The FCC this week designated all consumer routers manufactured outside the US as a national security risk, banning new foreign-made models from sale. The rule catches not just TP-Link but Eero, Netgear, and Google Nest too, since they all manufacture overseas.
The move has a concrete backstory. Three Chinese nation-state groups, Volt Typhoon, Flax Typhoon, and Salt Typhoon, used compromised SOHO routers to build botnets targeting US critical infrastructure over several years. The FBI and DOJ shut down one of these botnets in 2024. The FCC's National Security Determination names all three operations explicitly as justification for the ban.
I've been running OPNsense on a fanless mini-PC as my home router since 2022. It runs on an Intel N5105 with dual NICs, 8GB RAM, and a 250GB NVMe drive. The hardware cost about $200. The software is open source and BSD-licensed. There is no cloud account in the chain, no manufacturer firmware to trust or distrust, and no update process I didn't initiate. It routes packets and does exactly what the configuration specifies.
The FCC's concern is about foreign firmware as an attack surface for nation-state actors. My concern in 2022 was simpler: I wanted to know what was on my own network without a consumer device deciding that for me. The concerns are identical, and so is the fix.
Full writeup: It Turns Out My Router Was a National Security Decision