FCC Softens Ban on Foreign-Made Routers

FCC Softens Ban on Foreign-Made Routers

Newsletter Sign-UpNewsletter Sign-UpCybersecurity TopicsRelated TopicsApplication SecurityCybersecurity CareersCloud SecurityCyber RiskCyberattacks & Data BreachesCybersecurity AnalyticsCybersecurity OperationsData PrivacyEndpoint SecurityICS/OT SecurityIdentity & Access Mgmt SecurityInsider ThreatsIoTMobile SecurityPerimeterPhysical SecurityRemote WorkforceThreat IntelligenceVulnerabilities & ThreatsRecent in Cybersecurity TopicsEndpoint SecurityChina's Webworm Uses Discord, Microsoft Graphs to Hack EU GovernmentsChina's Webworm Uses Discord, Microsoft Graphs to Hack EU GovernmentsbyAlexander CulafiMay 22, 20264 Min ReadApplication SecurityGitHub Confirms Breach, 4K Internal Repos StolenGitHub Confirms Breach, 4K Internal Repos StolenbyAlexander CulafiMay 20, 20263 Min ReadWorld Related TopicsDR GlobalMiddle East & AfricaAsia PacificLatin AmericaSee AllThe EdgeDR TechnologyEventsRelated TopicsUpcoming EventsPodcastsWebinarsSEE ALLResourcesRelated TopicsResource LibraryNewslettersPodcastsReportsVideosWebinarsWhite Papers Partner PerspectivesDark Reading Resource LibraryEndpoint SecurityCyber RiskThreat IntelligenceRemote WorkforceNewsFCC Softens Ban on Foreign-Made RoutersThe Federal Communications Commission eased some restrictions and pushed back deadlines for foreign router manufacturers, but the ban is still in place.Jai Vijayan,Contributing WriterMay 11, 20263 Min ReadSource: Casezy idea via ShutterstockThe Federal Communications Commission (FCC) has eased some of its recent restrictions on foreign-made consumer routers and will now allow vendors of these products to continue issuing software and firmware updates for already-deployed devices in the US through at least January 2029.The decision modifies a March 2026 FCC ruling that prohibits foreign manufacturers from selling new consumer router models in the US, except for those the agency had already approved. The FCC cited national security concerns as its primary justification for adding foreign-made small office and home office routers to its list of prohibited equipment and noted how adversaries, including nation-state groups, have used routers to facilitate attacks against US organizations.A Major Reprieve for Router Owners?Under the original FCC ruling, foreign manufacturers were permitted to provide only limited maintenance and security patches to US customers through March 2027.Related:China's Webworm Uses Discord, Microsoft Graphs to Hack EU GovernmentsIn a public note on May 8, the FCC extended that deadline to at least January 2029 and also expanded the scope of permissible updates. The FCC will now allow foreign manufacturers to provide not just minor security fixes and changes, but also more major software and firmware updates that could affect router functionality, which previously required additional FCC review. The agency described the revisions as intended to ensure the continued safety of already deployed foreign-made consumer routers in the US.The agency's decision is a major reprieve for the millions of US consumers and small and medium-sized businesses currently using the affected class of devices, because it buys them more time to find alternatives. Analysts have noted how almost all consumer grade routers currently available in the US are made by foreign manufactuers. Infosec professionals have expressed concern over how the FCC's ban would essentially leave users of these devices with no choice but to continue using aging and unsupported devices for the foreseeable future, ironically making them more vulnerable to attacks and compromise, not less. Many have also noted how the real issues with router security are not really about where the devices are manufactured but more about operational risks, such as using default passwords and configurations, and not keeping up with security patches."The FCC likely issued this revision in response to the operational realities of network security and the slow pace of equipment replacement," says Jason Soroko, senior fellow at Sectigo. "Replacing millions of embedded devices across national infrastructure requires immense time and capital, and abandoning existing systems to a completely unpatched state would create an immediate vulnerability."Related:VoidStealer Malware Darts Past Google Chrome's EncryptionPragmatic Compromise for FCC BanThe FCC's adjusted policy appears to be a pragmatic compromise. Permitting vendors to issue vital security patches and compatibility updates acknowledges that an unpatched router presents a more urgent cybersecurity threat than the broader risks associated with the hardware origins, Soroko notes.While the extension through 2029 by itself does not significantly alter the mandate prohibiting import of foreign-made consumer routers, it does give users more breathing space. "This waiver significantly alleviates the most pressing fears tied to the