NewsTechnical

SN 1073: The FCC Bans New Consumer Routers - LinkedIn's JavaScript Bombshell

Security Now (Audio)2h 52m

Steve Gibson analyzes the FCC's ban on all new foreign-made consumer routers, explaining why it's arbitrary and ineffective. The show also covers LinkedIn's 2.7MB JavaScript surveillance code that scans users' computers for over 6,000 browser extensions, and touches on Apple's new age verification requirements in the UK.

Summary

The main focus is an extensive analysis of the FCC's sudden ban on all new consumer routers manufactured outside the US. Gibson explains how this ban is fundamentally flawed because virtually all consumer routers are manufactured overseas, even those from American companies like Netgear and Eero. The ban only applies to new models while allowing existing 'vulnerable' routers to continue being sold, making it ineffective for actual security. Gibson contrasts this with the deliberative, targeted approach used for the Huawei/ZTE ban in 2019-2022, which followed proper procedures, provided transition funding, and was legally durable. The current ban was implemented in just three days without public comment or analysis. The show also examines LinkedIn's massive JavaScript surveillance operation that downloads 2.7MB of code to scan users' systems for over 6,000 specific browser extensions and collect 48 hardware characteristics. This data is encrypted and sent to LinkedIn servers, potentially violating EU privacy laws. Gibson explains how this differs from traditional fingerprinting by preserving individual data points rather than hashing them. Other topics include Apple's age verification rollout in the UK following new regulations, Microsoft forcing Windows 11 upgrades, the Trivi supply chain attack affecting Cisco, and Cloudflare's new WordPress replacement called M-Dash that promises better security through sandboxed plugins.

About this episode

<p>The FCC has banned all new consumer routers made outside the US, leaving networks stuck with aging, insecure hardware while blocking innovation. Find out why this sweeping move is raising eyebrows and lawsuits—and why it makes zero sense for cybersecurity.</p><ul> <li>Apple's 26.4 age queries catches many by surprise.</li> <li>LinkedIn's 2.7 MB of privacy-invading javascript.</li> <li>Microsoft starts forcing Win11 24H2 to 25H2.</li> <li>Cisco loses source code to the Trivy supply-chain mess.</li> <li>Proton introduces privacy-first voice and video "Meet."</li> <li>GitHub to fix lagging security of its Actions feature.</li> <li>Cloudflare reaffirms the privacy of its 1.1.1.1 DNS.</li> <li>Cloudflare uses AI to re-code better secure Wordpress.</li> <li>The FCC drops a ban on all new consumer-grade routers.</li></ul> <p>Show Notes - <a href="https://www.grc.com/sn/SN-1073-Notes.pdf">https://www.grc.com/sn/SN-1073-Notes.pdf</a></p> <p><strong>Hosts:</strong> <a href="https://twit.tv/people/steve-gibson">Steve Gibson</a> and <a href="https://twit.tv/people/leo-laporte">Leo Laporte</a></p> <p>Download or subscribe to <em>Security Now</em> at <a href="https://twit.tv/shows/security-now">https://twit.tv/shows/security-now</a>.</p> <p>You can submit a question to <em>Security Now</em> at the <a href="https://www.grc.com/feedback.htm" target="_blank">GRC Feedback Page</a>.</p> <p>For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: <a href="https://www.grc.com/securitynow.htm" target="_blank">grc.com</a>, also the home of the best disk maintenance and recovery utility ever written <a href="https://www.grc.com/sr/spinrite.htm" target="_blank">Spinrite 6</a>.</p> <p><strong>Join Club TWiT for Ad-Free Podcasts!</strong><br /> Support what you love and get ad-free audio <em>and</em> video feeds, a members-only Discord, and exclusive content. Join today: <a href="https://twit.tv/clubtwit" rel="payment">https://twit.tv/clubtwit</a></p> <p><strong>Sponsors:</strong><ul> <li><a href="http://meter.com/securitynow" rel="sponsored" target="_blank">meter.com/securitynow</a></li> <li><a href="http://zscaler.com/security" rel="sponsored" target="_blank">zscaler.com/security</a></li> <li><a href="https://material.security" rel="sponsored" target="_blank">material.security</a></li> <li><a href="http://bitwarden.com/twit" rel="sponsored" target="_blank">bitwarden.com/twit</a></li> <li><a href="http://hoxhunt.com/securitynow" rel="sponsored" target="_blank">hoxhunt.com/securitynow</a></li> </ul></p>

Key Insights

  • The FCC banned all new foreign-made consumer routers despite virtually no domestic alternatives existing, making the ban practically meaningless
  • LinkedIn deploys 2.7MB of JavaScript code that scans users' computers for over 6,000 specific browser extensions without disclosure in their privacy policy
  • LinkedIn's scanning expanded from 38 extensions in 2017 to over 6,000 by February 2026, representing a 1,252% increase in two years
  • The FCC's router ban was implemented in three days without public comment, contrasting sharply with the deliberative two-year process for the Huawei/ZTE ban
  • LinkedIn's surveillance system creates 'super fingerprints' by encrypting data instead of hashing it, allowing individual characteristics to remain recoverable
  • The router vulnerabilities exploited by Chinese hacking groups were primarily due to discontinued security updates and weak credentials, not manufacturing origin
  • Apple's age verification system in the UK can verify accounts older than 18 years automatically, but struggles with users lacking traditional identification methods
  • Microsoft is forcing Windows 11 upgrades from 24H2 to 25H2 using 'machine learning-based intelligent rollout' for unmanaged devices
  • The Trivi supply chain attack affected major companies including Cisco, leading to theft of source code and AWS credentials from hundreds of GitHub repositories
  • Anthropic's new Mythos AI model can autonomously find and exploit vulnerabilities, including discovering bugs that have existed for 25+ years
  • Cloudflare's M-Dash WordPress replacement uses sandboxed plugins running in isolated workers to solve WordPress's fundamental security architecture problems
  • The FCC router ban treats devices from all countries identically, making no distinction between routers from Finland versus China
  • LinkedIn's surveillance includes scanning for extensions related to religious practices, political orientation, neurodivergent conditions, and job searching tools
  • The only widely cited exception to foreign router manufacturing is some SpaceX Starlink routers allegedly made in Texas
  • IoT devices inside home networks pose greater security risks than router country of origin, as they maintain persistent connections to foreign servers

Topics

FCC Router BanLinkedIn JavaScript SurveillanceApple Age VerificationCybersecurity VulnerabilitiesWordPress Security

Transcript

It's time for Security Now. Steve Gibson is here, amazed at the large privacy-invading JavaScript blob LinkedIn is forcing on people. We'll talk about that. And what does Steve think of the FCC router ban? Hmm. That's coming up next on Security Now. Podcasts you love. From people you trust. This is Twit. This is Security Now with Steve Gibson, episode 1073, recorded Tuesday, April 7th, 2026. The FCC bans new consumer routers. It's time for Security Now, the show where we cover the latest security, privacy, and other stuff with this guy right here, Mr. Steve Gibson. It is true, my friend. It is true. It is, once again, Tuesday. Yeah. How did that happen? Yeah. Well, I'm here.…

Full transcript available for MurmurCast members

Sign Up to Access

More from Security Now (Audio)

Get AI summaries like this delivered to your inbox daily

Get AI summaries delivered to your inbox

MurmurCast summarizes your YouTube channels, podcasts, and newsletters into one daily email digest.