FCC bans new routers made outside the USA over security risks

Summary

The Federal Communications Commission has added all consumer routers manufactured outside the U.S. to its Covered List, effectively banning new foreign-made router models from the U.S. market under the Secure and Trusted Communications Networks Act. The decision follows a National Security Determination citing supply-chain risks and citing Volt Typhoon, Flax, and Salt Typhoon attacks that exploited foreign routers to target U.S. critical infrastructure. Foreign manufacturers may seek conditional approval by disclosing ownership, manufacturing details, and plans to onshore critical component production.

Full text

FCC bans new routers made outside the USA over security risks By Bill Toulas March 24, 2026 04:41 PM 0 The Federal Communications Commission has updated its Covered List to include all consumer routers made in foreign countries, banning the sale of new models in the U.S. The Covered List, created under the Secure and Trusted Communications Networks Act of 2019, is an FCC-maintained list of communications equipment and services that the U.S. government has determined to pose an unacceptable risk to national security or the safety of Americans. The list previously included specific products and companies tied to security concerns, such as Kaspersky, Huawei, ZTE, Hikvision, and Dahua. Adding all routers manufactured abroad to the Covered List follows a National Security Determination issued on March 20 by an Executive Branch interagency body. According to the assessment, foreign-produced routers carry a supply-chain risk "that could disrupt the U.S. economy, critical infrastructure, and national defense." The agency determined that these devices could also be used "to immediately and severely disrupt U.S. critical infrastructure and directly harm U.S. persons." In support of the decision, the FCC highlights that foreign-made routers helped the Volt, Flax, and Salt Typhoon hackers carry out attacks that targeted vital U.S. infrastructure. Exemptions and alternative approval path Conditional approval has been granted to certain routers used in the U.S. Department of War (DoW) or the Department of Homeland Security (DHS) for drone systems, which have been determined not to constitute a security risk. Also, the new rules do not bar foreign consumer-grade router makers from seeking approval in the U.S., as long as they transparently disclose: Corporate and ownership structure, including any foreign government financial support and influence. Manufacturing and supply chain details, including bill of materials, country of origin for all components, IP ownership details, manufacturing and assembly locations, and origin of software/firmware. Plan to move critical components manufacturing to the United States, and provide a description of existing U.S.-based manufacturing or assembly processes. Consumer impact For regular consumers in the United States, the new rules are expected to have no immediate effect, as all existing routers will continue to be sold in the country. In what concerns Unmanned Aircraft Systems (UAS) and their critical components, the FCC noted that it will allow software and firmware updates until at least January 1, 2027. Access to new router models for U.S.-based consumers may become more difficult, and the devices may also become more expensive, as the regulatory approval process adds extra complications and costs. Given that testing, approvals, and FCC certification typically take a couple of months, even when all conditions are met. In some cases, this might lead to a delay in entering the U.S. market. Some manufacturers may also decide that the alternative certification pathway is not worth the effort - particularly due to the onshoring requirement - and exit the U.S. market, reducing model availability. Red Report 2026: Why Ransomware Encryption Dropped 38% Malware is getting smarter. The Red Report 2026 reveals how new threats use math to detect sandboxes and hide in plain sight.Download our analysis of 1.1 million malicious samples to uncover the top 10 techniques and see if your security stack is blinded. Download The Report Related Articles: US disrupts SocksEscort proxy network powered by Linux malwareZero Trust: Bridging the Gap Between Authentication and TrustVaronis Atlas: Securing AI and the Data That Powers It How CISOs Can Survive the Era of Geopolitical Cyberattacks7 Ways to Prevent Privilege Escalation via Password Resets

Indicators of Compromise

• malware — Volt Typhoon
• malware — Flax Typhoon
• malware — Salt Typhoon