{"id":16806,"date":"2026-04-14T09:28:34","date_gmt":"2026-04-14T16:28:34","guid":{"rendered":"https:\/\/jasonsblog.ddns.net\/?p=16806"},"modified":"2026-04-14T09:31:05","modified_gmt":"2026-04-14T16:31:05","slug":"congress-mandated-the-backdoors-that-got-hacked-and-is-trying-to-demand-more","status":"publish","type":"post","link":"https:\/\/jasonsblog.ddns.net\/index.php\/2026\/04\/14\/congress-mandated-the-backdoors-that-got-hacked-and-is-trying-to-demand-more\/","title":{"rendered":"Congress Mandated the Backdoors That Got Hacked and Is Trying to Demand More"},"content":{"rendered":"\n

The quote below is proof that they purposely sit on vulnerabilities so they can get into your services and devices. Don’t use the routers that come from your ISP, as there are solid alternatives with superior vulnerability updating you control, as well as some routers supporting opensource firmware projects. And make sure you configure your router firewall yourself, as well as securing machines that have an open port to the internet. And as general rule, setup a Wireguard VPN to your network so you don’t expose SSH or other services unnecessarily. <\/p>\n\n\n\n

\n

The vulnerabilities they exploited were not mysterious. Some had been publicly known for years, with patches available the entire time. CVE-2023-20198, a Cisco IOS XE vulnerability, carried a perfect 10.0 severity score and had a patch sitting available for over a year before telecoms applied it.<\/p>\n<\/blockquote>\n\n\n\n

And the following quote proves this is really about leaving routers vulnerable so they can be hacked by the government. <\/p>\n\n\n\n

\n

There\u2019s also a hidden expiration buried in the FCC\u2019s public notice: all currently authorized routers may continue to receive software and firmware updates only until March 1, 2027.<\/p>\n<\/blockquote>\n\n\n\n

You might find yourself needing a VPN so you can change your country of origin so you can get security updates. Like now, I like to use Fixed Float<\/a> to convert cryptocurrencies as they generally have the best rates, but they’re not allowed in the United States, so I change my VPN to another country and use the service anyway. But it’s another sign that spying on users for the mark of the beast system is being ramped up as the time is growing near.<\/p>\n\n\n\n

https:\/\/reclaimthenet.org\/congress-mandated-the-backdoors-that-got-hacked-and-is-trying-to-demand-more<\/a><\/p>\n\n\n

<\/div><\/div><\/div>\n\n\n
\"\"<\/figure>\n\n\n\n
A backdoor doesn’t check credentials. Once it exists, it’s a target for anyone with the skill to find it.<\/h5>\n\n\n\n

By Ken Macon<\/p>\n\n\n\n

Thirty years ago, Congress told every phone company in America to build a surveillance backdoor into its systems. Chinese state hackers found those exact backdoors and walked right through them, accessing the calls and messages of over a million people, including a sitting president.<\/p>\n\n\n\n

The government\u2019s response to the worst telecom breach in American history was not to hold the companies accountable, or to patch the holes, or to rethink mandatory surveillance architecture. It was to ban you from buying a foreign-made router.<\/p>\n\n\n\n

The Law That Built the Backdoor<\/strong><\/p>\n\n\n\n

The Communications Assistance for Law Enforcement Act, or CALEA, became law in 1994 under the Clinton administration. It required every telecommunications carrier to design its network so that law enforcement could intercept calls with a court order. The justification was the usual roster: drug dealers, terrorists, organized crime. The government promised that access would be controlled, warranted, and limited.<\/p>\n\n\n\n

What CALEA actually did was force private companies to build surveillance infrastructure at their own expense. Every phone network in the country had to include a mechanism for government access baked into its architecture.<\/p>\n\n\n\n

In 2005, the FCC expanded CALEA to cover broadband internet and VoIP, meaning every single internet service provider now had to build the same kind of wiretap capability into its network.<\/p>\n\n\n\n

