So it doesn’t, I don’t care. So I guess the elephant in the room is I don’t care where the hardware is manufactured or where it comes from. The security risks that we’re incurring from this are in the software, not the hardware.
Vlad Babkin (12:58.846): I’ll make it even more evil. Like, let’s say I become an evil Vlad for a second and like wear my evil hat and like, okay, let’s say I’m a foreign intelligence service. I have money and resources to do some intelligence. I had this TP-Link company, which was in my pocket, which was pretty much spying on us consumers. Let’s assume they presume this is the case. Well, now TP-Link routers are banned because they’re all manufactured in China or wherever the hell they are. Well, I’ll just create a new company called US-Link, which will manufacture routers in the US and install my software, which I will deliver from my lab wherever I am and put on those routers. And now they’re de facto US manufactured. The firmware is like flashed in the US. It’s all great. The software is manufactured in China, but let’s not talk about that. And now I have a US-Link company which will sell router slightly pricier and market it as a like 100 % US product.
Paul Asadoorian (13:57.523): Yeah, but that’s a great point, Vlad, and begs the question, do all of the components have to be manufactured in the US, or can the components be manufactured somewhere else? But also, I think it’s an important distinction, which components? Obviously, the SOC chip, right, system on the chip that comes in your router, is the primary chip that we’re concerned about. Maybe if that has the radio on it or not, there might be other chips, there won’t be spy flash chips, but hold on. What about the capacitors and resistors in the board, which have absolutely zero impact on cybersecurity, maybe safety, like if a capacitor blow or whatever, right? But have zero impact on cybersecurity. These are passive devices with no intelligence. You’re just saying now we have to manufacture all the capacitors, resistors in the boards in the US? That doesn’t make any sense to me.
Chase Snyder (14:52.232): Well, I think the premise there is that if it’s manufactured abroad in a geopolitical adversary, that even if it’s one of those type of passive, you know, capacitor, what they’re going to do is embed some other little thing in it that’s somehow not going to get detected throughout the supply chain.
Joshua Marpet (15:08.056): God, Manchurian Microchip again?
Paul Asadoorian (15:10.142): Dear God, like the likelihood of that when we talk about risk in the risk equation is so not even grounded in reality. Like you’ve got a firmware that has command injection and auth bypass on it. Like that’s the issue.
Vlad Babkin (15:19.098): It… It gets even worse. Like, if you think about it, small manufacturers who have to source every component in US will probably do it for higher price than the companies that can source it in China. But point is, if I’m an intelligence agency, I can just sell my router under the market price or under the production cost because it’s main value for me.
Joshua Marpet (15:45.902): Because you don’t have to make a profit.
Vlad Babkin (15:48.115): Yeah, the profit is not from the router, the profit is from intelligence. So de facto, only Chinese or foreign intelligence manufacturers routers will actually be cheap, if that’s the case. And everything else will be twice as high as the price, simply because they need to make some profit.
Joshua Marpet (16:07.0): So the problem, okay, so by the way, I think it’s 65, don’t quote me on this, but I think it’s 65% of the hardware bill of materials has to be manufactured in the US. And so.
Paul Asadoorian (16:17.207): So they did state the bill of materials with a percentage in the regulations? Okay.
Joshua Marpet (16:20.79): It was somewhere, I forget where it was, one of the things they called out as one of the regulations. So not the, not the actual router ban, but one of the things they called out in the footnote or whatever. But you know, even if I’m wrong and it has to be 50% or a hundred percent US, we just simply can’t right now. There’s no, I mean how many chip fabs do you think we have in the US?
Paul Asadoorian (16:39.006): No. Like one, like Nvidia has one. Yeah, and I think it’s just for Nvidia, but also I want you to think about: if these regulations, the intent, one of the intents, is to bring this chip fabrication and manufacturing to the US, we can’t do that and meet the demand, or supply and demand, for these routers. Like just go do, I’ve done some market research. You can go prompt an LLM: how many millions of devices are sold by the top consumer vendors that make consumer-based IoT routers, D-Link, Linksys, TP-Link and the like. There are millions and millions of chips that need to come off an assembly line to produce those routers. It would conceivably take, my wild guess, five to 10 years for us to build that capacity here in the US to be on par with Taiwan and TSMC. Is it TSMC? TSMC in Taiwan, yeah. Right, yes.
Joshua Marpet (17:31.758): To start making those, it’s TSMC, to start making those chips, not to actually complete making those chips, by the way. That’s number one. Number two is we’ve got a limited time span. But Josh, why? Because they put out a further piece that said that the firmware in any router that is currently being used and is currently approved is going to be disapproved in either January or March of 2027.
Paul Asadoorian (17:57.386): 2027. It’s March of 2027.
Joshua Marpet (18:00.256): March of 2027, which means that all the routers, you know, every router you’ve got in your house and everybody’s got in every house.