initial ban by preventing a sudden and dangerous security vacuum," Soroko says.Shane Barney, chief information security officer (CISO) at Keeper Security, urges organizations using the affected class of devices to keep the FCC's latest revision in perspective. A hard prohibition on updates would have left already-deployed devices without a path to receive security patches or vulnerability fixes and put vendors and end users in an untenable position. Fron that standpoint, he says, "extending the waiver through January 2029 is the more defensible call." Related:Silver Fox Springs Tax-Themed Attacks on Orgs in India, RussiaBut organizations should be clear-eyed about what this decision does and does not accomplish, Barney says. The revision alleviates concerns about already deployed foreign-made routers being frozen in place, unable to receive critical updates. However, it does not resolve the underlying concern about foreign-manufactured hardware operating in sensitive network environments. "It shouldn't give enterprises a false sense that the broader risk calculus has changed. The threat surface those devices represents remain," he says. "The right response to this revision is the same as it was before: enforce zero-trust principles, require strong identity verification, apply least-privilege access and treat every remote connection as potentially hostile, regardless of what hardware it originates from."About the AuthorJai VijayanContributing WriterIllinois-based Jai Vijayan is a veteran, award-winning technology journalist with more than 25 years of experience covering cybersecurity. His information security reporting has explored everything from ransomware, nation-state threats, and identity security to AI risk, critical infrastructure protection, software supply chain security, cloud security and emerging enterprise technologies. Over the course of his career, Jai has written news stories, feature articles, survey reports, white papers, and e-books for enterprise and technology audiences. He has also moderated panel discussions and executive roundtables featuring CISOs, security researchers, and industry leaders. Jai previously served as senior editor at Computerworld, where he covered information security and data-privacy issues. His work has also appeared in CSO Online, InformationWeek, The Christian Science Monitor Passcode, The Economic Times, and other publications.His work has earned multiple industry honors, including a Joint ASBPE Excellence Award for Best Coverage of Government IT, and a Joint Jesse H. Neal Award for wireless LAN security coverage. Jai holds a Master’s degree in statistics from Bangalore University, and studied broadcasting and electronic communication at Marquette University in Milwaukee. See more from Jai VijayanWant more Dark Reading stories in your Google search results?Add Us NowMore InsightsIndustry ReportsHow Organizations Are Managing Incident ResponseHow Enterprises Are Developing Secure ApplicationsInside RSAC 2026: security leaders reveal the risks redefining your defense strategyHow Enterprises Are Harnessing Emerging Technologies in CybersecurityDitch the Data Center: Understanding Flexible Cloud Infrastructure Security ManagementAccess More ResearchWebinarsBuild vs. Buy: The Hidden Cost of Building Your Own AI Security StackDefending in the Shadow Era: When the CVE Feed Goes DarkBuilding SecOps That Make the Most of Every DollarAI-Powered Cybersecurity for Resource-Constrained OrganizationsAI-Powered Credential Security: Intelligence Without ExposureMore WebinarsEditor's ChoiceThreat IntelligenceFrom Stuxnet to ChatGPT: 20 News Events That Shaped CyberFrom Stuxnet to ChatGPT: 20 News Events That Shaped CyberbyDark Reading Editorial TeamMay 6, 202631 Min ReadCyber RiskPhysical Cargo Theft Gets a Boost From CybercriminalsPhysical Cargo Theft Gets a Boost From CybercriminalsbyRobert LemosMay 4, 20265 Min ReadWant more Dark Reading stories in your Google search results?Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.SubscribeRSAC 2026: key news & insightsAt RSAC 2026, Dark Reading captured critical intelligence on AI, new attack methods, geopolitics, and much moreGet Your RecapWebinarsBuild vs. Buy: The Hidden Cost of Building Your Own AI Security StackThurs, June 25, 2026, at 1pm ESTDefending in the Shadow Era: When the CVE Feed Goes DarkTues, June 16, 2026 at 1pm ESTBuilding SecOps That Make the Most of Every DollarThurs, July 9, 2026 at 1pm ESTAI-Powered Credential Security: Intelligence Without ExposureWed, June 17, 2026, at 1pm ESTAI-Powered Cybersecurity for Resource-Constrained OrganizationsThurs, June 18, 2026, at 1pm ESTMore WebinarsBlack Hat USA | Mandalay Bay, Las VegasThe premier cybersecurity event of the year returns to Mandalay Bay with a re‑engineered, six‑day program built to ignite innovation, push boundaries, and bring the global security community together like never before. Use code: DARKREADING to save $200 on a