Security researchers warned from the start that this was a structural mistake. A backdoor is a backdoor. It doesn\u2019t check credentials. It doesn\u2019t verify intentions. Once it exists, it\u2019s a target for anyone with the skill to find it.<\/p>\n\n\n\n

The FCC had the authority to make telecom companies secure these systems. It never did. The telecom companies lobbied against security requirements, and the agency that was supposed to regulate them listened to the lobbying instead.<\/p>\n\n\n\n

It Already Happened Once Before Anyone Noticed<\/strong><\/p>\n\n\n\n

In 2004 and 2005, someone exploited<\/a> the lawful intercept system built into Vodafone\u2019s network in Greece to tap the phones of the Prime Minister, members of his cabinet, senior military officials, and over 100 other targets for approximately ten months. The surveillance used the exact wiretapping infrastructure that telecom regulations required Vodafone to maintain.<\/p>\n\n\n\n

The engineer who appears to have discovered the unauthorized wiretap, Kostas Tsalikidis, Vodafone Greece\u2019s network planning manager, was found dead in his apartment on March 9, 2005, the day after his boss ordered the rogue software removed.<\/p>\n\n\n\n

His death was initially ruled a suicide, but his family disputed that conclusion for years.<\/p>\n\n\n\n

The European Court of Human Rights later ruled that Greece had failed to adequately investigate his death, finding his broken hyoid bone and other inconsistencies left critical questions unanswered.<\/p>\n\n\n\n

Greek investigators eventually linked the wiretapping operation to the US Embassy in Athens and issued an arrest warrant for an alleged NSA operative. The United States has not turned him over.<\/p>\n\n\n\n

Congress watched all of this play out. And then forced American telecoms down the exact same path anyway.<\/p>\n\n\n\n

Salt Typhoon: The Breach That Proved Everyone Right<\/strong><\/p>\n\n\n\n

Starting as early as 2022, Chinese state-sponsored hackers known as Salt Typhoon infiltrated at least nine major US telecommunications companies, including AT&T, Verizon, T-Mobile, Spectrum, Lumen, Consolidated Communications, and Windstream.<\/p>\n\n\n\n

They targeted the exact CALEA wiretap systems that Congress mandated, the portals that telecom companies maintain for law enforcement surveillance requests. Senator Mark Warner called it \u201cthe worst telecom hack in our nation\u2019s history.\u201d<\/p>\n\n\n\n

The hackers accessed metadata from over a million users in the Washington, DC area alone, including call records showing who spoke to whom, when, for how long, and from where.<\/p>\n\n\n\n

In some cases, they obtained actual audio recordings of phone calls from high-profile targets, including staff from both presidential campaigns in 2024 and phones belonging to Donald Trump and JD Vance. Deputy National Security Advisor Anne Neuberger confirmed that many of the individuals whose data was directly accessed were classified as government targets of interest.<\/p>\n\n\n\n

In at least one documented case, Salt Typhoon maintained access to a compromised telecom network for three years before anyone noticed.<\/p>\n\n\n\n

The vulnerabilities they exploited were not mysterious. Some had been publicly known for years, with patches available the entire time. CVE-2023-20198, a Cisco IOS XE vulnerability, carried a perfect 10.0 severity score and had a patch sitting available for over a year before telecoms applied it.<\/p>\n\n\n\n

CVE-2018-0171, another Cisco bug, was seven years old when the hackers walked through it. Congressional aides familiar with the investigation confirmed that patches had been issued for many of the exploited vulnerabilities, but telecom companies simply never implemented them.<\/p>\n\n\n\n

One provider\u2019s management system was protected with a basic numeric password.<\/p>\n\n\n\n

These companies hold the most sensitive communications data in the country. They failed to apply basic security patches for years. And the system Congress built gave foreign intelligence agencies a single point of failure to target.<\/p>\n\n\n\n

