The US Federal Communications Commission (FCC) has announced a plan to prevent the authorization and import of new consumer routers produced outside the US, adding them to its “Covered List” of items that pose a national security risk.
This decision follows a government assessment that found routers produced abroad pose a critical cybersecurity and supply chain risk to US infrastructure. Such routers have, in the past, been used in cyber incidents and could be used for network disruption, espionage, or data theft. The move is similar to previous decisions regarding drones produced abroad.
Consumer routers produced abroad dominate the US market, with an estimated 60% produced in China, which is why this decision is considered a significant ruling for the industry. However, this ruling only applies to new devices that need FCC authorization, not previously authorized devices or routers that are already in use.
Manufacturers have the option of seeking conditional authorization or modifying production to comply with the new regulations as they come into effect.
A Long-standing Warning
Jacob Krell, Senior Director: Secure AI Solutions & Cybersecurity, at Suzu Labs, says: “Supply chain compromise is becoming one of the most serious threat vectors for nation-state and advanced intrusion activity targeting critical infrastructure. The FCC’s decision to add foreign-manufactured consumer routers to its Covered List reflects a risk the security community has been warning about for years.”
He says as endpoint and product security have improved, adversaries have increasingly looked upstream toward manufacturing, firmware, and other supply chain dependencies where compromise can create durable access. “The FCC’s citation of Volt Typhoon, Flax Typhoon, and Salt Typhoon is consistent with that concern. Network devices are especially attractive targets because they sit in the path of every packet entering and leaving an environment, and predeployment compromise can be exceptionally difficult to detect and remediate.
“This ruling applies only to new devices seeking FCC authorization, which shows policymakers are treating this as a structural, long-term risk rather than a one-off enforcement action. The market impact could be significant, given how much of the consumer router market is manufactured overseas. Public reporting has suggested that at least one newer Starlink Wi-Fi router is manufactured in Texas, but the broader reality is that domestic production capacity appears extremely limited.”
Treat This as a Procurement Signal
Krell adds: “Security leaders should treat this as a procurement signal. If the federal government has concluded that foreign-manufactured network hardware can present unacceptable supply chain risk, organizations should be reviewing whether their own vendor diligence, firmware assurance, and hardware sourcing practices reflect that same reality.”
He says every router, switch, and access point in the environment came from a supply chain. “Knowing where that hardware was manufactured, who wrote the firmware, and what visibility exists into that process is no longer a theoretical exercise. The geopolitical environment is making these questions urgent, and this ruling is unlikely to be the last of its kind.”
A Massive Expansion of US Tech Protectionism
Damon Small, Board of Directors, at Xcape Inc, calls this “a massive expansion of US tech protectionism, moving beyond specific Chinese entities like Huawei or ZTE to a blanket ban on all foreign-produced consumer routing hardware.”
By citing the weaponization of SOHO routers by groups like Volt Typhoon and Salt Typhoon, the FCC is treating the humble home router as a primary vector for national-scale pivot attacks against critical infrastructure.
A Long-term Supply Chain Squeeze
“For security leaders, the immediate risk isn’t an overnight “dark start,” but a long-term supply chain squeeze; with over 60% of the market currently dominated by foreign manufacturing, procurement for remote-worker kits and branch offices is about to become significantly more expensive and limited to a handful of “trusted” (likely domestic) vendors,” continues Small.
“Defenders should audit their current fleet of remote-access hardware and prioritize vendors moving toward US-based manufacturing or those actively seeking DHS “Conditional Approval.” While existing hardware is safe for now, expect insurance carriers and federal auditors to eventually move the goalposts from “legal to use” to “compliant to keep.” The FCC is finally treating home routers like the Trojan Horses they are, though I’m sure “Made in the USA” will magically add 40% to the MSRP and zero to the patch frequency.”
