FCC Softens Ban on Foreign-Made Routers TechTarget and Informa Tech’s Digital Business Combine.TechTarget and InformaTechTarget and Informa Tech’s Digital Business Combine.Together, we power an unparalleled network of 220+ online properties covering 10,000+ granular topics, serving an audience of 50+ million professionals with original, objective content from trusted sources. We help you gain critical insights and make more informed decisions across your business priorities.Dark Reading Resource LibraryBlack Hat NewsOmdia CybersecurityAdvertiseNewsletter Sign-UpNewsletter Sign-UpCybersecurity TopicsRelated TopicsApplication SecurityCybersecurity CareersCloud SecurityCyber RiskCyberattacks & Data BreachesCybersecurity AnalyticsCybersecurity OperationsData PrivacyEndpoint SecurityICS/OT SecurityIdentity & Access Mgmt SecurityInsider ThreatsIoTMobile SecurityPerimeterPhysical SecurityRemote WorkforceThreat IntelligenceVulnerabilities & ThreatsRecent in Cybersecurity TopicsСloud SecurityHackers Use AI for Exploit Development, Attack AutomationHackers Use AI for Exploit Development, Attack AutomationbyAlexander CulafiMay 11, 20265 Min ReadСloud SecurityAfter Replacing TeamPCP Malware, 'PCPJack' Steals Cloud SecretsAfter Replacing TeamPCP Malware, 'PCPJack' Steals Cloud SecretsbyNate NelsonMay 7, 20265 Min ReadWorld Related TopicsDR GlobalMiddle East & AfricaAsia PacificLatin AmericaSee AllThe EdgeDR TechnologyEventsRelated TopicsUpcoming EventsPodcastsWebinarsSEE ALLResourcesRelated TopicsResource LibraryNewslettersPodcastsReportsVideosWebinarsWhite Papers Partner PerspectivesDark Reading Resource LibraryEndpoint SecurityCyber RiskThreat IntelligenceRemote WorkforceNewsFCC Softens Ban on Foreign-Made RoutersThe Federal Communications Commission eased some restrictions and pushed back deadlines for foreign router manufacturers, but the ban is still in place.Jai Vijayan,Contributing WriterMay 11, 20263 Min ReadSource: Casezy idea via ShutterstockThe Federal Communications Commission (FCC) has eased some of its recent restrictions on foreign-made consumer routers and will now allow vendors of these products to continue issuing software and firmware updates for already-deployed devices in the US through at least January 2029.The decision modifies a March 2026 FCC ruling that prohibits foreign manufacturers from selling new consumer router models in the US, except for those the agency had already approved. The FCC cited national security concerns as its primary justification for adding foreign-made small office and home office routers to its list of prohibited equipment and noted how adversaries, including nation-state groups, have used routers to facilitate attacks against US organizations.A Major Reprieve for Router Owners?Under the original FCC ruling, foreign manufacturers were permitted to provide only limited maintenance and security patches to US customers through March 2027.Related:VoidStealer Malware Darts Past Google Chrome's EncryptionIn a public note on May 8, the FCC extended that deadline to at least January 2029 and also expanded the scope of permissible updates. The FCC will now allow foreign manufacturers to provide not just minor security fixes and changes, but also more major software and firmware updates that could affect router functionality, which previously required additional FCC review. The agency described the revisions as intended to ensure the continued safety of already deployed foreign-made consumer routers in the US.The agency's decision is a major reprieve for the millions of US consumers and small and medium-sized businesses currently using the affected class of devices, because it buys them more time to find alternatives. Analysts have noted how almost all consumer grade routers currently available in the US are made by foreign manufactuers. Infosec professionals have expressed concern over how the FCC's ban would essentially leave users of these devices with no choice but to continue using aging and unsupported devices for the foreseeable future, ironically making them more vulnerable to attacks and compromise, not less. Many have also noted how the real issues with router security are not really about where the devices are manufactured but more about operational risks, such as using default passwords and configurations, and not keeping up with security patches."The FCC likely issued this revision in response to the operational realities of network security and the slow pace of equipment replacement," says Jason Soroko, senior fellow at Sectigo. "Replacing millions of embedded devices across national infrastructure requires immense time and capital, and abandoning existing systems to a completely unpatched state would create an immediate vulnerability."Related:Silver Fox Springs Tax-Themed Attacks on Orgs in India, RussiaPragmatic Compromise for FCC BanThe FCC's adjusted policy appears to be a pragmatic compromise. Permitting vendors to issue vital security patches and compatibility updates acknowledges that an unpatched router presents a more urgent cybersecurity threat than the broader risks associated with the hardware origins, Soroko notes.While the extension through 2029 by itself does not significantly alter the mandate prohibiting import of foreign-made consumer routers, it does give users more breathing space. "This waiver significantly alleviates the most pressing fears tied to the initial ban by preventing a sudden and dangerous security vacuum," Soroko says.Shane Barney, chief information security officer (CISO) at Keeper Security, urges organizations using the affected class of devices to keep the FCC's latest revision in perspective. A hard prohibition on updates would have left already-deployed devices without a path to receive security patches or vulnerability fixes and put vendors and end users in an untenable position. Fron that standpoint, he says, "extending the waiver through January 2029 is the more defensible call." Related:WhatsApp Leaks User Metadata to AttackersBut organizations should be clear-eyed about what this decision does and does not accomplish, Barney says. The revision alleviates concerns about already deployed foreign-made routers being frozen in place, unable to receive critical updates. However, it does not resolve the underlying concern about foreign-manufactured hardware operating in sensitive network environments. "It shouldn't give enterprises a false sense that the broader risk calculus has changed. The threat surface those devices represents remain," he says. "The right response to this revision is the same as it was before: enforce zero-trust principles, require strong identity verification, apply least-privilege access and treat every remote connection as potentially hostile, regardless of what hardware it originates from."About the AuthorJai VijayanContributing WriterJai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.See more from Jai VijayanWant more Dark Reading stories in your Google search results?Add Us NowMore InsightsIndustry ReportsHow Enterprises Are Developing Secure ApplicationsInside RSAC 2026: security leaders reveal the risks redefining your defense strategyHow Enterprises Are Harnessing Emerging Technologies in CybersecurityDitch the Data Center: Understanding Flexible Cloud Infrastructure Security Management2025 State of MalwareAccess More ResearchWebinarsThe New Attack Surface: How Attackers Are Exploiting OAuth to Own Your Cloud WorkspacePrompt Injection Is Just the Start: Securing LLMs in AI SystemsAnatomy of a Data Breach: What to Do if it Happens to YouHow Well Can You See What's in Your Cloud?Implementing CTEM: Beyond Vulnerability ManagementMore WebinarsEditor's ChoiceThreat IntelligenceFrom Stuxnet to ChatGPT: 20 News Events That Shaped CyberFrom Stuxnet to ChatGPT: 20 News Events That Shaped CyberbyDark Reading Editorial TeamMay 6, 202631 Min ReadCyber RiskPhysical Cargo Theft Gets a Boost From CybercriminalsPhysical Cargo Theft Gets a Boost From CybercriminalsbyRobert LemosMay 4, 20265 Min ReadWant more Dark Reading stories in your Google search results?Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.SubscribeRSAC 2026: key news & insightsAt RSAC 2026, Dark Reading captured critical intelligence on AI, new attack methods, geopolitics, and much moreGet Your RecapWebinarsThe New Attack Surface: How Attackers Are Exploiting OAuth to Own Your Cloud WorkspaceWed, June 24,2026 at 1pm ESTPrompt Injection Is Just the Start: Securing LLMs in AI SystemsTues, May 26, 2026, at 1pm ESTAnatomy of a Data Breach: What to Do if it Happens to YouJune 18th, 2026 | 11:00am -5:00pm ET | Doors Open at 10:30am ETHow Well Can You See What's in Your Cloud?Thurs, June 4, 2026 at 1:00pm ESTImplementing CTEM: Beyond Vulnerability ManagementThurs, May 21, 2026 at 1pm ESTMore WebinarsBlack Hat USA | Mandalay Bay, Las VegasThe premier cybersecurity event of the year returns to Mandalay Bay with a re‑engineered, six‑day program built to ignite innovation, push boundaries, and bring the global security community together like never before. Use code: DARKREADING to save $200 on a Briefings pass or $100 on a Business pass.GET YOUR PASSDiscover MoreBlack HatOmdiaWorking With UsAbout UsAdvertiseReprintsJoin UsNewsletter Sign-UpFollow UsCopyright © 2026 TechTarget, Inc. d/b/a Informa TechTarget. This website is owned and operated by Informa TechTarget, part of a global network that informs, influences and connects the world’s technology buyers and sellers. All copyright resides with them. Informa PLC’s registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. TechTarget, Inc.’s registered office is 275 Grove St. Newton, MA 02466.Home|Cookie Policy|Privacy|Terms of UseYour Privacy Choices

