US: FCC Relaxes Foreign-Made Router Ban to Allow for Security Updates

The FCC’s 2026 ban on consumer‑grade routers manufactured abroad was a direct response to growing concerns that foreign hardware could embed backdoors or vulnerabilities exploitable by hostile actors. By labeling these devices an "unacceptable risk" to national security, the agency forced manufacturers to seek conditional approvals from the Department of Defense or Homeland Security, effectively tightening the U.S. telecommunications supply chain. This move echoed earlier restrictions on Chinese‑origin telecom gear and set a precedent for broader hardware scrutiny.

The recent extension of the security‑update deadline to January 2029 provides a pragmatic bridge for users still operating legacy equipment. While the ban prevents the sale of new foreign routers, the FCC recognizes that many enterprises and households rely on existing units that lack vendor support. By allowing only firmware and software patches—excluding new functionality—the agency balances the need for ongoing protection against the risk of re‑introducing vulnerabilities through feature additions. The same policy now applies to foreign‑made drones, reflecting a holistic approach to critical infrastructure that spans both networking and aerial platforms.

For businesses, the announcement underscores the importance of proactive asset management and inventory audits. Unpatched routers have been linked to high‑profile campaigns such as Volt Typhoon and Salt Typhoon, which leveraged outdated firmware to gain persistent, low‑visibility access to corporate networks. Companies should prioritize replacing banned devices, implement strict patch management, and consider zero‑trust architectures to mitigate residual risk. The FCC’s stance also hints at future regulatory actions that could further restrict foreign‑origin hardware, making supply‑chain resilience a strategic priority for U.S. firms.