Paul Asadoorian (18:05.233): Right, which is all fine to sell now. Like they can continue selling those SKUs now, which is an important point in the discussion, for a year, and then they have to develop the firmware in the U.S. Is that the…
Joshua Marpet (18:18.542): No, then it has to meet the, as far as I know, it has to meet the same thing, which is that it has to have, because this is how it started. We are not going to approve or confirm your firmware. So you’re not allowed to import it because we don’t agree that your firmware will not interfere, you know, will not hurt our radio frequency systems here. But here’s the thing, we’re going to go in a few different directions all at once. Routers don’t necessarily have to have wifi.
Paul Asadoorian (18:48.854): So if a router doesn’t have Wi-Fi, is the FCC involved at all? If there are no, my understanding is if there’s no radio frequency communications, you do not have to get FCC approval to sell that device.
Joshua Marpet (19:04.318): One, two, there is a whole subculture of make your own router. And people will take switches that are layer three switches or can be made into layer three switches, throw a wifi card on the sucker and say, I’m done. Third, they name Salt Typhoon. Now look, I get that the consumer grade routers, wifi routers are a stepping stone, a relay to critical infrastructure. They’re absolutely correct. I get that that’s legit. Okay. So ban the routers. Oh my God. But anyway. Salt Typhoon, which they named as one of the reasons they put this into place. You know, I’m like, I remember that. How do I remember that? Oh right. That’s the group that wrote Jumbled Path that took over every CALEA system at the backbone of every phone network in the US. These are not consumer grade routers. These are things the size of like rooms and houses and big racks.
Paul Asadoorian (19:56.061): And Typhoons also targeted enterprise gear, as we’ve documented on our blog, which I think, I wanna get back to the firmware thing, but also, so I believe they clarified that it is not enterprise gear right now, and then we’re something like maybe in the future. This is household only. But you can go on eBay, and I’ve done this, and buy an enterprise-grade router, the smallest model router, for around $40 from Fortinet, from Ivanti, makes VPNs, Palo Alto. I think I’ve got Fortinet, Palo Alto, and it’s Cisco, you can buy that stuff too. And so, does that open up the market now? Because they’re not beholden to this new FCC regulation. So conceivably, consumers could go buy used or new gear at maybe a similar price point. The newer gear is probably like a brand new Fortinet router, their small models will be a lot more than your TP-Link. Then there’s the used market, but that’s, that’s weird to me, that’s very weird.
Vlad Babkin (21:06.398): It gets even better. We have consumers with all of these routers already deployed. The regulation says you cannot buy new ones, but it doesn’t do anything about whatever hardware is already installed. And it cannot really do anything about it because even if you tell consumers to just throw it out, who’s going to pay for it? Yeah, so just… Yeah. And even if you create incentives…
Paul Asadoorian (21:26.026): They’re not going to do that. There’s no incentive to do that. I’ve talked about that in the past. You have to create incentives for them, for them to do that.
Vlad Babkin (21:35.538): You have to create hardware for them to put into, and there is no hardware.
Chase Snyder (21:40.244): To me, the straightforward read of that, if I was going to interpret it in total good faith and be like, this is they’re trying to do what they say they’re trying to do is here, is that somewhere outside of my classification level, there has become increased paranoia may be justified that future currently being manufactured hardware is going to have more backdoors and whatever stuff in it. And so they’re not actually worried about what’s deployed right now. They’re like geopolitical tension has reached the point where we think China or whoever is gonna start really intentionally making routers and such with hardware backdoors. It was like, the ones in the past are not a big enough threat. The ones in the future are. That’s a good faith read. Yeah.
Paul Asadoorian (22:20.243): That makes some sense, Chase. You’re right. Yeah. I said some.
Joshua Marpet (22:28.65): It doesn’t, it doesn’t because look, they’re not stopping. Again, it has to have a wifi chip in it for it to be certified by the FCC. All I have to do is sell enterprise switches with these hardware backdoors in them. And I’m right past all of these, all of these different barriers are trying to put in the way. If you really wanted to do this right, and because you’re trying to keep the household routers from being operationally used as relays to get a critical infrastructure. Mandate an approval process that included a firmware and binary analysis of the router. Mandate a trusted execution on the routers. Mandate that you…
Paul Asadoorian (23:08.627): Wait, hold on. I’m sorry, Josh. I have a question though. Is this ban saying that when they say, routers they’re not defining as having Wi-Fi. Routers they’re saying route packets. But I think they’re stepping outside of that radio frequency and saying routers, regardless of whether they have radio frequency communications or not.
Joshua Marpet (23:34.252): I agree with you, but the problem is, I think this is why they went after Household. Because to buy a router for an enterprise, you’re not gonna buy a router for enterprise with Wi-Fi. You’re buying a router that does packets over RJ45 or fiber or something.
Paul Asadoorian (23:42.587): Right, right. But let’s say, let’s say it has to have radio frequency communications. What’s really hilarious to me is that you could market a router that just does ethernet, and if the FCC says, well, if it doesn’t have RF I don’t care about it, you could sell that in the US. Then you could make a Wi-Fi access point, which is technically a bridge, not a router. It technically does not route packets because it’s all in the same subnet; it bridges the traffic from Wi-Fi to ethernet, does not route it, and it would not classify as a router according to their current definition.