The Federal Communications Commission (FCC) has issued a revised policy regarding foreign-made consumer routers, effectively softening its previous, stricter stance. This adjustment, spearheaded by the FCC, was driven by concerns surrounding national security and the potential for adversarial nations, including nation-state groups, to utilize routers for cyberattacks against U.S. organizations. Originally, the FCC prohibited the sale of new foreign-made small office and home office routers, but this has been modified to allow continued software and firmware updates for existing devices through January 2029. This change reflects a pragmatic approach, acknowledging the operational realities of network security and the difficulties associated with rapidly replacing millions of embedded devices.

The revised regulation allows manufacturers to provide more substantial updates beyond minor security patches, a previously restricted area requiring FCC review. This decision was motivated by the need to maintain the safety of currently deployed foreign routers, particularly in light of the slow pace of equipment replacement. Jason Soroko, a senior fellow at Sectigo, highlighted the acknowledgment of realistic network security challenges and the operational constraints related to replacing embedded devices across extensive infrastructure. Shane Barney, CISO at Keeper Security, emphasized that allowing updates is a more defensible position than a hard prohibition, acknowledging the potential vulnerability of unpatched devices.

Despite this reprieve, the FCC’s action doesn’t fundamentally alter the restriction on importing new foreign-made routers. However, it offers a crucial grace period, mitigating the immediate risks associated with a frozen landscape of unsupported devices. Experts, such as Barney and Soroko, stressed the continued importance of robust cybersecurity practices – zero-trust principles, strong identity verification, least-privilege access, and treating remote connections with suspicion – regardless of the device’s origin. Jai Vijayan notes that the operational realities of network security demand a pragmatic response.

The FCC’s decision follows concerns from infosec professionals who worried about leaving users with no viable solutions and increased vulnerability. The delay also provides the opportunity to monitor the current state of devices and assess longer-term plans for replacement. The decision represents a compromise between security concerns and the practicalities of managing existing technology infrastructure, acknowledging that a sudden policy shift could introduce greater vulnerabilities.