The hidden cost and quiet vulnerabilities of cheap routers

While headlines warn about the risks of dodgy e-commerce and questionable supply chains, a quieter vulnerability has taken root in our digital infrastructure. In May, researchers at GreyNoise uncovered a stealthy backdoor campaign targeting Asus routers. These devices are common in Australian homes and small businesses.

The attack, likely state-aligned, was technically advanced but strategically ordinary. These routers aren’t outliers. They are the default target.

Australia has built its connectivity on low-cost consumer hardware issued by internet service providers, chosen for affordability over security. Vendors such as Asus and TP-Link supply millions of devices in homes that double as offices and remote access points. These devices often go unpatched and unmanaged, yet they’re trusted to sit on the edge of critical networks.

The average Australian didn’t choose his or her modem. It came bundled with the internet plan, selected by the provider for cost and convenience. But this is a national policy blind spot.

In many homes and businesses, broadband modems act as essential infrastructure, providing the front door to Australia’s connected economy. Rarely given security patches, minimally monitored and often overlooked in threat models, they are ideal targets not just for cybercriminals but for state-backed actors seeking long-term access. As noted during the 2025 ASPI Defence Conference, cyber threats today are cyber dynamite, and that dynamite may already be prepositioned across more of the country than we’d like to admit.

So how did we end up here?

It’s not that we abandoned a domestic alternative. The reality is more uncomfortable. While Australia produces capable firms and attracts international interest, these efforts have not led to a scaled industrial base or lasting market presence. Unlike the United States, Britain or North Asia, Australia never developed a consumer hardware ecosystem capable of shaping procurement norms or dominating local supply. Instead, we defaulted to what was cheapest. Over time, security was quietly pushed aside.

There are echoes here of Australia’s water policy. Take cotton in the Murray-Darling Basin: it was introduced for short-term economic gain, but placed unsustainable pressure on a fragile river system. Likewise, cheap consumer tech has saturated homes and small businesses with little thought for future cost. And when consequences emerge, as they now are, we find ourselves dependent on equipment that is difficult to replace and harder to secure.

Banning these vendors outright is tempting but unrealistic. Millions of devices are already deployed. Replacing them would carry financial and political cost, and there are few viable domestic or trusted foreign alternatives. More importantly, this is not just about specific devices; it’s about the procurement logic that enabled this exposure. Doing nothing is a strategic decision that adversaries are already exploiting.

Australia needs a policy reset, driven not by fear but by sound economic and security logic.

There are practical steps we can take. A national certification scheme for consumer-grade networking equipment could set minimum standards for patching, firmware transparency and support lifecycles. Internet service providers could be required to disclose this information and commit to automated updates as part of their licensing conditions. Procurement policies could favour secure-by-design equipment through weighted scoring or tax incentives, even when it costs more upfront.

Other countries are already moving. Britain’s Product Security and Telecommunications Infrastructure Act sets minimum standards for connected devices. Australia could lead by prioritising resilience over short-term cost.

Australia needs its ‘Slip, Slop, Slap’ moment for cyber. The ‘Act Now. Stay Secure’ campaign of the Department of Home Affairs is a good first step, but greater effort is needed to ensure it resonates. As National Cyber Security Coordinator Lieutenant General Michelle McGuinness has noted, we need something catchier to reach Australians who are fatigued by cyber messaging or feel it is too technical to act on.

There is also an accessibility challenge. Even when patches are available, many Australians simply cannot apply them. What does router patching look like for a retiree, a busy carer or someone in a rural area with limited support? When was the last time you updated your router? For most Australians, the answer is ‘never’. And that is not neglect. It may simply reflect how the system was built.

Securing our digital infrastructure will require a more inclusive approach, one that ensures no Australian is left behind simply because they lack the tools, knowledge or support to protect themselves.

We’ve normalised a digital environment where critical risk is quietly embedded in the devices we trust most and manage least. This threat is already plugged in.

If Australia wants to secure its digital future, it must start with the devices we hand out by default. Because the quietest risks often carry the loudest consequences.