Chase Snyder (24:20.102): Alternately, everybody just goes fully wired and we enter a wired internet only golden age where everybody has wicked fast gaming.
Joshua Marpet (24:23.756): I have a Ubiquiti system and I have access points that are mesh. I like, between the very smart access, some of those access points are amazing these days and they’re just bridging over to a wireless network. So the point, but they’re bridging, they’re moving packets from one network system to another network system. Is that a router?
Paul Asadoorian (24:45.181): Right, but they’re not routing because it’s on the same LAN. They’re just bridging. They’re bridges.
Joshua Marpet (25:01.324): And this is the problem.
Chase Snyder (25:01.492): Well, let’s ask the YouTube commenters because a lot of people made this specific distinction saying like he’s talking what he’s talking about is a bridge not a router. So some percentage of the people in YouTube thought about that and made the distinction.
Joshua Marpet (25:14.124): And the problem is that the definition of router from the FCC is moving packets from one network system to another. And that’s a bridge.
Paul Asadoorian (25:21.479): Yes, they say routers forward data packets most commonly internet protocol IP packets, but it’s not specific enough to make the distinction between a router and a bridge.
Joshua Marpet (25:33.944): So to all the YouTube commenters who commented, you’re an idiot or whatever, I’m going by the FCC’s government definition. I’m not going by the definition that you have and that I have and that we all have as technologists. I’m going by the letter of the law. And by the letter of the law, if you have a toaster with an RJ-45 and a wifi card, it’s a router.
Paul Asadoorian (25:57.767): Right, because it’s vague.
Chase Snyder (25:59.25): Yeah. And that’s kind of where the language of intent starts to be meaningful in there too. And like, you know they have the language in there of intent, but it’s only around intended for consumers to be able to install in their homes. It’s not about whether it’s supposed to be used as a router by their definition, or anyone else’s. But yeah. So, okay. I don’t want to, okay. Yeah, go ahead.
Joshua Marpet (26:23.756): Really quickly, famous story of a coffee machine in a factory. You ever heard this? There’s an office with internet access and a factory floor with a closed network, right? They bring in a coffee machine, they stick it up in the lobby of the office, they plug it in, and this thing has a little web server in it so you can tell if the coffee pot’s full or not. This is awesome, okay? And they plugged it in, but they couldn’t get it in the office. So they realized, this thing has Wi-Fi, so they plug in the Wi-Fi password into it. And so now they can tell in the office if the coffee pot is full. It’s amazing. The next day they show up and everybody’s got ransomware. And then the screaming starts from the factory floor because all the CNC machines have ransomware. Like how the hell did that happen? It’s a closed air gap network. They plugged in the coffee pot with RJ45 and put the wifi on to the OT network. And guess what?
Paul Asadoorian (27:16.883): To the OT network, yeah. And the Wi-Fi to the enterprise network, which has access to the internet. And bridge or router, I would assume technically that would be a router because they’re probably different subnets and it would have to do some routing. But if it’s Linux, it’s again, it’s Linux, got Wi-Fi, got ethernet, one command, and you’re routing packets.
Joshua Marpet (27:36.814): Ta-da! I’m gonna shut up.
Vlad Babkin (27:45.217): Two comments, two words. Network segmentation. You should learn it sometime. Like, I don’t know. All of these, let’s connect a coffee pot to our network with, oh, hey, it’s the same network with all of the OT hardware. Yeah, I did hear at one point a mind-boggling story about such a thing. Not sure if it is true. I remember hearing it a long time ago when there was one dude flying on a plane and he connected to the wired plane network and he just started scanning around and he found all of the plane systems which were just in the same network and had no authentication. So de facto he took over the plane and then the poor stewardess just saw it and was scared completely out of her mind. He didn’t do anything but like when they landed they literally had the SWAT team just run in and grab the guy and that’s why they started closing off the wired ports. I’m not sure if this story is true, but if it is, yeah, network segmentation is hard.
Joshua Marpet (28:46.648): That’s Chris Roberts. He’s a friend of mine. Yeah, he’s a friend of ours and it’s true story.
Paul Asadoorian (29:03.881): That’s it. I want to go back to March 2027 as it relates to these regulations. Is that FCC saying that they will not, like even if you got an exemption and you’re selling a new router here or let’s say you’re not, I am confused as to what that date means. Does it mean you have to develop the firmware here in the US or the things that were not approved that everyone’s using now, you’re not allowed to produce firmware for them, which, I mean, this could be disastrous, right? This could be manufacturers’ end of life and end of supporting, end of supporting everything because they don’t want to make the firmware. They’re almost making the problem worse. Is that, am I understanding this correctly?
Joshua Marpet (29:48.034): Yep. They’re decertifying. So right now you can’t do any new firmware. Okay. If it isn’t already approved, you can’t do it. All right. Until they get the conditional approval channel set up.