Volt Typhoon and Flax Typhoon: The Broader Picture<\/strong><\/p>\n\n\n\n

Salt Typhoon wasn\u2019t operating alone. Volt Typhoon, another Chinese state-sponsored group, had been sitting inside American water systems and energy grids for at least five years before anyone noticed.<\/p>\n\n\n\n

Volt Typhoon built its infrastructure on compromised Cisco RV320 and RV325 routers, Netgear ProSAFE firewalls, DrayTek Vigor routers, and Fortinet VPN appliances. SecurityScorecard found that 30% of all visible Cisco RV320 and RV325 devices were compromised in just 37 days of observation.<\/p>\n\n\n\n

Those are American-designed, American-branded routers that Cisco stopped selling in January 2020 and ended security support for by January 2025.<\/p>\n\n\n\n

Hundreds of thousands of them remain deployed across the country with known vulnerabilities that will never be patched because Cisco chose to abandon them.<\/p>\n\n\n\n

Flax Typhoon, a third Chinese operation, built a botnet of 260,000 compromised devices. The FBI found 1.2 million records of infected systems, 385,000 of them in the United States.<\/p>\n\n\n\n

The botnet was constructed from ASUS routers, TP-Link routers, Synology devices, and similar consumer hardware, exploiting 70 different known vulnerabilities dating back to 2015.<\/p>\n\n\n\n

Every single one of those bugs had been published, catalogued with CVE numbers, and had patches available. Manufacturers and device owners had simply never applied the fixes.<\/p>\n\n\n\n

The through-line across all three campaigns is identical: state-sponsored hackers exploiting known, patchable vulnerabilities in equipment that companies had abandoned and regulators had never forced anyone to secure.<\/p>\n\n\n\n

The Response: Ban Your Router<\/strong><\/p>\n\n\n\n

On March 23, 2026, the FCC added every foreign-made consumer router to its Covered List, effectively banning the import, marketing, or sale of any new router model manufactured outside the United States. FCC Chairman Brendan Carr framed this as addressing \u201can unacceptable national security risk.\u201d<\/p>\n\n\n\n

Nearly every consumer router sold in America is manufactured overseas. TP-Link, which holds somewhere between 37% and 65% of the US consumer market, depending on the estimate, manufactures in Vietnam. Netgear builds in Taiwan, Thailand, and Vietnam. ASUS builds in Taiwan and China. Google Nest, Amazon Eero, and virtually every other consumer brand assemble their products abroad. With the exception of some newer Starlink routers, an estimated 60% of routers in the US are manufactured in China alone.<\/p>\n\n\n\n

The ban doesn\u2019t affect routers already on store shelves or in your home. But new models can\u2019t receive FCC authorization without a \u201cConditional Approval\u201d that requires manufacturers to submit detailed plans to establish or expand US manufacturing. That approval lasts up to 18 months.<\/p>\n\n\n\n

Industrial estimates put the timeline for building a purpose-built electronics assembly plant at 15 to 40 months, and that\u2019s just the assembly line. The Wi-Fi 7 chips inside modern routers come from MediaTek and Qualcomm, designed in the US or Taiwan but fabricated at TSMC plants in Taiwan. Nobody in the United States manufactures router chips in the relevant volumes.<\/p>\n\n\n\n

\u201cMade in America\u201d router manufacturing means shipping foreign components to a US address and snapping them together domestically, then charging significantly more for the privilege.<\/p>\n\n\n\n

There\u2019s also a hidden expiration buried in the FCC\u2019s public notice: all currently authorized routers may continue to receive software and firmware updates only until March 1, 2027.<\/p>\n\n\n\n

After that date, a router that can\u2019t update its firmware becomes a security liability, exactly the kind of unpatched device that Volt Typhoon and Flax Typhoon exploited to build their botnets in the first place.<\/p>\n\n\n\n

