September 30, 2024 | Policy Brief

Consumer Devices Made by U.S. Adversaries Introduce National Security Risks

The Removing Our Unsecure Technologies to Ensure Reliability and Security Act, or the ROUTERS Act, passed the House earlier this month, marking a step toward securing the U.S. information technology infrastructure. If passed by the Senate and signed into law, the act would require the executive branch to analyze vulnerabilities in routers made by foreign adversaries.

Sponsored by Rep. Robert Latta (R-OH), chair of the House Energy and Commerce Subcommittee on Communications and Technology, the legislation would direct the National Telecommunications and Information Administration (NTIA) to “conduct a study of the national security risks posed by consumer routers and modems,” specifically those produced by entities with ties to foreign adversaries. NTIA would deliver its report to Congress within one year of the bill’s enactment.

The bill coincides with a letter sent by Reps. John Moolenaar (R-MI) and Raja Krishnamoorthi (D-IL), chair and ranking member of the House China Select Committee, respectively, to Commerce Secretary Gina Raimondo that urges the department to investigate security risks in routers manufactured by Chinese company TP-Link. The letter warns that hackers have consistently utilized TP-Link routers due to their “unusual degree of vulnerabilities.” The letter further cites comments by a former commissioner of the Federal Communications Commission that TP-Link routers had far more vulnerabilities than routers made by other companies.

Hackers can exploit router vulnerabilities to hijack these devices and turn them into a botnet — a drone army of malicious devices. In May 2023, for example, a Chinese hacking group called Camaro Dragon used a malicious firmware implant to hijack TP-Link routers, spamming European foreign affairs entities’ websites with garbage traffic, disrupting their services for legitimate users, and disabling their websites.

Unfortunately, hackers also regularly exploit many other internet-connected devices to create botnets. Manufacturers of Internet-of-things (IoT) devices, physical devices that connect to the internet, frequently “prioritize functionality and cost-cutting over robust security features,” according to consulting firm Zinner & Co. As a result, these IoT devices too often lack built-in safeguards, and manufacturers do not regularly issue patches to fix vulnerabilities when they are discovered.

Two weeks ago, for example, the FBI dismantled a massive Chinese botnet known as Raptor Train, which was made up of routers, internet-connected cameras, DVRs, and network-attached storage devices. This botnet, originally disclosed by Black Lotus Labs, consisted of over 200,000 compromised IoT devices controlled by a Chinese state-sponsored botnet dubbed Flax Typhoon. The Department of Justice noted that the hackers used the botnet to disguise their malicious activity as routine internet traffic.

While understanding the national security risk of foreign-made routers is a useful first step, NTIA should explore the risks posed by all IoT devices manufactured by U.S. adversaries, determining if these devices are also unusually vulnerable. This will be a significant undertaking, as the total number of connected IoT devices globally may reach 18.8 billion by the end of this year. Collaborative research agreements with U.S. national laboratories, academic institutions, and product safety and security firms can multiply NTIA’s capabilities, providing the American people and their elected representatives a better understanding of the cybersecurity and national security risks of purchasing consumer technology and internet equipment from adversarial nations.

Johanna “Jo” Yang is a research and editorial associate at FDD’s Center on Cyber and Technology Innovation (CCTI), where Thomas Carroll is an intern. For more analysis from the authors and CCTI, please subscribe HERE. Follow FDD on X @FDD and @FDD_CCTI. FDD is a Washington, DC-based, nonpartisan research institute focused on national security and foreign policy.

Issues:

China Cyber

Topics:

Bob Latta, Chinese, Digital video recorder, Federal Bureau of Investigation, Federal Communications Commission, Gina Raimondo, Internet of things, John Moolenaar, National Telecommunications and Information Administration, Raja Krishnamoorthi, TP Link, U.S. Congress, United States Department of Justice, United States House Select Committee on Strategic Competition between the United States and the Chinese Communist Party, United States Senate