In an unprecedented move, the Federal Communications Commission (FCC) has issued a sweeping order to ban foreign-made routers in the United States. This decision marks a first in the FCC's history, as it applies broadly to any router where any stage of "manufacturing, assembly, design and development" occurs outside the US. Given the global nature of router supply chains, this effectively covers nearly all routers currently available in the market.
The FCC's rationale for the ban centers on national security concerns. The commission asserts that foreign-made routers pose "unacceptable risks" to the country's cybersecurity infrastructure. However, the new rule only affects routers that have not yet received FCC authorization. All routers that were approved before the order remain authorized for sale and can continue to be restocked using existing manufacturing processes. This means that the current crop of routers on the shelves is not immediately impacted, but future models face significant hurdles.
Industry experts describe the FCC's approach as an extremely blunt instrument. William Budington, a technologist at the Electronic Frontier Foundation, characterizes the ban as "freezing the entire router market." Unlike previous FCC bans that targeted specific companies-such as last year's efforts against TP-Link-this order affects an entire industry, creating uncertainty for both manufacturers and consumers.
For people in need of a new Wi-Fi router, the ban raises difficult questions. Should consumers rush to buy their preferred models before they potentially disappear from the market, or is it wiser to hold off until the FCC clarifies which products will be allowed? Cybersecurity experts and the author of this analysis largely agree that caution is the best course of action for now.
One of the biggest challenges in understanding the ban is determining what counts as a "foreign-made" router. Router supply chains are deeply international. For example, Netgear, a US-founded and headquartered company, manufactures routers in countries including Vietnam, Thailand, Indonesia, and Taiwan. Starlink is an exception, reportedly producing its newer routers entirely in Texas. However, finding a truly homegrown router brand that manufactures exclusively in the US is rare.
The author notes no inherent issue with recommending routers manufactured overseas, as these devices have been vetted through the FCC's authorization process. Moreover, cybersecurity analyses reveal that vulnerabilities are present across all brands, not concentrated in foreign-made devices. Thomas Pace, CEO of cybersecurity firm NetRise, commented last year that although they found issues in TP-Link firmware, similar vulnerabilities exist in many other products.
Having recently tested and reviewed over 30 routers, including new Wi-Fi 7 models, the author acknowledges the appeal of the latest technology-especially given the faster speeds these devices offer. Yet, with the new ban in place, any router purchased today might become less secure or unsupported within a year.
The FCC's Public Notice accompanying the ban sheds light on why this is a concern. It states that manufacturers can continue to provide software and firmware updates for affected routers "at least until March 1, 2027." After that date, routers that fall under the ban may no longer receive vital security patches. This raises a paradoxical situation: a ban intended to enhance national security could inadvertently leave consumers with outdated and vulnerable devices.
Alan Butler, senior counsel at the Electronic Privacy Information Center, warns that limiting access to security updates "makes the problem worse, not better." Without ongoing patches, routers could become easy targets for hackers, potentially turning into liabilities rather than safeguards. While the FCC's wording allows for possible extensions beyond March 2027, the current uncertainty discourages buying new routers until more details emerge.
For those whose routers are still functioning well, waiting before purchasing a new device is advisable. If a replacement is absolutely necessary-because an older router has failed, for instance-the recommendation is to buy an older, budget-friendly model rather than jumping on the latest Wi-Fi 7 device. Experts suggest that the timeline for widespread impact is likely measured in years rather than months, so there is some leeway for cautious consumers.
Alan Butler predicts the situation will "become a mess very quickly," highlighting the complexity and potential market disruption ahead. As the FCC clarifies which manufacturers are considered foreign-made or eligible for exemptions, consumers will gain better insight into safe choices. This process may take weeks or even months.
One prominent example is TP-Link, one of the most popular router brands in the US. The company is currently under several government investigations slated for 2025. While experts generally support the FCC's goal of improving router security, they criticize the broad scope and blunt execution of the ban.
William Budington explains that many "harmless products" will be caught in the crossfire, even though routers are only one part of a much larger security challenge that includes Internet of Things (IoT) devices. The FCC cites foreign-produced routers as being "directly implicated" in notable cyberattacks such as Volt, Flax, and Salt Typhoon. These attacks do not typically seek to steal data from individual users but aim to co-opt routers as tools in wider malicious campaigns.
Alan Butler elaborates that average users often remain unaware when their routers are exploited in the background. For instance, the Salt Typhoon attack enabled hackers to access data from millions of people via internet service providers, targeting information collected through court-authorized wiretaps. Such "spray and pray" attacks use default login credentials to infiltrate vast numbers of connected devices indiscriminately.
Sergey Shykevich, threat intelligence manager at Check Point Research, describes the simplicity of these attacks: "It can be only one router out of 5,000, but that one can be a bingo." Many attackers do not need sophisticated tools or nation-state resources to succeed; default or weak credentials make infiltration easy.
Users can protect themselves by changing default router login credentials, which are distinct from Wi-Fi network names and passwords. Most routers allow users to update these settings via an app or a web portal accessed through the router's IP address. Regularly updating router firmware-either automatically or manually-is another critical security practice.
This FCC ban on foreign-made routers is unprecedented in scope. Manufacturers now have the option to apply for "Conditional Approval," and industry insiders believe many are scrambling to adapt their supply chains or seek exemptions. When the author contacted the FCC for clarification, they were directed to a "Covered List" FAQ page, which provides limited details.
Industry observers estimate that more specific information about which companies and models are banned will emerge within the next month or so. However, some experts, including Budington, speculate that router companies might prefer to wait out the ban rather than overhaul their manufacturing processes entirely.
Regardless of how the situation unfolds, this period will likely be remembered as the most chaotic chapter in the evolving story of the router ban. For consumers not urgently needing a new router, waiting a few weeks to make a more informed decision is the prudent approach.
In summary, the FCC's decision to ban foreign-made routers is a historic and wide-reaching move motivated by national security concerns but fraught with unintended consequences. While existing routers remain available and supported for now, the ban casts uncertainty over the future of the router market and the long-term security of home networks. Consumers are advised to exercise caution, maintain good security hygiene, and stay tuned for further updates as the FCC and industry stakeholders navigate this challenging transition.