FCC Softens Ban on Foreign-Made Routers

ENDPOINT SECURITY CYBER RISK THREAT INTELLIGENCE REMOTE WORKFORCE NEWS FCC Softens Ban on Foreign-Made Routers The Federal Communications Commission eased some restrictions and pushed back deadlines for foreign router manufacturers, but the ban is still in place. Jai Vijayan,Contributing Writer May 11, 2026 3 Min Read SOURCE: CASEZY IDEA VIA SHUTTERSTOCK The Federal Communications Commission (FCC) has eased some of its recent restrictions on foreign-made consumer routers and will now allow vendors of these products to continue issuing software and firmware updates for already-deployed devices in the US through at least January 2029. The decision modifies a March 2026 FCC ruling that prohibits foreign manufacturers from selling new consumer router models in the US, except for those the agency had already approved. The FCC cited national security concerns as its primary justification for adding foreign-made small office and home office routers to its list of prohibited equipment and noted how adversaries, including nation-state groups, have used routers to facilitate attacks against US organizations. A Major Reprieve for Router Owners? Under the original FCC ruling, foreign manufacturers were permitted to provide only limited maintenance and security patches to US customers through March 2027. Related:VoidStealer Malware Darts Past Google Chrome's Encryption In a public note on May 8, the FCC extended that deadline to at least January 2029 and also expanded the scope of permissible updates. The FCC will now allow foreign manufacturers to provide not just minor security fixes and changes, but also more major software and firmware updates that could affect router functionality, which previously required additional FCC review. The agency described the revisions as intended to ensure the continued safety of already deployed foreign-made consumer routers in the US. The agency's decision is a major reprieve for the millions of US consumers and small and medium-sized businesses currently using the affected class of devices, because it buys them more time to find alternatives. Analysts have noted how almost all consumer grade routers currently available in the US are made by foreign manufactuers.  Infosec professionals have expressed concern over how the FCC's ban would essentially leave users of these devices with no choice but to continue using aging and unsupported devices for the foreseeable future, ironically making them more vulnerable to attacks and compromise, not less. Many have also noted how the real issues with router security are not really about where the devices are manufactured but more about operational risks, such as using default passwords and configurations, and not keeping up with security patches. "The FCC likely issued this revision in response to the operational realities of network security and the slow pace of equipment replacement," says Jason Soroko, senior fellow at Sectigo. "Replacing millions of embedded devices across national infrastructure requires immense time and capital, and abandoning existing systems to a completely unpatched state would create an immediate vulnerability." Related:Silver Fox Springs Tax-Themed Attacks on Orgs in India, Russia Pragmatic Compromise for FCC Ban The FCC's adjusted policy appears to be a pragmatic compromise. Permitting vendors to issue vital security patches and compatibility updates acknowledges that an unpatched router presents a more urgent cybersecurity threat than the broader risks associated with the hardware origins, Soroko notes. While the extension through 2029 by itself does not significantly alter the mandate prohibiting import of foreign-made consumer routers, it does give users more breathing space. "This waiver significantly alleviates the most pressing fears tied to the initial ban by preventing a sudden and dangerous security vacuum," Soroko says. Shane Barney, chief information security officer (CISO) at Keeper Security, urges organizations using the affected class of devices to keep the FCC's latest revision in perspective. A hard prohibition on updates would have left already-deployed devices without a path to receive security patches or vulnerability fixes and put vendors and end users in an untenable position. Fron that standpoint, he says, "extending the waiver through January 2029 is the more defensible call."  Related:WhatsApp Leaks User Metadata to Attackers But organizations should be clear-eyed about what this decision does and does not accomplish, Barney says. The revision alleviates concerns about already deployed foreign-made routers being frozen in place, unable to receive critical updates. However, it does not resolve the underlying concern about foreign-manufactured hardware operating in sensitive network environments.  "It shouldn't give enterprises a false sense that the broader risk calculus has changed. The threat surface those devices represents remain," he says. "The right response to this revision is the same as it was before: enforce zero-trust principles, require strong identity verification, apply least-privilege access and treat every remote connection as potentially hostile, regardless of what hardware it originates from." About the Author Jai Vijayan Contributing Writer Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill. Want more Dark Reading stories in your Google search results? ADD US NOW More Insights Industry Reports How Enterprises Are Developing Secure Applications Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy How Enterprises Are Harnessing Emerging Technologies in Cybersecurity Ditch the Data Center: Understanding Flexible Cloud Infrastructure Security Management 2025 State of Malware Access More Research Webinars The New Attack Surface: How Attackers Are Exploiting OAuth to Own Your Cloud Workspace Prompt Injection Is Just the Start: Securing LLMs in AI Systems Anatomy of a Data Breach: What to Do if it Happens to You How Well Can You See What's in Your Cloud? Implementing CTEM: Beyond Vulnerability Management More Webinars You May Also Like ENDPOINT SECURITY 2 Separate Campaigns Probe Corporate LLMs for Secrets by Elizabeth Montalbano, Contributing Writer JAN 12, 2026 ENDPOINT SECURITY Pro-Russian Hackers Use Linux VMs to Hide in Windows by Alexander Culafi NOV 04, 2025 ENDPOINT SECURITY We've All Been Wrong: Phishing Training Doesn't Work by Nate Nelson, Contributing Writer JUL 01, 2025 ENDPOINT SECURITY Attackers Lace Fake GenAI Tools With Malware by Alexander Culafi, Senior News Writer, Dark Reading MAY 12, 2025 Editor's Choice THREAT INTELLIGENCE From Stuxnet to ChatGPT: 20 News Events That Shaped Cyber byDark Reading Editorial Team MAY 6, 2026 31 MIN READ CYBER RISK Physical Cargo Theft Gets a Boost From Cybercriminals byRobert Lemos MAY 4, 2026 5 MIN READ CYBER RISK NSA Chief During Snowden Affair Shares Regrets, Reflections 13 Years Later byDark Reading Editorial Team APR 28, 2026 Want more Dark Reading stories in your Google search results? Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE RSAC 2026: key news & insights At RSAC 2026, Dark Reading captured critical intelligence on AI, new attack methods, geopolitics, and much more Get Your Recap Webinars The New Attack Surface: How Attackers Are Exploiting OAuth to Own Your Cloud Workspace WED, JUNE 24,2026 AT 1PM EST Prompt Injection Is Just the Start: Securing LLMs in AI Systems TUES, MAY 26, 2026, AT 1PM EST Anatomy of a Data Breach: What to Do if it Happens to You JUNE 18TH, 2026 | 11:00AM -5:00PM ET | DOORS OPEN AT 10:30AM ET How Well Can You See What's in Your Cloud? THURS, JUNE 4, 2026 AT 1:00PM EST Implementing CTEM: Beyond Vulnerability Management THURS, MAY 21, 2026 AT 1PM EST More Webinars BLACK HAT USA | MANDALAY BAY, LAS VEGAS The premier cybersecurity event of the year returns to Mandalay Bay with a re‑engineered, six‑day program built to ignite innovation, push boundaries, and bring the global security community together like never before. Use code: DARKREADING to save $200 on a Briefings pass or $100 on a Business pass. GET YOUR PASS