The US Federal Communications Commission (FCC) has imposed a ban on all new routers manufactured overseas being imported into and sold within the United States.
Foreign-made routers added to FCC Covered List
The move follows a determination by a White House-led interagency group that consumer-grade routers produced outside the United States pose what officials described as an “unacceptable risk” to national security and public safety.
Under the decision, all foreign-made consumer routers have been added to the FCC’s Covered List, a regulatory mechanism that prevents certain equipment from receiving authorization required for sale in the US. Without that approval, new models cannot enter the market.
CISA encourages organizations to incorporate the Covered List into their risk management analysis for regulatory compliance.
“This announcement from the FCC raises many unanswered questions, a notable one being the fact that essentially no consumer-grade routers are manufactured domestically in the US,” Ryan McConechy, Principal Security Architect at Barrier Networks, told Help Net Security.
“Many of the major router manufacturers, including American companies like Cisco, assemble their products in countries like Taiwan and Vietnam, and a blanket ban like this could cause huge disruption.”
The findings point to concerns around supply chain exposure and cybersecurity threats. Authorities said foreign-produced routers could introduce vulnerabilities that disrupt infrastructure, the economy, and defense systems.
Shifting production poses long-term challenges
“Moving large manufacturing operations into new countries is a task that can take years and may not even be viable if costs prove too high, not to mention the lack of wider regional supply chains that manufacturing industries may be dependent on and which are often impossible to shift. At best, and in the short term, basic assembly of routers could move to the US.”
Officials linked these risks to past cyber operations, noting that foreign-made routers have been exploited in attacks involving espionage, intellectual property theft, and network disruption.
“While this ban seems reasonable from some perspectives, given heightened geopolitical tensions and the influence foreign nations have over their technology sectors, at no stage does it fundamentally address the underlying security allegations about foreign-made routers.”
“Without a wholesale shift of entire supply chains to the US, backdoors and spyware can still be integrated into networking technology, and security vulnerabilities will exist in router products regardless of where they’re manufactured.”
“This latter point is key, because most prior attacks on routers and networking technology have involved this type of vulnerability. Rather than being the result of coordinated state-level espionage, much of the risk around routers arises from basic problems, like manufacturers and end users failing to update firmware regularly, and firmware running on exploitable and outdated platforms,” added McConechy.
Restrictions target new devices entering the US market
The restrictions apply only to new devices. Routers that already hold FCC authorization can continue to be imported, sold, and used, and consumers may keep using devices they have already purchased.
Manufacturers may still seek approval through an exemption process. The update expands the scope of the Covered List, which already includes telecommunications and surveillance equipment flagged by national security authorities.
Risks also extend beyond where devices are built.
“Router manufacturers themselves can also be targeted, and the infrastructure used for managing routers and providing firmware updates make for easy targets, a problem which exists regardless of the country where manufacturers reside.”
“Without targeted policies aimed at tackling these specific problems, this ban will do nothing to improve router security, and without further support from the US government, it’s not realistic for manufacturers to shift their supply chains in a timely enough fashion to avoid disruption to the consumer market,” concluded McConechy.
