It’s reported that all the routers given to you by your ISP are compromised, allowing government backdoor entry, and with poor security updating possibly connected to the previous point. Consequently, some foreign made routers do regular security updates for even old hardware, as well as being able to run opensource firmware projects. So is this all to get people running their own purchased and maintained routers in the US onto routers compromised and vulnerable like those ISP routers? You’d have to conclude that is the case, but still interesting they pushed the date of cutting off updates out a couple years. It could also be that the US approved router manufacturers need more time for whatever spyware capabilities the US government wants in the devices, and just look at what a spyware nightmare they’ve turned new vehicles into, especially starting next year with your car watching you and capable of restricting your ability to drive.
https://www.darkreading.com/endpoint-security/fcc-softens-foreign-router-ban
The Federal Communications Commission eased some restrictions and pushed back deadlines for foreign router manufacturers, but the ban is still in place.
By Jai Vijayan
The Federal Communications Commission (FCC) has eased some of its recent restrictions on foreign-made consumer routers and will now allow vendors of these products to continue issuing software and firmware updates for already-deployed devices in the US through at least January 2029.
The decision modifies a March 2026 FCC ruling that prohibits foreign manufacturers from selling new consumer router models in the US, except for those the agency had already approved. The FCC cited national security concerns as its primary justification for adding foreign-made small office and home office routers to its list of prohibited equipment and noted how adversaries, including nation-state groups, have used routers to facilitate attacks against US organizations.
A Major Reprieve for Router Owners?
Under the original FCC ruling, foreign manufacturers were permitted to provide only limited maintenance and security patches to US customers through March 2027.
In a public note on May 8, the FCC extended that deadline to at least January 2029 and also expanded the scope of permissible updates. The FCC will now allow foreign manufacturers to provide not just minor security fixes and changes, but also more major software and firmware updates that could affect router functionality, which previously required additional FCC review. The agency described the revisions as intended to ensure the continued safety of already deployed foreign-made consumer routers in the US.
The agency’s decision is a major reprieve for the millions of US consumers and small and medium-sized businesses currently using the affected class of devices, because it buys them more time to find alternatives. Analysts have noted how almost all consumer grade routers currently available in the US are made by foreign manufactuers.
Infosec professionals have expressed concern over how the FCC’s ban would essentially leave users of these devices with no choice but to continue using aging and unsupported devices for the foreseeable future, ironically making them more vulnerable to attacks and compromise, not less. Many have also noted how the real issues with router security are not really about where the devices are manufactured but more about operational risks, such as using default passwords and configurations, and not keeping up with security patches.
“The FCC likely issued this revision in response to the operational realities of network security and the slow pace of equipment replacement,” says Jason Soroko, senior fellow at Sectigo. “Replacing millions of embedded devices across national infrastructure requires immense time and capital, and abandoning existing systems to a completely unpatched state would create an immediate vulnerability.”
Pragmatic Compromise for FCC Ban
The FCC’s adjusted policy appears to be a pragmatic compromise. Permitting vendors to issue vital security patches and compatibility updates acknowledges that an unpatched router presents a more urgent cybersecurity threat than the broader risks associated with the hardware origins, Soroko notes.
While the extension through 2029 by itself does not significantly alter the mandate prohibiting import of foreign-made consumer routers, it does give users more breathing space. “This waiver significantly alleviates the most pressing fears tied to the initial ban by preventing a sudden and dangerous security vacuum,” Soroko says.
Shane Barney, chief information security officer (CISO) at Keeper Security, urges organizations using the affected class of devices to keep the FCC’s latest revision in perspective. A hard prohibition on updates would have left already-deployed devices without a path to receive security patches or vulnerability fixes and put vendors and end users in an untenable position. Fron that standpoint, he says, “extending the waiver through January 2029 is the more defensible call.”
But organizations should be clear-eyed about what this decision does and does not accomplish, Barney says. The revision alleviates concerns about already deployed foreign-made routers being frozen in place, unable to receive critical updates. However, it does not resolve the underlying concern about foreign-manufactured hardware operating in sensitive network environments.
“It shouldn’t give enterprises a false sense that the broader risk calculus has changed. The threat surface those devices represents remain,” he says. “The right response to this revision is the same as it was before: enforce zero-trust principles, require strong identity verification, apply least-privilege access and treat every remote connection as potentially hostile, regardless of what hardware it originates from.”