FCC Flushes TP-Link And All Other Foreign Made Consumer Routers
The Statement Was Immediately Followed By TP-Link Releasing Emergency Patches
The FCC has just banned the import of any and all foreign-made consumer routers, perhaps a little excessive but hard to completely disagree with. Foreign-made routers account for about 60% of the devices currently being used in American households and we are all too familiar with the frequency at which emergency patches are released to deal with newly discovered vulnerabilities. The edict does not apply to routers already being used, or that are currently in stock, but it does mean no new devices can be imported for sale. There are apparently some exceptions but they were not listed in the Reuters article nor are they specified in the FCC’s FAQ.
The timing for TP-Link releasing patches for several vulnerabilities couldn’t have been better. Four new vulnerabilities affecting TP-Link’s Archer NX router series have just been revealed and patches made available. The most egregious is a hardcoded cryptographic key, which is now known and can be used to decrypt configuration files, modify them and then encrypt them again so that they look perfectly innocent. Two of the other flaws are command injection vulnerabilities which allow attackers who have guessed your admin password to execute arbitrary commands, and the final one is a missing authentication check in the HTTP server which allows unauthenticated users access to things they really shouldn’t be able to touch. Patch ’em if you got ’em!
If you are wondering what routers are made in the US, there is only one, and the brand shouldn’t surprise you and may well amuse you; some Starlink Wi-Fi routers are assembled in Texas and are now the one and only approved device as of this moment. TP-Link is in the process of setting up manufacturing in the US, so at least the next set of vulnerabilities will be locally sourced?
It said malicious actors had exploited security gaps in foreign-made routers "to attack households, disrupt networks, enable espionage, and facilitate intellectual property theft," citing their role in major hacks like Volt and Salt Typhoon.
More Tech News From Around The Web
- After hackers hit an Iowa company, cars around the country failed to start @ Ars Technica
- Arm AGI CPU Launched Establishing Arm as a Silicon Provider @ ServeTheHome
- Citrix urges admins to patch NetScaler flaws as soon as possible @ Bleeping Computer
- LG Display starts mass-producing LTPO-like 1 Hz LCD displays for laptops @ Ars Technica
- Microslop stuffs AI photo restyling powers into OneDrive @ The Register
- Firefox now has a free built-in VPN with 50GB monthly data limit @ Bleeping Computer
- You Can Now Run MS-DOS Applications On The Apple IIe @ Hackaday
- EU broadcasters say smart TVs and voice assistants are the next gatekeepers @ The Register
- Google bumps up Q Day deadline to 2029, far sooner than previously thought @ Ars Technica
- Electric Motorcycles Don’t Have To Be Security Nightmares, But This One Was @ Hackaday
- Orbital data centers, part 1: There’s no way this is economically viable, right? @ Ars Technica
- From Zip To Nought: The Rise And Fall Of Iomega @ Hackaday
- Head-mounted VR hardware will never happen, says Neal Stephenson – who coined the term ‘metaverse’ @ The Register
- Beelink ME Pro Review A Small and Focused NAS That We Set Up with OpenClaw @ ServeTheHome
- How chemists turned bourbon waste into supercapacitors @ Ars Technica