It Doesn’t Magically Secure Routers Already Deployed
Rik Ferguson, VP Security Intelligence at Forescout, comments: “Adding “foreign-made consumer-grade routers” to the FCC Covered List blocks “new” models from getting FCC equipment authorization (and therefore from being imported for sale or use), but it doesn’t magically secure the millions of routers already deployed, many of which will stay in homes and small offices for years. That installed base matters because it’s where so many attackers already live, in exposed management interfaces, abusing weak or reused admin creds, and slow patching cycles, or EOL equipment that “still works”. These are still the day-to-day drivers of router compromise. Regular users don’t simply throw away a router that still works; many are understandably more worried about the consequences of disconnection by “fiddling with the black box” (if they even know how to access it) to ever even think about logging in!”
Ferguson says where this gets more interesting (and more useful than a “foreign vs domestic” argument) is “what our own research keeps showing about routers as a software supply-chain problem. In the OT/IoT router firmware analysis with Finite State, we found OpenWrt-derived operating systems are everywhere. Four of five major firmware images we analyzed were based on OpenWrt but heavily modified in ways that make patching and accountability harder. Across 25 common components, the average open-source component was 5.5 years old and 4.3 years behind the latest release, and the same “known old bugs” keep showing up: on average, 161 known vulnerabilities in common components (including 24 critical), plus exploitable kernel issues.”
“Made” Does Not Equal “Secure”
So, the point is “Made in” isn’t the same as “secure”, not even close, he adds.
“Foreign manufacture can raise legitimate governance and supply-chain concerns, but the security outcome still comes down to basics we can measure: update cadence, software transparency (SBOMs), hardening (security by design and default), and lifecycle support. For organizations, the home router is now part of the corporate attack surface. Hybrid work means a compromised consumer router can be used for interception, redirection, or as a platform for botnet/proxy activity. What consumers and organizations should be doing right now is simple: replace end-of-life routers, keep firmware current, disable internet-exposed management, turn off UPnP where you can, enforce unique admin credentials (and MFA where supported), and segment IoT away from work devices and router management, because that reduces exploitation risk regardless of who built the box.”
The Riskiest Devices We See Nowadays
Daniel dos Santos, Senior Director, Head of Research at Forescout, says: “Routers are the riskiest devices we see nowadays, both in enterprise and consumer environments. Our riskiest devices report released yesterday shows that routers account for roughly a third of the most dangerous vulnerabilities in organizational networks, with these devices having an average of 32 vulnerabilities each in monitored networks. This continues a trend we first noted in 2024 and reaffirmed in 2025: network infrastructure devices have overtaken endpoints as the riskiest category of IT devices.
“Our 2025 threat roundup report also identified network infrastructure devices as a rapid-growth exploitation category: 19% of exploits we observed in 2025, up from 14% in 2024 (and 11% in 2023). They are now the second most exploited device category we observe. Beyond vulnerability exploitation, another common attack vector against routers is weak or reused credentials for management interfaces that are often targeted in brute-force attempts.”
Threat actors have been exploiting consumer-grade routers to build botnets that are used to proxy attacks or launch distributed denial of service (DDoS) campaigns. What was usually a cybercriminal tactic is now widely employed by state actors against strategic targets. That includes Russia and China.
Possibilities of State Interference
Foreign-made routers are a real concern, says dos Santos. “Although not necessarily running software that is more vulnerable than US-made routers, there are possibilities of state interference to include covert communication channels (something which was discussed in 2024 for cranes at US ports and in 2025 for solar inverters) and, especially in the case of China, there are laws requiring manufacturers and researchers to notify the government of newly-discovered vulnerabilities before anyone else. This obviously gives the Chinese government an advantage in case they want to exploit these vulnerabilities as zero-days.
“TP-Link is a major manufacturer of these devices worldwide, including the US. Last October, we disclosed two vulnerabilities affecting certain TP-Link models that would allow attackers to take control of devices. We have multiple additional vulnerabilities currently being analyzed and patched by TP-Link.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.


