GHOSTPORT
← Back to Dev Log

Why Open-Source Hardware Is the Only Hardware You Can Trust

You can't audit what you can't see.
March 28, 2026 • GhostPort Technologies

The FCC's March 2026 ban on foreign-made consumer routers was framed as a national security decision. Volt Typhoon. Salt Typhoon. Flax Typhoon. Chinese state-sponsored hackers had been found inside American infrastructure, using compromised networking equipment as their entry point.

The ban was the right call. But it only solved half the problem.

The Problem Isn't Where It's Made

The FCC focused on country of origin. If it's manufactured in China, it's suspect. If it's manufactured domestically or by allied nations, it's presumably safe. But this framing misses the deeper issue: closed-source hardware has the same trust problem regardless of where it's manufactured.

You can't verify what closed-source firmware does. You can't audit it. You can't inspect it. You take the manufacturer's word that it doesn't contain backdoors, telemetry, or undocumented "management" interfaces. And that word has been wrong — repeatedly.

A History of Domestic Router Backdoors

This isn't a foreign problem. American and allied manufacturers have been caught with backdoors and vulnerabilities in their router firmware for years:

  1. Arris (2015): Modems shipped with hardcoded credentials — username "technician" with a hardcoded password, plus a secondary backdoor that used passwords derived from the device's serial number. ISPs deployed millions of these. The backdoor allowed remote root access to any affected device.
  2. Netgear (2016-2023): Multiple models found with unauthenticated command injection vulnerabilities. Netgear's Nighthawk routers were found to have a hidden telnet service with hardcoded default credentials.
  3. D-Link (2013): Firmware contained a hardcoded backdoor string ("xmlset_roodkcableoj28840ybtide") that granted admin access. The string read backwards: "edit by 04882 joel backdoor." A developer literally named it.
  4. Cisco (2019): Cisco's Small Business RV Series routers had a command execution vulnerability in their web management interface that allowed authenticated attackers to run arbitrary commands with root privileges. Disclosed as CVE-2019-15271.
  5. ISP Router Firmware (ongoing): Routers provided by ISPs routinely contain carrier-mandated remote management tools (TR-069/CWMP) that allow the ISP to remotely access, reconfigure, and update your router without your knowledge or consent.
  6. The common thread: all closed-source. All unauditable.

When the firmware is a proprietary black box, finding these backdoors requires reverse engineering — which is illegal under the DMCA in many contexts. The manufacturer controls the code, the update process, and the documentation. You have no visibility into what runs on the device sitting in your living room.

What Open Source Means (And Why It Matters)

Open-source hardware and software means the design files, schematics, and source code are publicly available for anyone to inspect, modify, and distribute. In the context of a router, this means:

Auditable Code Every line of firmware is public. Security researchers can (and do) review it. Backdoors can't hide in plain sight.
No Hidden Blobs Proprietary firmware "blobs" — compiled binary code with unknown function — are identified and documented. You know what's running.
Community Review Thousands of developers worldwide review, test, and improve the code. Vulnerabilities are found and patched faster than in proprietary systems.
User Control You decide what runs on your hardware. No forced updates, no remote management, no ISP-mandated telemetry.
Documented Hardware Open hardware designs mean the PCB schematics are public. You can verify there's no hidden radio, no coprocessor phoning home.
Long-Term Support When the manufacturer stops updating firmware, the community continues. Open-source routers get security patches years after commercial end-of-life.

The Raspberry Pi 5 as a Platform

GhostPort runs on the Raspberry Pi 5. This wasn't an arbitrary choice. The Pi platform has specific properties that make it suitable for a privacy router:

ARM architecture with open documentation. The Broadcom BCM2712 SoC at the heart of the Pi 5 has publicly available documentation for its peripheral interfaces. While the GPU firmware contains some proprietary elements (an ongoing point of discussion in the open-source community), the networking stack, CPU, and I/O are well-documented and run on mainline Linux.

No wireless baseband processor. Unlike commercial routers with integrated WiFi chipsets running proprietary firmware, the Pi 5's networking is handled by external, well-documented components. The USB 3.0 and PCIe interfaces allow connection to open-source-friendly WiFi adapters.

Massive community. Over 60 million Raspberry Pi units have been sold. The developer and security community around the platform is enormous. Vulnerabilities get found and patched quickly because millions of people are running the same hardware.

American-assembled. Raspberry Pi boards are manufactured by Sony's facility in Pencoed, Wales (UK) and by approved facilities in Japan. The Raspberry Pi Foundation is a UK non-profit. While not American-made, they are produced by allied nations with no supply chain dependency on countries flagged by the FCC.

To be transparent: "American-assembled" for GhostPort means we source Pi boards from authorized distributors and assemble the complete router unit (case, storage, software, configuration) domestically. The board itself is manufactured overseas by Sony UK.

The Firmware Blob Problem

No platform is perfectly open. The Raspberry Pi includes a proprietary GPU firmware blob (the VideoCore VII firmware) that runs on the GPU during boot. This is a legitimate criticism, and we won't pretend it doesn't exist.

However, for a router application, this blob is largely irrelevant. GhostPort doesn't use the GPU for any networking, encryption, or privacy functions. All routing, DNS, VPN, and firewall operations run on the ARM CPU cores using open-source Linux kernel code. The GPU firmware handles display output — which matters if you're using GhostPort as a desktop computer, but has no role in network traffic handling.

Fully open alternatives exist (RISC-V platforms like the VisionFive 2), but they lack the Pi's ecosystem maturity, community support, and performance. We chose the pragmatic option: a platform that's open where it matters for networking and privacy, with well-documented closed components in areas that don't affect the security model.

Trust Through Transparency

The core argument for open-source hardware isn't that it's perfect. It's that when something is wrong, you can find it. Closed-source firmware has a structural incentive to hide problems. Open-source has a structural incentive to fix them.

The FCC banned foreign routers because the supply chain couldn't be trusted. But trust isn't about geography — it's about visibility. An open-source router manufactured in Wales is more trustworthy than a closed-source router manufactured in Texas, because you can verify what the Welsh router does.

The question isn't where your router was made. It's whether you can see what it's doing.

Related Articles

→ The FCC Just Signed Advertisers' Death Warrants → What a VPN Actually Does (And What It Doesn't) → Data Brokers Know More About You Than Your Doctor

A router you can actually inspect.

ghostporttechnologies.com
Open source. Open hardware. Nothing to hide.
GHOSTPORT TECHNOLOGIES • 2026 • YOUR NETWORK. YOUR RULES.
🎨
ACCENT COLOR
A+
TEXT SIZE