Banning routers won’t fix what’s already broken

The recent decision by the US to add foreign-made consumer routers to the FCC’s Covered List has ignited a debate on supply chains, geopolitics, and trust. While these are valid concerns, it is important to recognize that the ban primarily addresses future procurement decisions rather than current security risks.

Attackers do not wait for procurement cycles. Routers have become a prime target in both enterprise and home networks due to their positioning at the edge, frequent internet exposure, and lack of attention post-deployment. Our research consistently shows routers as high-risk devices with significant vulnerability density and increasing exploitation in the real world.

The focus on where a device is made overlooks the real issues that organizations need to address – how the devices are constructed, managed, and updated. The origin of a device does not guarantee its security.

Many vulnerabilities stem from common issues such as outdated software, slow patching processes, weak credentials, exposed interfaces, and long lifespans without vendor support. Banning a device does not resolve these underlying security flaws.

The larger concern lies with the existing installed base of routers in homes, offices, and remote work environments. These devices, often unpatched and unmonitored, pose a significant risk to organizations. A compromised router can lead to various malicious activities, impacting both personal and corporate data.

While the ban may reduce future risks to some extent, it does not address the current vulnerabilities that organizations face. Security is an ongoing process that requires continuous monitoring and action.

It is crucial to treat network infrastructure as an active attack surface: maintain an inventory of routers, manage their lifecycle, enforce updates, and implement security measures such as unique credentials and segmentation.

The FCC decision highlights the importance of trust and resilience in technology supply chains, but organizations should not be misled into thinking that the problem has been solved. The real work lies in addressing the root causes that make routers susceptible targets for cyberattacks.

It is time to prioritize and take action to enhance router security and protect against evolving threats.
