FCC Reverses Course, Allows Software Updates for Foreign-Made Drones and Routers Until 2029 — Agency Says Blocking Security Patches Could Create Cybersecurity Risks

The FCC’s recent policy tweak stems from the 2025 revision of equipment‑authorization rules that created a “Covered List” of foreign‑origin drones and routers. By classifying these products as covered, the agency effectively froze any post‑certification software changes, a move intended to curb potential espionage vectors. However, the blanket restriction ignored the reality that many of these devices are already embedded in critical infrastructure, commercial fleets, and home networks, where ongoing firmware updates are essential for security and interoperability.

Recognizing the unintended fallout, the commission issued an extended waiver that permits manufacturers to push security patches, bug fixes, and compatibility updates through early 2029. This targeted relief applies solely to units authorized before their inclusion on the Covered List, ensuring that the waiver does not undermine the broader national‑security objective of limiting new foreign hardware. Industry groups have welcomed the decision, noting that without it, millions of drones used in agriculture, logistics, and public safety could become easy targets for cyber‑attacks, while consumers would face obsolete routers vulnerable to ransomware and data interception.

The episode illustrates a growing regulatory tension: safeguarding the communications ecosystem while avoiding the creation of new attack surfaces. As the FCC works toward a permanent framework, manufacturers are likely to lobby for clearer guidelines that separate high‑risk hardware from routine software maintenance. For U.S. users, the extended waiver offers a short‑term safety net, but it also signals that future policy will need to accommodate the fast‑moving nature of IoT and unmanned‑aircraft technology without compromising security objectives.