Three experts from Ohio-based Finite State have commented on the US FCC’s banning of the authorisation and import of new consumer-grade routers manufactured outside the USA.

Finite State’s autonomous product security platform is built to secure connected devices, IoT and embedded systems. Its platform analyses firmware and source code to identify risks, generate SBoMs, and provide actionable security metrics. Its mission in part is to help the teams building connected devices secure every release and continuously prove it, without scaling manual effort, with automated, evidence-backed workflows.

“Effectively, the FCC would ban all new routers, because there are no domestic routers that meet that standard today,” said Matt Wyckhouse, Finite State CEO. “There’s no one who can clear the bar right now.”

He said the country where a device was manufactured did not necessarily determine the security of that product.

“There’s a pretty large global supply chain involved from chipsets to software to final assembly,” said Wyckhouse. “There are no domestic suppliers for all products involved in router manufacturing. This will definitely increase prices. Companies will have to invest in US manufacturing or retool existing operations, and that’s a major cost shift.”

Sharon Hagi, Finite State chief security officer, added: “Many organisations still lack strong governance over remote access to their business applications and SaaS platforms. As a result, these systems are often accessible from virtually any device, not just managed corporate laptops or mobile devices where security controls may be enforced. For example, employees can frequently access email, cloud storage and other sensitive resources from personal home computers using standard corporate credentials and MFA.”

He said this was a concern because the security of that access path mattered.

“A compromised home router or intermediary wifi, router or modem device between a personal computer and a corporate application can enable a man-in-the-middle attack,” he said. “In some cases, attackers may even undermine TLS protections, exposing sensitive data and credentials. Once obtained, these credentials can be used to directly target enterprise systems. This type of approach aligns with known tactics used by advanced nation state actors such as Volt Typhoon.”

And Eric Greenwald, general counsel at Finite State, said: “The biggest issue is the users’ failure to implement patches and updates issued by the OEMs and continued use of devices that have already reached end of life. The vast majority of threat actors that use routers as an attack vector rely on known vulnerabilities for which patches have long ago been issued. Nation-state attackers simply do not need to rely on supply-chain attacks to compromise routers because the ecosystem is littered with devices that are child’s play to commandeer.”

He said this definitely translated into a risk to enterprises.

“But most companies do not insist that their employees adhere to any security standards with respect to their home networks,” he said, adding that they relied on other measures to protect the traffic, such as end-point detection and encryption.

“But it still creates a risk,” he said

Finite State (finitestate.io) says it works with many router manufacturers.