Security Now 1073: The FCC Bans New Consumer Routers - LinkedIn's JavaScript Bombshell
Podcast: Security Now
Hosts: Steve Gibson & Leo Laporte
Date: April 8, 2026
Episode: 1073
Main Theme:
A deep dive into the FCC’s sudden ban on new consumer routers and explosive revelations about LinkedIn’s privacy-invading JavaScript. Steve and Leo also unpack major updates in age verification, supply chain attacks, open-source security, and tech privacy.
Episode Overview
Steve Gibson and Leo Laporte dissect two major stories dominating the security world:
- The FCC’s “ban” on new foreign-manufactured consumer routers—what it really means, why it happened, and why it’s so controversial.
- LinkedIn’s massive, privacy-invasive JavaScript “super-fingerprint”—what it’s doing, why it matters, and the technical and legal ramifications.
They also cover:
- Apple’s age verification rollout
- High-profile supply chain attacks (Trivy/GitHub/Cisco)
- Cloudflare's new WordPress competitor
- Security implications of new AI models discovering vulnerabilities
The episode is laced with technical deep-dives, policy analysis, privacy concerns, and classic Security Now skepticism and humor.
Key Discussion Points & Insights
1. Apple’s Age Verification & Privacy (12:30–27:00)
- What happened: Apple’s iOS 26.4 and iPadOS 26.4 triggered mandatory age verification popups in the UK ("Sundays confirm your 18+"). This ties to new UK age-related online regulations.
- Listener reactions: Mixed. Some couldn’t verify age even as adults due to lack of credit cards/passports. Some expressed privacy and usability frustrations.
- Steve’s take:
- Apple’s approach is well-intentioned, enabling platforms to make age assertions globally and anonymously.
- Annoyance for some users is "a relatively small price we need to pay" for protecting children online.
- Points listeners to privacy.apple.com for comprehensive Apple data downloads (including account age).
"Apple is finally stepping up to this challenge. Having our platforms able to make these assertions for us globally and anonymously is the way to go."
—Steve Gibson (21:50)
2. LinkedIn's JavaScript “BrowserGate” Bombshell (30:15–73:35)
What is “BrowserGate”?
- LinkedIn deploys a 2.7MB JavaScript blob on its website, which:
- Scans user computers (not just browsers!) for over 6,000 specific browser extensions.
- Collects 48 pieces of device and system info—CPU, RAM, screen resolution, time zone, battery status, etc.
- Serializes and reversibly encrypts this data, then attaches it as a unique identifier (a “super fingerprint”) to every API request during the user’s session.
- Ships all this to LinkedIn—even if the user is a named, logged-in professional.
Why does it matter?
- Privacy: This goes far beyond traditional “pixels” or cookies—LinkedIn collects potentially sensitive data (extensions for religion, politics, neurodiversity, job hunts).
- Consent: None of this is disclosed to users; nothing in the privacy policy. No opt-out.
- Potential misuse: Identifies competitor tool usage, potentially mapping entire companies' internal software.
- Legal questions: Almost certainly violates GDPR for EU users.
“It is, in fact, rummaging around inside users’ computers… Maybe we should be asked if we consent to having it do that. That just seems like crazy behavior.”
—Steve Gibson (72:36)
Technical Details
- Runs only on Chromium-based browsers (Chrome, Edge). Firefox fares better.
- Tries to access files tied to specific browser extension IDs.
- The “super fingerprint” approach lets LinkedIn track users even as some device/browser details change.
- Grew from 38 extensions scanned in 2017, to over 6,000 by February 2026.
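A defender's-eye illustration of the probing described above, added here and not code from the show or from LinkedIn's script: a page-side monitor that counts requests to extension-resource URLs and alerts once a burst of distinct extension IDs has been probed, the kind of warning Steve asks browsers for later in the episode. It assumes the probes are fetches of chrome-extension://<id>/<file> URLs (Chromium web-accessible resources), which the summary does not spell out.

```javascript
// Added example (not code from the show or from LinkedIn): a page-side monitor that
// counts extension-probe requests and raises the alert Steve wished browsers gave.
// Assumption: probes fetch chrome-extension://<id>/<file>, Chromium's web-accessible
// resources. Firefox uses random per-install moz-extension:// hosts, one reason the
// same enumeration works far less well there.
const PROBE_SCHEMES = new Set(['chrome-extension:', 'moz-extension:']);

// Return the extension ID probed by an extension-resource URL, else null.
function probedExtensionId(url) {
  let parsed;
  try { parsed = new URL(String(url)); } catch { return null; }
  return PROBE_SCHEMES.has(parsed.protocol) && parsed.hostname ? parsed.hostname : null;
}

class ExtensionProbeMonitor {
  // Alert once when `threshold` distinct extension IDs are probed within `windowMs`.
  constructor({ threshold = 25, windowMs = 5000, onAlert = () => {} } = {}) {
    Object.assign(this, { threshold, windowMs, onAlert, events: [], alerted: false });
  }

  // Feed one request URL; returns true when it was an extension probe.
  record(url, now = Date.now()) {
    const id = probedExtensionId(url);
    if (id === null) return false;
    this.events.push({ at: now, id });
    const cutoff = now - this.windowMs;               // drop probes outside the window
    while (this.events.length && this.events[0].at < cutoff) this.events.shift();
    const distinct = this.distinctIds();
    if (!this.alerted && distinct >= this.threshold) {
      this.alerted = true;
      this.onAlert({ distinctExtensions: distinct, requests: this.events.length });
    }
    return true;
  }

  distinctIds() { return new Set(this.events.map(e => e.id)).size; }

  // Hook fetch() on a window-like object so every request the page issues
  // passes through record() before the real fetch runs. Returns the target.
  install(target = globalThis) {
    const monitor = this;
    if (typeof target.fetch === 'function') {
      const origFetch = target.fetch;
      target.fetch = function (input, init) {
        monitor.record(input instanceof URL ? input.href : (input && input.url) || input);
        return origFetch.call(this, input, init);
      };
    }
    return target;
  }
}
```

XMLHttpRequest.prototype.open can be wrapped the same way to cover requests that bypass fetch().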
Independent Confirmation
- Bleeping Computer and other researchers have verified the scanning is real and ongoing.
LinkedIn’s response:
- Claims practice is for monitoring scraping or violation of LinkedIn terms; denies usage to infer sensitive data.
- Deflects criticism, accuses reporters of being disgruntled former extension developers.
Regulatory & Policy Implications
- Steve predicts lawsuits and regulatory follow-up, especially in the EU.
- The hosts call for browsers to offer visible controls and warnings for this type of access.
“Something really bizarre is going on at Microsoft’s LinkedIn property.”
—Steve Gibson (70:57)
3. FCC Ban on New Foreign-Made Consumer Routers (119:45–163:33)
What Happened?
- On March 23, 2026, the FCC—at the direction of a White House security determination—added all foreign-manufactured consumer routers to its “covered list,” prohibiting new device approvals.
- Practically all consumer routers (Asus, Linksys, Netgear, TP-Link, Ubiquiti, etc.) are foreign-made; no significant U.S. manufacturer exists.
- The ban only applies to new models. Existing routers, and their sales, continue as before.
- Supposed rationale: supply chain and cyber risk from Chinese state-sponsored hacking (Volt Typhoon, Salt Typhoon, Flax Typhoon).
Steve & Industry Analysis
- Policy criticized as overbroad, arbitrary, and counterproductive.
- No transition period, public comment, or technical scoping.
- Existing (potentially vulnerable) routers remain in place; only future improvements are banned.
- The FCC previously handled Huawei/ZTE with much more deliberation, nuance, and aid for affected carriers.
- Policy appears to be more about U.S. industrial onshoring, not actual security ("That is not a security audit. It is industrial policy masquerading as a national security framework." —TPI report).
- Likely to freeze innovation and lead to lawsuits.
“All routers purchased by and available to U.S. consumers are manufactured elsewhere. The FCC's surprise inclusion of every consumer router to the covered list means Asus, Linksys, Netgear, Eero, TP-Link, D-Link, and Nest have all suddenly joined Huawei and ZTE. … Nothing the FCC is attempting to do will fix anything that is now broken.”
—Steve Gibson (123:51; 130:35)
Practical Implications for Consumers
- No meaningful improvement to security—real risk comes from unpatched, end-of-life devices.
- Encourages DIY routers: Steve recommends OPNsense or pfSense on fanless PCs as robust alternatives, though he notes that even these hardware platforms are made abroad.
Memorable Quote:
"This just says we’re banning any new foreign made routers. Crazy. I mean, it absolutely does nothing."
—Steve Gibson (160:11)
4. Other Major Security News
Supply Chain/Security Attacks (83:27–94:41)
- Trivy open-source scanner compromise used to attack Cisco and others; led to source code theft and AWS key compromise.
- GitHub Actions is accelerating new security features in response.
- Conclusion: Attackers now immediately exploit stolen credentials—attack windows are short; speedy response is critical.
Proton “Meet” Launch (94:41–100:33)
- Proton introduces Proton Meet: privacy-first, end-to-end encrypted audio and video conferencing.
- Framed as more private than Zoom, Google, or Microsoft (especially for metadata), though technical specifics are less clear.
Cloudflare’s “M–Dash”—A Secure, Modern WordPress Replacement (106:31–119:03)
- Written in TypeScript, serverless, fully open-source, with a security-focused, sandboxed plugin architecture.
- Designed to fix WordPress’s biggest flaw: plugin security. Each plugin runs in an isolated environment.
- MIT-licensed (unlike WordPress’s GPL), aiming to empower modern content creators and AI-generated sites.
5. AI Finding Security Flaws (73:35–79:27)
- Anthropic’s “Mythos” AI model allegedly able to autonomously discover and chain together severe vulnerabilities—including undisclosed or decades-old bugs in FreeBSD, OpenBSD, Linux, and FFmpeg.
- Mythos to be provided first only to select “good guy” companies due to offensive capabilities.
- Raises specter of a new era of automated exploit discovery and potential arms race.
“Mythos is able to chain exploits as many as six exploits. … The fact that Mythos can do it autonomously, it’s a little scary.”
—Leo Laporte (78:34)
Notable Quotes & Moments
- On LinkedIn's Privacy Invasion:
  “When a user loads the LinkedIn website, the script fires off up to 6,222 simultaneous requests, each one probing for a specific browser extension by attempting to access files on the user's file system.”
  —Steve Gibson quoting and summarizing The Next Web report (49:29)
- On the FCC Router Ban:
  "If the threat were urgent enough to justify bypassing all deliberation, one would expect the FCC to be taking emergency action on the installed base. It is not. The ban addresses only future models, making this a forward-looking regulatory action for which a deliberative process was both feasible and appropriate.”
  —Scott Wallsten, Technology Policy Institute (148:25, summarized by Steve)
- On Browser Control:
  "It would be nice if some sort of alert came up and said whoa, do you realize that the website you have just gone to has made 6,232 queries of your file system? ... We users need control over this completely out-of-control behavior."
  —Steve Gibson (65:05)
- On DIY Routers:
  "It is just not a problem any longer to get a little fanless PC and use actually OPNsense… If somebody were just starting out, start with that."
  —Steve Gibson (161:26)
Timestamps for Important Segments
| Segment | Timestamp |
|---|---|
| Show intro and lineup | 00:00–03:28 |
| Picture of the Week (path “resistor”) | 09:55–12:30 |
| Apple Age Verification news | 12:30–27:00 |
| LinkedIn JavaScript / “BrowserGate” | 30:15–73:35 |
| Anthropic Mythos AI Security model | 73:35–79:27 |
| Windows Forced Updates / “In Control” | 83:27–87:56 |
| Trivy, Cisco, GitHub supply chain woes | 87:56–94:41 |
| Proton Meet announcement | 94:41–100:33 |
| Cloudflare DNS privacy reaffirmed | 100:33–106:31 |
| Cloudflare’s M–Dash vs WordPress | 106:31–119:03 |
| FCC Router Ban—Deep Dive | 119:45–163:33 |
| DIY Routers & Final Recommendations | 161:14–163:33 |
Summary Takeaways
- The FCC’s new consumer router ban is an overbroad, ill-considered policy that will freeze innovation and do little to improve real cybersecurity. Nearly all consumer routers are now in regulatory limbo, with no meaningful “home-grown” alternatives.
- LinkedIn’s privacy-invading JavaScript bundles represent a stunning escalation in corporate tracking, breaking new ground in super-fingerprinting and software surveillance—a likely violation of GDPR, if not U.S. law.
- DIY router solutions (OPNsense, pfSense) remain a viable and increasingly attractive alternative for security-conscious users.
- Regulation and transparency are lagging far behind technical and commercial developments in both consumer devices and online platforms—individual vigilance, browser control, and community reporting are vital.
- AI-driven vulnerability discovery will change both offensive and defensive security practices, for better and for worse.
For additional technical details, code samples, and referenced research, visit GRC’s show notes or listen to the full episode.