Follow the Money<\/strong><\/p>\n\n\n\n

Here is where the story gets uncomfortable.<\/p>\n\n\n\n

TP-Link has six entries on CISA\u2019s Known Exploited Vulnerabilities list. Cisco has 86. The attacks the FCC cited to justify the router ban, Salt Typhoon, Volt Typhoon, and Flax Typhoon, were carried out primarily through American-made equipment: Cisco routers, Netgear firewalls, and Fortinet VPN appliances.<\/p>\n\n\n\n

The surveillance backdoors that Congress forced telecom companies to build were compromised through Cisco infrastructure. The foreign-made consumer routers now being banned were not the primary attack vector.<\/p>\n\n\n\n

Wall Street understood this immediately. Netgear\u2019s stock surged as much as 16% on the announcement, not because Netgear routers are more secure (they are manufactured in the same countries as everyone else), but because the market read the ban as eliminating competition.<\/p>\n\n\n\n

Budget routers from TP-Link, the ones that cost consumers $40 to $80, are about to either disappear or spike in price. The companies positioned to fill that vacuum are the ones with US headquarters and lobbyists in Washington.<\/p>\n\n\n\n

The FCC ran an almost identical play with drones. In December 2025, it added foreign-made drone components to the Covered List. DJI, which controlled roughly 96% of the US consumer drone market, was completely blocked. A few months later, the FCC granted exceptions to four drone models, all from non-Chinese companies. The drone market is now in a supply crisis.<\/p>\n\n\n\n

The telecom sector spent $585.7 million on lobbying in 2024. It got what it paid for: no accountability for its own security failures and a ban on the cheap competition that threatened its margins.<\/p>\n\n\n\n

The congressman who sponsored the ROUTERS Act<\/a> that laid the groundwork for the ban, Bob Latta, has taken over $320,000 from the communications sector, with AT&T, Verizon, Comcast, and NCTA among his top donors. Latta has also introduced legislation to block net neutrality and ban municipal broadband, both of which directly benefit those same donors.<\/p>\n\n\n\n

Kill the Fix, Then Ban the Competition<\/strong><\/p>\n\n\n\n

The timeline tells the real story.<\/p>\n\n\n\n

In November 2025, the FCC voted two-to-one to rescind the cybersecurity rules that had been adopted specifically because of Salt Typhoon.<\/p>\n\n\n\n

Those rules, put in place during the Biden administration, would have required telecom carriers to create and implement cybersecurity risk-management plans, submit annual FCC certifications proving compliance, and treat network cybersecurity as a legal obligation. The rules were the only concrete federal regulatory action taken in response to the breach.<\/p>\n\n\n\n

FCC Commissioner Anna Gomez, the sole dissenting vote, called the rollback \u201ca gift to the CCP\u201d that would \u201cleave Americans less protected than they were the day the Salt Typhoon breach was discovered.\u201d<\/p>\n\n\n\n

She warned that \u201cif voluntary cooperation were enough, we would not be sitting here today in the wake of Salt Typhoon.\u201d Senator Maria Cantwell accused Carr of reversing the rules after \u201cheavy lobbying from the very telecommunications carriers whose networks were breached by Chinese hackers.\u201d<\/p>\n\n\n\n

Cantwell had demanded that CEOs at AT&T and Verizon document how they were fixing the vulnerabilities that Salt Typhoon exploited. Neither company provided the information.<\/p>\n\n\n\n

Four months after gutting the cybersecurity rules that would have forced carriers to patch their Cisco equipment and secure their networks, Carr banned foreign routers, citing Salt Typhoon as the justification.<\/p>\n\n\n\n

He killed the fix. He waited four months. Then he replaced it with a ban on cheap competition for the companies whose lobbying got the fix killed in the first place.<\/p>\n\n\n\n

What Security Would Actually Look Like<\/strong><\/p>\n\n\n\n

If the FCC actually cared about router security, the solutions are well understood and have been for years. Mandatory firmware update requirements. Legal liability for manufacturers who abandon devices while customers are still using them. Right-to-repair protections that let people maintain their own equipment. Support for open-source firmware projects like OpenWRT that provide community-driven security updates long after manufacturers walk away.<\/p>\n\n\n\n

