The United States Federal Communications Commission (FCC) has announced a prohibition on the importation of new foreign-made consumer routers, citing significant cybersecurity and national security threats. This decision aims to protect U.S. citizens and the essential communication networks they depend on. FCC Chairman Brendan Carr emphasized this in a statement on X, revealing that newly manufactured foreign routers are no longer eligible for sale or marketing in the U.S., following a national security review by Executive Branch Agencies.
Scope of the Foreign Router Ban
This measure adds all consumer-grade routers made outside the U.S. to the FCC’s Covered List unless they receive Conditional Approval from the Department of War (DoW) or the Department of Homeland Security (DHS), ensuring these devices pose no risks. Currently, the approved list is limited to drone systems and software-defined radios (SDRs) from companies like SiFly Aviation, Mobilicom, ScoutDI, and Verge Aero. While producers can apply for Conditional Approval, Starlink Wi-Fi routers, manufactured in Texas, are exempt from this policy.
According to the FCC, foreign-made routers are seen as a ‘supply chain vulnerability’ that threatens the U.S. economy, critical infrastructure, and national defense. Additionally, these devices are deemed a cybersecurity threat capable of causing immediate and significant disruptions to U.S. critical infrastructure and directly harming individuals.
Cybersecurity Threats Posed by Foreign Routers
The FCC has identified that both state-sponsored and independent threat actors exploit vulnerabilities in small and home office routers to infiltrate American homes, disrupt networks, and commit cyber espionage. These routers can also be commandeered into large networks to facilitate unauthorized network access, password spraying, and act as proxies for espionage activities. Notably, Chinese-linked attackers such as Volt Typhoon, Flax Typhoon, and Salt Typhoon have used botnets made of foreign routers to target critical U.S. infrastructure sectors like communications, energy, transportation, and water.
In particular, Salt Typhoon attacks involve state-sponsored hackers using compromised routers to embed themselves and gain long-term access to networks, shifting to different targets as needed. The U.S. government has also spotlighted a botnet named CovertNetwork-1658, or Quad7, involved in evasive password spray attacks, attributed to a Chinese threat actor known as Storm-0940.
Implications and Future Outlook
The FCC’s update does not affect the continued use of routers already purchased by consumers, nor does it restrict retailers from selling, importing, or marketing models previously approved through the FCC’s equipment authorization process. However, the agency underscores that foreign-manufactured routers remain prime targets for cyber attackers, facilitating network breaches and critical infrastructure compromises. Given their role as the main internet access point, compromised routers can lead to network surveillance, data exfiltration, and malware distribution.
As the FCC continues to tighten regulations to safeguard U.S. networks, the emphasis remains on mitigating the risks introduced by foreign-manufactured routers and ensuring the security of national communications infrastructure.