Paul Asadoorian (30:02.508): Any new hardware or firmware, any new hardware or firmware. But firmware for, if stuff that’s being sold now in the US, you have new firmware for it, that’s okay until March 2027.
Joshua Marpet (30:11.512): Yes, that’s correct. That’s the new thing. You sell a router right now, it’s already approved, it’s already good, it’s fine, and you sell it in March 2027, you will not be able to sell it anymore. Your firmware, your router, your FCC certification is going to be decertified in March of 2027. And so they’re trying to do this to push because they realize that some of these routers have long lifespans. I mean, how long did the WRT54G get sold for?
Paul Asadoorian (30:38.619): Yeah in multiple iterations over like 10 years or more.
Joshua Marpet (30:40.654): 10 years. So they’re like, all right, we don’t want our, we don’t want these manufacturers to slap a new shell on it and call it a new version of a router, even if it’s the same hardware, same firmware, same everything, so they can keep selling them. So they’re like, all right, in 2027, everything goes away. It’s a foreign company. And it’s like, you don’t understand, all you’re incentivizing is for these manufacturers to stop producing firmware updates because it’s not going to get certified. You’re going to stop producing security patches because it’s not going to get certified. You’re going to stop producing any new features and any new fixes for all these routers.
Paul Asadoorian (31:16.627): So how are they gonna regulate if just let’s use TP-Link or whatever, they’re selling a couple of models now and 2027 rolls around and they put out new firmware, are they gonna stop people from downloading it? Are they gonna stop manufacturers from distributing it? How would they control that?
Joshua Marpet (31:33.922): Well, if they can’t sell it, if TP-Link or any of the other, you know, Fortinet, Juniper, whatever, can’t…
Paul Asadoorian (31:41.337): I see. It’s the other way. If I can’t sell those models anymore in the US, I’m not going to produce any new firmware updates for them because I can’t sell new ones. So why would I keep producing firmware updates for stuff that no one’s going to pay me money for anymore? Yeah.
Joshua Marpet (31:55.042): Ding ding ding. So it’s really tough because they’ve disincentivized the manufacturers from doing these magic things like producing security updates. I know crazy, crazy. Why would you need? Yeah, they’re making it worse. And so now we have this whole situation where, okay, we’re all like, all right, so there’s a conditional approval process mentioned in the regulation, but there’s no conditional approval process that’s been promulgated in any way, shape or form that I can find. If anybody can find it, please send it to me. Okay. But I can’t find any conditional approval process that’s actually out there. So we have no conditional approval process. We have no understanding of what it’s going to take to be conditionally approved. I’m sure that router manufacturers are trying to pull together whatever they can to figure out, I’ll send them a package of firmware that’s been checked by any of the half dozen companies that do firmware analysis.
Paul Asadoorian (32:47.901): You know what would be awesome? I think this would help move the needle security wise. It would also tremendously help our respective companies that we work for, all of us collectively, if they did a model like PCI. If they said, well, you want to sell a new model and you want to produce firmware for it, that’s great. Conditional approval is there’s this list of vendors, just like PCI qualified scanning vendors, that you can go to and you can go get your devices certified. That company will produce a report. You’ll come back to the FCC and say, look, I got this new model router. It’s got this firmware. And it was approved by vendor XYZ that was on your list for conditional access testing or what have you, and adopt the PCI model of qualifying it. That would be great for everyone. Hey, we’d get better security. I mean, you’d have to define, then you have to create a standard. What is the security standard for these routers? Which, collectively as a community, we have most of those pieces already. We could pull together a nice standard. It would take us some time to agree on it, but yeah, it’s exactly right. There’s standards. We have a standard, and then you have testing harnesses and frameworks that adhere to that standard. You have to certify your testing process, so then FCC would have to then have a process just like PCI, right. I did this at Tenable. I was actually there when Tenable was applying to be a qualified scanning vendor, QSV, right? And so you have to say, I can test it, here’s the proof that I can test in PCI world to the regulations. In this case it would be, I have to prove I can test firmware and hardware to whatever specification and standard we agree upon. That would be amazing. That would be awesome. That would help everyone, I think. I mean, it’s selfish of us to think that, because obviously our respective companies would want to be on that list.
Because anything being sold, we get money to go test it.
Joshua Marpet (34:46.39): And you have to have a way forward. Right now they’re saying no, no, no, but you have to have a way forward.
Paul Asadoorian (34:51.741): Yeah, right, right, yeah, with no, yeah, we can’t just stop selling routers here in the US. This is ridiculous. And then, but here’s my other thing I’ve been mulling on. So any computer can be a router. And I think one of the YouTube commenters pointed this out. If you buy a motherboard, it has ethernet and Wi-Fi. Is that a router? You can buy, I have them laying around. I’ve got a bunch of them. They’re fanless mini PCs with four Ethernets on them. They’re not really marketed as a router. They’re marketed as a PC. So we’re not going to be able to buy computers that have more than one network interface on them anymore? They’re going to have to go through the approval process for a router?