Cisco stopped selling the RV320 and RV325 in January 2020 and ended security support by January 2025, while hundreds of thousands of those routers remain in active use across the country, with Chinese hackers walking through them.<\/p>\n\n\n\n

That is an accountability problem, not a country-of-origin problem. The FCC\u2019s Covered List grows every year. It never adds accountability for products that actually got hacked.<\/p>\n\n\n\n

Genuine security would mean treating the problem where it exists: in unpatched vulnerabilities, abandoned hardware, and a telecom industry that lobbies against every security requirement while pocketing the profits from infrastructure it refuses to maintain. Banning foreign routers does nothing about any of that. It removes consumer choice, eliminates price competition, and concentrates more market power in the hands of companies with Washington lobbyists.<\/p>\n\n\n\n

The Pattern<\/strong><\/p>\n\n\n\n

The government mandated surveillance backdoors. Those backdoors got exploited by foreign intelligence services. The government refused to enforce security on the infrastructure it required companies to build. The regulators who were supposed to hold the industry accountable went to work for the industry instead. When the inevitable breach happened, the response protected telecom profits and restricted consumer choice rather than addressing a single root cause.<\/p>\n\n\n\n

The FCC\u2019s router ban is security theater, no different from the TSA, which costs taxpayers billions annually, has never caught a single terrorist, and once failed 95% of its own weapons screening tests. The ban creates the appearance of action while the actual vulnerabilities, mandatory surveillance backdoors, unpatched enterprise equipment, and an industry accountable to no one, remain completely untouched.<\/p>\n\n\n\n

Your security is not going to come from the FCC or any other agency that has spent decades serving the industry it supposedly regulates. It comes from taking ownership of your own equipment, keeping your firmware updated, checking whether your router has reached end-of-life, and considering open-source alternatives that get security updates from a community with no incentive to abandon you.<\/p>\n\n\n\n

The people who built the backdoor that got hacked are now telling you which routers you\u2019re allowed to buy. That should tell you everything about whose security they\u2019re actually protecting.<\/p>\n\n\n\n

The Next Backdoor Is Already Being Built<\/strong><\/p>\n\n\n\n

Salt Typhoon should have killed the encryption backdoor debate permanently. It didn\u2019t. While Chinese hackers were still sitting inside American telecom networks exploiting government-mandated wiretap infrastructure, lawmakers on both sides of the Atlantic were busy drafting legislation that would repeat exactly the same mistake with your private messages.<\/p>\n\n\n\n

The EARN IT Act,<\/a> introduced three times in the US Congress since 2020, doesn\u2019t mention the word \u201cencryption\u201d more than once. It doesn\u2019t need to. The bill strips Section 230 liability protections from platforms that can\u2019t demonstrate they\u2019re scanning for child abuse material. End-to-end encrypted services, by definition, cannot scan content they can\u2019t see. The bill forces platforms into an impossible choice: break encryption by scanning messages before they\u2019re sent, abandon encryption entirely, or accept ruinous legal liability.<\/p>\n\n\n\n

Johns Hopkins cryptographer Matthew Green called it \u201ca direct attack on end-to-end encryption\u201d that makes encryption \u201ccommercially infeasible for major providers to deploy.\u201d<\/p>\n\n\n\n

The bill has failed to pass three times, but its legislative language sits ready for reintroduction in any future session, and each version has attracted more co-sponsors than the last.<\/p>\n\n\n\n

Across the Atlantic, the EU\u2019s proposed regulation, widely known as Chat Control<\/a>, has spent four years attempting to mandate mass scanning of private messages, including on encrypted platforms like Signal and WhatsApp.<\/p>\n\n\n\n

