The US Federal Communications Commission (FCC) has moved to ban consumer-grade routers made outside the US following a determination that such hardware poses an unacceptable risk to the security of the country and its citizens and residents.
The determination – made by an interagency body convened by the White House – highlighted the potential for the introduction of supply chain vulnerabilities that could cause downstream disruption, and severe cyber security risks that “could be leveraged to immediately and severely disrupt US critical infrastructure and directly harm US persons”.
This backs up president Trump’s National Security Strategy which seeks to end a perceived US dependency on other countries for core components, whether they are raw materials, parts or finished goods that are necessary to its defence or economy.
The FCC said malicious actors had long exploited security gaps in router hardware to conduct cyber attacks against various targets, and noted their use in intrusions attributed to the likes of Salt and Volt Typhoon, known Chinese state agents, against critical infrastructure.
“I welcome this Executive Branch national security determination, and I am pleased that the FCC has now added foreign-produced routers, which were found to pose an unacceptable national security risk, to the FCC’s Covered List,” said FCC chairman Brendan Carr.
“Following president Trump’s leadership, the FCC will continue do our part in making sure that US cyber space, critical infrastructure and supply chains are safe and secure.”
The addition of non-US routers to the so-called Covered List means any equipment produced outside the US will not be able to receive equipment authorisation from the FCC prior to importation, marketing or sale.
In this instance, the word “produced”, by the FCC’s definition, covers “any major stage of the process through which the device is made including manufacturing, assembly, design and development”.
The US ban includes an exemption for equipment that either the Department of Defense (DoD) – renamed the Department of War (DoW) by the Trump administration – or the Department of Homeland Security (DHS) have granted conditional approval.
The FCC said it “encouraged” producers of consumer-grade routers to apply for conditional approval to continue importing their products into the US. The change also does not apply to any routers that have already received equipment authorisation, which can continue to be imported and sold as before, or any equipment that has already been acquired.
Unanswered questions
As such, the introduction of new restrictions is a highly significant change for global supply chains, US communications services providers (CSPs), and businesses and consumers.
Ryan McConechy, principal security architect at Barrier Networks, said the FCC’s latest policy raised a number of questions. Perhaps the most pressing of these concerns is the fact that, with one notable exception – the routers supplied for Elon Musk’s Starlink service are made in Texas – there are essentially no consumer-grade routers manufactured within the US.
“Many of the major router manufacturers, including American companies like Cisco, assemble their products in countries like Taiwan and Vietnam, and a blanket ban like this could cause huge disruption,” said McConechy.
“Moving large manufacturing operations into new countries is a task that can take years and may not even be viable if costs prove too high, not to mention the lack of wider regional supply chains that manufacturing industries may be dependent on and which are often impossible to shift. At best, and in the short term, basic assembly of routers could move to the US.”
McConechy said that while some might argue that the ban seems reasonable – given the state of global geopolitics and the influence states such as China are inclined to exercise over their tech sectors – it does not really address the underlying security allegations about routers built outside the US.
“Without a wholesale shift of entire supply chains to the US, backdoors and spyware can still be integrated into networking technology, and security vulnerabilities will exist in router products regardless of where they’re manufactured,” he said.
Rik Ferguson, vice-president of security intelligence at Forescout, said that the FCC’s action only partially addressed the problem at hand. “The risk isn’t just where a router is made, it’s the millions already deployed, running outdated software, exposed to the internet and rarely patched,” he told Computer Weekly.
“Adding foreign-made consumer-grade routers to the Covered List … doesn’t magically secure the millions of routers already deployed, many of which will stay in homes and small offices for years,” he added.
“That installed base matters because it’s where so many attackers already live, in exposed management interfaces, abusing weak or reused admin creds, and slow patching cycles, or end-of-life equipment that still works. These are still the day-to-day drivers of router compromise. Regular users don’t simply throw away a router that still works.”
Living on the edge
Though arguably somewhat extreme in its application, the FCC’s determination is nevertheless backed by a growing amount of evidence that network edge devices such as routers are, by their very nature, at high risk of attack.
Data released this week by Forescout’s Vedere Labs analysts revealed that routers have now overtaken traditional PCs as the devices most at risk of compromise by cyber criminals and other threat actors, accounting for a third of the most critical vulnerabilities unearthed last year.
“Routers are the riskiest devices we see nowadays, both in enterprise and consumer environments … Routers account for roughly a third of the most dangerous vulnerabilities in organisational networks, with these devices having an average of 32 vulnerabilities each in monitored networks,” said Daniel dos Santos, Forescout senior director and head of research.
“Our 2025 Threat roundup report also identified network infrastructure devices as a rapid-growth exploitation category: 19% of exploits we observed in 2025, up from 14% in 2024, and 11% in 2023.”
In compiling their report, titled The riskiest connected devices in 2026, Verdere’s experts identified a “surge” in newly identified high-risk device types, with 11 appearing on the list for the first time – such as serial-to-IP converters, time clocks, RFID readers, BACnet routers and medical image printers.
The team said this diversification continued a significant shift that it observed for the first time in 2025 – 40% of the riskiest device types did not factor on the list in 2025, and 75% did not in 2024.
This risk creep is a challenge for security teams, as such devices are often harder to harden, inventory or patch.