Vlad Babkin (35:51.026): Yeah, what happens if you insert a network interface in it? Like, let’s say the motherboard, right, is just one, but then you just buy a card, like a Wi-Fi card. Well, those are not a router, neither is this motherboard a router, so you put them together and suddenly you get a router. You’re not gonna sell it?
Paul Asadoorian (36:05.393): Right, you buy a kit, yeah. Right, you buy a kit, and you buy the router with no wifi, and it comes with a wifi dongle, and when you get it, you plug it in, and then, this is crazy. I can’t believe we’re having this discussion, actually. This is crazy.
Chase Snyder (36:23.634): Okay. So do we want to air out any of the most fun conspiracy theories about it? Because I asked a bunch of people this question before and after we talked to Josh and people had some fun takes. You know, one general one that I heard multiple times was that this is a move specifically to either target in a negative way or to help one or two specific companies. And this sort of goes back to the theory that Vlad was bringing up earlier that some company could, I don’t know, thread the needle on the regulations and have like a made-in-US router company that gets the first and maybe only exception. In the FCC document, it says that it’s the DOJ or the DOD or the DOW that’s going to have to grant the exception. Um, and they probably, you know, would hire a third party that has the ability to analyze hardware and firmware for security properties. I wonder who would do that. So it’s like, okay, so this is just the DOW getting their hands in the pie of the approval process for these things that already have tons of approvals that have to go through. And so now it’s a tool that could be used to, you know, help out or harm specific companies for whatever reason, security or profit motives or the reason. So that’s a take that I heard that’s also present in the comments and that people also said to me out loud in person. I think the most fun, possibly most unhinged conspiracy take that I heard is that the government wants you to use only government approved routers that have that wifi based motion detection and can like monitor the physical movement of humans that are moving around within the range of them, which, you know, it’s true. You can use wifi for motion detection. They’ll even try to sell you this as an add on service for like five bucks a month.
Some of the router companies will be like, hey, do you want an in-house security system that uses your wifi signals to detect whether there’s a person moving around your house while you’re gone? Which is very funny to me. That seems…
Vlad Babkin (38:42.045): The government already has Amazon wiretap, otherwise known as Amazon Alexa.
Chase Snyder (38:47.346): Yeah. Yeah, exactly. I was like, would they do that? There’s easier ways. Easier ways. Occam’s Razor says that’s not it.
Joshua Marpet (38:50.377): The fact is, that the easier ways are Ring. Yeah. The conspiracy theories are running rampant about this and I’m not going to comment on any of them because frankly I have my own thoughts, but the biggest problem is that there’s not a clear path or understanding of why this was done in such a way at such a time, in such a strange way, to make perverse incentivization. There’s not enough time to get this done, right? You want to insource? You want to bring manufacturing back to the US? I’m all for it, man!
Paul Asadoorian (39:26.803): But you still have to have a plan to replace the tens of millions of routers that are deployed in the US today. That is the problem. And while this addresses maybe the long tail, with the incentives the way it’s being structured now, new routers will be scarce, hard to get approval, but conceivably now more expensive. So now there’s no incentive for any consumer to go upgrade their router, right? If someone’s going to go upgrade their router, or maybe is thinking about it, and they go look at, well, now there’s only like three manufacturers, and guess what? They’re $300 a piece, because either they had to increase costs for the process to get approval, and or increase costs by manufacturing here in the US. Now your $50 routers are $300. No one’s now incentivized to upgrade at all. Unless you have what I proposed in the past, which is some incentive program for people to replace their routers with something that is more secure. Right? So you have to incentivize the ISPs and the consumers and get funding from the government to go, hey ISP, you’ve got tens of millions of customers. They’ve all got mostly insecure routers. You need to have a program where people can upgrade or replace their routers and the government is gonna help subsidize that, help create incentives for both the ISPs and the consumers to upgrade to something that hopefully is more secure, right, that has to adhere to a higher standard of security, and not just where the hardware is made but actual security in the firmware itself.
Chase Snyder (41:08.484): UBI man, universal basic internet, government dull internet.
Joshua Marpet (41:11.825): God, I’m gonna hit you.
Paul Asadoorian (41:13.232): Yeah. No, no, no. It’s not regulating the Internet. It’s an incentive program for people so that the device that gives them access to the Internet has better security than what we have now. I have not seen anything come from any regulations here in the US that help solve that problem. There have been lots of attempts at, what was it? The Cyber UL and lots of other attempts like that. None of them have legs to actually fix the issue.
Chase Snyder (41:44.178): Yeah. Something I thought about as I was reading this document is that also relatively recently, whenever it was that the EU Cyber Resilience Act came out, that is a document. You know, that’s like a hundred page PDF with a very detailed sort of set of plans and requirements to introduce a little bit more security into the hardware and firmware supply chain specifically and the supply chain for digital products. And it also has timelines for enforcement, has very specific penalties. You know, it has teeth and it has details about how to actually comply with it. And I was like, OK, so there’s precedent for like a good supply chain security policy and set of regulations and stuff. And this doesn’t quite rise to that threshold as we’ve been discussing it. And I don’t know whether it’s like, I keep, you know, maybe I’m too internet brain, but I keep thinking, like, is this some sort of global geopolitical 5D chess that I just can’t really see what the game is that’s being played? Or is it just not a very good job done on a straightforward attempt at actual supply chain security? They’ll, you know, take some time and they’ll fix it up and we get better over time. They’ll iterate on it and it’ll get better. Or some combination.