The original proposal would have required client-side scanning, where messages are analyzed on your device before encryption activates, a technical workaround that preserves the appearance of end-to-end encryption while rendering it meaningless.<\/p>\n\n\n\n

Sound familiar? That\u2019s the same architectural trick that made CALEA wiretap systems vulnerable to Salt Typhoon: build a point of access before the security layer kicks in, then act surprised when someone other than the intended user finds it.<\/p>\n\n\n\n

The EU Parliament voted in late March 2026 to reject extending the temporary derogation that allowed voluntary mass scanning of private messages, and has pushed for targeted surveillance with judicial warrants rather than indiscriminate scanning. But the push is still going.<\/p>\n\n\n\n

Trilogue negotiations between the Parliament, Commission, and Council resume in May, with a target deal by mid-2026. The Council and Commission still want broad scanning powers.<\/p>\n\n\n\n

The EU\u2019s own legal service warned that the proposal risks violating Charter rights on privacy and data protection through \u201cgeneralised automated and systemic screening surveillance.\u201d Even the European Court of Human Rights ruled in February 2024 that requiring degraded end-to-end encryption \u201ccannot be regarded as necessary in a democratic society.\u201d<\/p>\n\n\n\n

None of this seems to matter to the officials pushing these proposals. They use the same playbook every time: wrap the surveillance mandate in a cause nobody can oppose (protecting children, stopping terrorism, fighting crime), promise the access will be controlled and limited, and dismiss security warnings as theoretical. CALEA was theoretical too, until Salt Typhoon proved it wasn\u2019t.<\/p>\n\n\n\n

The technical reality has not changed since 1994. A backdoor is a backdoor. Client-side scanning is a backdoor. A \u201clawful intercept\u201d system is a backdoor. Mandatory decryption capability is a backdoor. Every one of these creates a target that skilled adversaries will eventually find and exploit.<\/p>\n\n\n\n

The only question is how long it takes and how much damage occurs before someone notices. Salt Typhoon\u2019s answer was three years of undetected access to the communications of a million Americans.<\/p>\n\n\n\n

The Greek wiretapping scandal\u2019s answer was ten months of surveillance on a country\u2019s entire political leadership, and a dead engineer.<\/p>\n\n\n\n

If the EARN IT Act passes, or if Chat Control mandates client-side scanning, we will be having this exact conversation again in five or ten years, except the compromised systems will be messaging platforms used by billions of people rather than telecom networks.<\/p>\n\n\n\n

The metadata exposed won\u2019t just be call records. It will be the full content of private conversations, group chats, photos, files, and everything else people share in spaces they believe are private. The attack surface will be orders of magnitude larger, and the consequences will be proportionally worse.<\/p>\n\n\n\n

The people demanding these backdoors are the same people, sometimes literally the same individuals, who built the surveillance infrastructure that just got comprehensively hacked by a foreign government.<\/p>\n\n\n\n

There is no backdoor that only lets in good guys and keeps out bad guys. Salt Typhoon proved it. The question is whether anyone in a position of power is willing to learn the lesson before it has to be taught again.<\/p>\n","protected":false},"excerpt":{"rendered":"

The quote below is proof that they purposely sit on vulnerabilities so they can get into your services and devices. Don’t use the routers that come from your ISP, as there are solid alternatives with superior vulnerability updating you control, as well as some routers supporting opensource firmware projects. And make sure you configure your […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,7],"tags":[],"class_list":["post-16806","post","type-post","status-publish","format-standard","hentry","category-tech","category-world"],"blocksy_meta":[],"featured_image_src":null,"author_info":{"display_name":"Jason","author_link":"https:\/\/jasonsblog.ddns.net\/index.php\/author\/jturning\/"},"_links":{"self":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/16806","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/comments?post=16806"}],"version-history":[{"count":3,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/16806\/revisions"}],"predecessor-version":[{"id":16810,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/16806\/revisions\/16810"}],"wp:attachment":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/media?parent=16806"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/categories?post=16806"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/tags?post=16806"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}