The FCC has announced a ban on the importation of new foreign-made consumer routers, citing severe risks to national security and critical infrastructure. New models will be prohibited from the U.S. market unless they receive specific conditional approval from federal agencies after a rigorous safety determination.

The Federal Communications Commission recently declared that new consumer-grade routers manufactured abroad will no longer be allowed into the United States due to significant cybersecurity concerns. FCC Chairman Brendan Carr emphasized that this measure is necessary to protect the domestic communications networks that modern society depends on. This policy follows an official determination from executive branch agencies stating that these devices create vulnerabilities that could disrupt the economy and national defense. Currently, only a small number of specific aviation and radio systems have bypassed these restrictions, while American-made products like Starlink equipment remain unaffected.

According to the official determination, foreign routers are viewed as primary targets for both state-sponsored and independent hackers who exploit security flaws to infiltrate American homes and businesses. These compromised devices are often used to build large botnets capable of launching massive cyberattacks, stealing intellectual property, or conducting wide-scale espionage. By controlling these routers, adversaries can gain a persistent foothold in networks, allowing them to pivot toward more sensitive targets within the nation's critical infrastructure.

Specific threat groups associated with foreign interests, such as Volt Typhoon and Salt Typhoon, have already been observed utilizing these hardware vulnerabilities to target energy, water, and transportation sectors. Government reports indicate that these actors use the routers as proxies to hide their activities and maintain long-term access to vital systems. Other sophisticated operations have used similar hardware to coordinate evasive password-cracking attacks, proving that unsecure routers serve as ideal launching pads for broader digital warfare.

Despite the ban on new imports, the update to the covered list does not require individual consumers to stop using routers they already own. Retailers are also permitted to continue selling and importing existing models that received FCC authorization prior to this new mandate. The policy is specifically aimed at preventing the introduction of new, unverified hardware that could further compromise the integrity of the American digital supply chain.

Routers remain a high-value target for intelligence agencies and cybercriminals because they manage all incoming and outgoing internet traffic for a household or office. Access to these devices allows for seamless data exfiltration and the delivery of malware directly to connected users. While the current focus is on foreign threats, historical reports have suggested that various global powers have sought to manipulate router hardware for surveillance purposes, highlighting the long-standing security challenges inherent in networking equipment.

Source: https://www.fcc.gov/document/fcc-updates-covered-list-include-foreign-made-consumer-routers