Paul Asadoorian (43:02.557): Well, I think it’s, you know, what is the quote? Like, don’t attribute to maliciousness what can be contributed to or attributed to incompetence, right?
Joshua Marpet (43:11.118): Yeah, I think this is magic thinking. I think this is, if we ban everything that comes from a foreign country, they’ll just build it in country. And the problem is that that is possible. We can build it in country, but it’s going to take five to 10 years to get us ready to do so, to start getting ready to do so. It’s going to take routers that are close to four or five hundred dollars, instead of 80 bucks, 120, 160 bucks. And that’s just punishing people who don’t need to be punished.
Chase Snyder (43:40.478): People are going to have to go touch grass, man. They won’t be able to doom scroll anymore. That’s how it’s going to affect me anyways, but yeah.
Joshua Marpet (43:45.812): No, you’re going to find clubs of people building routers out of weird stuff, which means you’re going to have an even more fragmented infrastructure experience and you’re going to have easier access because the attack vectors against DIY are going to be monstrous.
Chase Snyder (43:59.006): Yeah, it’s gonna be a weird hardware landscape out there. The hardware environment and the attack surface is gonna be more strangely shaped.
Vlad Babkin (44:14.172): I’m just thinking about all of this. When you actually ban foreign imports, Russia tried that and it kind of worked for them, but not quite. They really wanted to get some internal chip production and whatnot. Well, they have some kind of chip production, but their own internal manufacturers are saying that their chips are not stable, not usable, and so on and so forth. It will take us like 5 to 10 years to actually start producing something, but producing something of quality, yeah, it will take much longer. Like, the only thing…
Paul Asadoorian (44:52.873): Quality, but it has to be at a reasonable price, which is a great point, Vlad, right, is that we need quality chips, but again, the market is demanding the $50 router, so to get to that quality and put it in a $50 router, that’s a huge challenge.
Vlad Babkin (45:14.59): Yeah, the market will probably survive a $100 router instead of a $50 router, but definitely not $500 instead of $50. And again, looking at Russia, they are right now trying to ban all VPNs imaginable and trying to tighten the screws. It’s like latest week news. I’m just watching that region for, okay, understanding Russia, and they can tell interesting stuff for people. And this news is very interesting because Russia does not really have a replacement for most services. For example, they don’t have a Discord competitor, don’t have Google Meet competitors, don’t have Slack competitors, etc. So if they just ban VPNs, Russia will axe all IT infrastructure. They literally are not ready. So in this case, the US is kind of doing a similar thing with routers, because if you axe all of the foreign routers, do we even have large-scale consumer router manufacturers in the US who can actually hit the demand? The question is, even if the regulation comes into place, what companies are left? So far, I just don’t see anything. Not on enough scale or…
Paul Asadoorian (46:24.201): But I mean, we’re running under the assumption though that hardware manufactured in the US can’t be backdoored. Like, it can totally be backdoored in the US as well. Yeah.
Joshua Marpet (46:36.408): Will refer you to Cisco repackaging equipment back in the 90s so they could put interesting firmware on the hardware.
Paul Asadoorian (46:46.587): If you’re concerned, and I think I’ve said similar things in the past, if you’re concerned about hardware backdoors, we shouldn’t be as concerned with where it comes from, but the validation process that must be in place to validate and verify that it does not contain any backdoors. And with hardware, it can be very difficult, but it’s not impossible to have some of those safeguards.
Vlad Babkin (47:09.714): Yeah, so for example, hardware vendors are completely notorious for making their firmware incredibly hard to actually get your hands on. And this is true for routers, true for cameras, et cetera, et cetera. So what you get is usually an encrypted blob. Good luck analyzing that. So maybe if you get your hands on a specific device with some kind of effort and research, you can actually decrypt it. But that’s device per device. You cannot do this update to update. And there is no regulation for that. If some, again, Chinese intelligence service decided to pretty much move TP-Link inside US, name it US-Link, and install its own firmware, companies like Eclypsium, for example, you would face difficulties because their firmware will come encrypted. And we will have a lot of fun trying to actually get our hands on it.
Paul Asadoorian (48:03.037): You know what’s interesting and it reminded me, Vlad, of if you look at Mirai, the most popular botnet malicious malware, or malware I should say, that attacks largely consumer-based devices as well as others, look at its primary infection vector. Does it need to bypass firmware encryption, firmware signature validation? Does it need to even exploit vulnerabilities? Now the number one thing that Mirai pre- is default credentials! So we can have the best hardware, no backdoors in the hardware, we can have air quotes secure firmware, but the problem is this is going to still persist because we have this credential problem. Default and weak credentials.
Vlad Babkin (48:47.902): By the way, my recommendation for any software vendor, routers, actual software, enterprise software, whatever: don’t make a default password, ever. If you’re deploying hardware, make sure that your password is arriving with the router packaging, so that the default password is not admin-admin, but admin and something random on the router itself. Or, for example, if you are packaging software, during the software setup, make a new admin account with a random password. That makes your software a lot more secure, basically for free.
Paul Asadoorian (49:24.243): Yep. That needs to be, we talked about this before, you know, wiping out the default credentials certainly helps. And that’s, wow.
Vlad Babkin (49:32.316): Yep. You can’t exploit default credentials if there are none. That’s it. It’s as simple as that.
Joshua Marpet (49:45.73): Yeah, but if there’s literally no default credentials to be found, how do you exploit them?
Paul Asadoorian (49:50.878): But many standards and guidelines exist that would govern what the user could set for a password to make sure that it’s not easily guessable. We see this with a lot of systems today, like, hey, you need to create an account. Well, can’t create. So let’s say I get a router. My username is admin. And I want to set the password to admin. It’s going to reject that and say, no, you need to have an 11-character password that is letters, numbers, symbols, whatever.
Vlad Babkin (50:19.337): Stick to two very simple rules. Password must be eight characters or above, sometimes 10 characters or above. And you should check it against a password word list. Like take RockYou, and that’s it. Don’t implement actual rules for letters, digits, and whatnot. They actually don’t help. Like if you start to check passwords, there are very easy to guess passwords which follow all of those rules, and almost uncrackable ones which contain just lowercase letters. So…
Paul Asadoorian (50:44.104): But that’s why our findings from the IP KVM research identified, as a security finding, resilience to password brute force guessing. And that would, in combination with strict password guidelines and rules, make it slower if you’re brute force guessing it. And JetKVM did that, right? They implemented, I think NanoKVM did it as well. You know, they put safeguards in that help thwart the automated brute force guessing of passwords. So technology exists to help solve what we just unearthed as the real problem of default and weak credentials. That’s the first, in my mind, the number one problem we have to address. Then you move on to vulnerabilities like the classic authentication bypass and command injection, right? That bypasses a lot of safeguards as well that you could put on your system. I don’t care if your firmware is encrypted. I don’t care if your firmware is signed cryptographically. Once the router is running, if there’s an auth bypass with command injection, even if you signed every piece of software that’s running on that device, I can still execute commands.
Joshua Marpet (52:02.488): So I just found this apparently, and I’m late to the thing, but they have conditional guidance approval now, or conditional approval guidance now. The entire document is about who you are, where you build, and will you move here, not about whether the router is secure.
Chase Snyder (52:23.974): Okay, so there’s an indicator of purpose there. There’s some, they’re tipping their hand about what the point of this thing actually is now.
Joshua Marpet (52:30.262): A manufacturer could get conditional approval with firmware full of backdoors, default credentials, and unpatched CVEs, so long as they have a clean ownership structure and an on-shoring plan.
Vlad Babkin (52:41.659): And it’s like two steps backwards, one step forward. Classics.
Joshua Marpet (52:48.95): It’s crazy. It’s absolutely crazy.
Paul Asadoorian (52:52.603): It’s interesting that we have the solutions, but they’re nothing like the solution that is being proposed. We have the right solutions. That conditional approval guidance is the wrong solution. I mean also, let’s talk about enterprise devices, because those devices were used in the Typhoon campaigns and continue to have software and firmware vulnerabilities that threat actors are exploiting. So we’re not gonna address that issue. We’re just gonna say we want you to manufacture in the US.
Joshua Marpet (53:31.886): Not according to them. It’s basically all about manufacturing in the US and, you know, I’m sorry, but it’s important to manufacture in the US. I’m all on board with that. Please don’t get me wrong. But the big problem is that it takes five to 10 years to set up a chip fab. If you want me to build everything else in the US, well, don’t you think the chips are kind of important? Like I can build a shell. I can build capacitors. I can build diodes. I can build PCBs. I can build all those in the US with a very minor amount of setup. I mean, yeah, you’ll need some money, but you could do it pretty easily, right? You know what I’m saying? But the problem is that the chips are the ones that take the longest time with two nanometer photolithography. Like, I’m sorry, that takes a while to set those suckers up. And the only one that I’ve been in, in the US, okay, they never opened. They turned it into a data center because they realized they could make more money with the clean rooms in data center mode than they could using it as a chip fab.
Paul Asadoorian (54:37.097): Yeah, again, the incentives are backwards. I want to talk about the enterprise appliances for a moment because there was a new, in the five minutes we have, vulnerability. Well, it’s an old vulnerability from October 2025. I don’t remember the CVE. Hold on. I do. I’m lying. Thank you. CVE-2025-53521, well, in October of 2025 it was a CVSS six or seven or something like that. And it was deemed an authenticated denial of service vulnerability. So it required authentication and was deemed a denial of service vulnerability. Now, mind you, we go back in time to last October, when there were about 40 plus advisories or CVEs addressed by F5 as a direct result of the year-long breach that they suffered, where threat actors purportedly gained knowledge of 40 plus vulnerabilities that had not been disclosed and or patched. And so that kind of forced F5’s hand to patch these. Now, if you looked at all 40 plus of them, like many of us did, we said, well, all of them require authentication. So therefore we don’t have to rush to fix that. Now, more security mature organizations were like, well, wait, if F5 was breached for an entire year, we really got to go look and make sure that our F5 stuff is good, and many organizations did that, which is good. But many didn’t really prioritize patching because, while it’s not, you know, it’s not a critical vulnerability, until this last week, I believe, when CVE-2025-53521 was upgraded because in the wild it was being noticed, observed, that it was being exploited. It was being exploited without authentication for remote code execution. So that wiped out those two criteria. The same CVE is now a 9.3 and does not require authentication and gives the attacker remote code execution capabilities on F5 devices. Which is just, you know, I’ve not seen the attribution to which threat actor group was observed exploiting this. It was UNC5212 that’s credited with breaching F5.
I don’t have any evidence that says UNC5212 is the one exploiting this kind of reborn vulnerability, if you will. But now this goes from something that you probably should have patched to something that, if you haven’t patched now, you’re probably already breached. Yeah, you’re in trouble now. And it’s dealing with the Access Policy Manager feature in F5, which is kind of like their Zero Trust feature. I don’t know, Chase or Vlad or Josh, have you looked into that feature on F5? It’s kind of marketed as their Zero Trust Conditional Access Policy feature, which tells me it also needs to be exposed to the internet if it’s making decisions as to who should access it or not. And so you have to turn this feature on and you have to configure an access policy on the system in order to be vulnerable. But again, if you’re using F5’s gear, this is a feature you might be using.
Joshua Marpet (58:00.182): A lot of people are going to policy based access control and using Open Policy Agent, using Rego as the policy language. A lot of people are going that way. I was just at RSA, RSAC, excuse me. They get annoyed with you if you just say RSA, and I love Jen Easterly. I’m going to, okay. It’s RSAC, and Open Policy ran several events that I went to. They ran great events. Amit Elazari is awesome. She put together a panel of people that were insane. She’s all about policy-based access control, her company is, and they have very smart arguments about this. But obviously, to do this, you have to have a policy center. And just like access control or identity management, you have to have a central store of identity, have to have a central store of policy. If you have a central store of identity or policy, everything has to have internet access to get to it to get the latest updates on policy. If that’s the case, there’s a possibility for problems.
Paul Asadoorian (59:09.927): Yeah, I’m not picking on F5. They’re not the first company to disclose a vulnerability and then have to reclassify it and reassess the risk score or severity score, I should say. Ivanti, I believe, has done this and other vendors as well have succumbed to this where they go, we fixed this and it was a low severity vulnerability, or we fixed this and it was a bug and it wasn’t a vulnerability at all, only to come out later that it is a vulnerability and or it is a much higher severity vulnerability that is much easier to exploit. And so it’s painful to me to think about this process and how we improve it, right? We need better vulnerability and security research to be looking at these in that process, when you find a vulnerability, making sure it’s classified correctly. And based on historical data, a lot of the major enterprise, network edge, and security appliance vendors don’t have, or are not applying, the teams that do have that knowledge to this problem. A lot of these companies have great threat and security researchers, but they weren’t tasked with, hey, can this actually be exploited? Which is a problem. So they’re relying on either security researchers like us or threat actors themselves to figure out what they can do with a bug or vulnerability to then go reclassify it. By then it’s too late, right? Because this was being exploited. I mean, it’s not really a zero day. I mean, is it like a one day, a half, a 0.5 day? Because there was a vulnerability that was published and there is a fix for it, but we just classified it wrong. I don’t know what you call that. It’s like a 0.5 day.
Chase Snyder (01:01:07.09): I saw a slide recently at some conference that was about the percentage of vulnerabilities that get exploited that are medium risk score. And it’s like medium risk score stuff actually gets exploited a lot, but it doesn’t rise to the top of the priority stack for patching, and it creates this weird attack surface. And so it’s like yet another wrinkle when a vulnerability gets adjusted from medium to high risk score. You get sort of fatigued. It’s like, didn’t we patch this already? It’s weird. Didn’t we get multiple taps on it?
Joshua Marpet (01:01:57.358): Yeah, the last thing I’ll say is that, you know, honestly, nobody ever gets to the mediums to patch them. So that’s why people chain mediums together to get through the Swiss cheese. Okay?
Paul Asadoorian (01:02:02.985): Right. Absolutely. Yeah, I know I’m sorry we’re slightly over time, but want to thank our hosts today, Josh, Vlad, and Chase. Thanks everyone for listening and watching this edition of Below the Surface. That’ll do it for this episode. We’ll see you next time.