Key points to remember:
- The Federal Communications Commission has banned the sale of new foreign-made routers in the United States. This radical move applies to virtually all Wi-Fi routers currently available in the US market.
- After speaking with four cybersecurity experts, my advice is to not buy a new router if you can help it.
- Under current rules, banned routers will no longer receive essential firmware and security software updates after March 1, 2027.
- The FCC’s action has effectively frozen the entire market while router companies scramble to gain approval.
- More specific information on which router companies will be subject to the ban should become clearer within the next month or two.
In my eight years of writing about and analyzing broadband and routers, I have rarely seen news that I would call unprecedented. The FCC’s recent decision to ban foreign-made routers is absolutely unprecedented.
The general order applies to any router in which any stage of “manufacturing, assembly, design and development” takes place outside the United States – in other words, just about any router you can buy today. The FCC order says foreign-made routers pose “unacceptable risks” to national security. The ironic side effect is this: it could prevent your current router from receiving vital security updates.
The ban does not apply to routers already authorized by the FCC (that is, all routers currently on sale in the United States) and will only affect new models that have not yet been approved. This means that any routers available before the order are still available today and router manufacturers can still restock them using their existing manufacturing processes.
Essentially, the FCC is freezing the entire router market. As William Budington, a technologist for the Electronic Frontier Foundation, a digital rights nonprofit, told me: “This uses an extremely blunt instrument.”
While previous FCC bans have been limited to specific companies, like last year’s ban on TP-Link routers, this one affects an entire industry. So what about someone who needs a new Wi-Fi router? Should you buy a model you’re interested in in case it sells out? Or is it better to wait and see which companies the FCC considers foreign-made?
I know what I would do, but I checked my advice with four cybersecurity experts. Turns out we agree.
My advice: hold off on purchasing a new router for now
When I first saw the FCC’s announcement, I couldn’t help but think of the chaos this would bring to the US router market. As I tried to determine which manufacturers would be considered “foreign-made,” it quickly became apparent how deeply international router supply chains are.
Understanding the scope of the ban
Take Netgear. Although it is a company founded and based in the United States, it manufactures routers in Vietnam, Thailand, Indonesia, and Taiwan. With the exception of Starlink — the company says its new routers are made entirely in Texas, according to the BBC — I couldn’t find a single local router brand.
I have no problem recommending foreign-made routers. After all, they had already gone through the FCC authorization process, and I haven’t seen compelling evidence that one brand of router has more hardware vulnerabilities than another.
Thomas Pace, CEO of cybersecurity company NetRise, told me in an interview last year about the potential TP-Link ban: “We’ve analyzed an astonishing amount of TP-Link firmware. We find stuff, but we find stuff in everything.”
I just finished testing, reviewing and evaluating over 30 routers, and after years of resistance, I finally concluded that Wi-Fi 7 routers are worth it for the speeds you get. While I stand by my recommendations, with this ban in place, the router you buy today may not be any good in a year.
Forward-looking security risk
Then I saw the FCC’s public notice on the ban, which specifies that manufacturers can continue to provide software and firmware updates “at least until March 1, 2027.” This means that if you have a foreign-made router – if you own a router, in other words – it won’t be able to get security patches after this deadline.
That’s why I think the wise decision here is to wait before buying one if you can. Keeping your router firmware up to date is an essential part of securing your home network. If you buy from a router company that doesn’t have an exemption from this ban, you risk having an insecure device in a year.
This is an ironic side effect of an order that is ostensibly designed to keep Americans safer: They may no longer be able to get the latest security patches.
“If you limit users’ ability to get security updates, you’re making the problem worse, not better,” Alan Butler, senior attorney at the Electronic Privacy Information Center, told me. “A lot of these routers are going to turn into pumpkins in a year unless they extend this waiver.”
By saying you can update your firmware “at least until March 1, 2027,” the FCC is leaving some wiggle room for an extension. But until we know more about which companies the FCC considers to be foreign-made and which will be exempt, I wouldn’t feel comfortable recommending spending money on a new router right now.
Tips for Immediate Router Needs
If your old router isn’t working anymore, I’m not going to tell you to wait for clarification from the FCC to go back to Wi-Fi – the worry timeframe is measured in years rather than months. A good compromise might be to buy an older budget router rather than the latest Wi-Fi 7 model you’re considering. But if you can afford to wait a month or two, it’s worth exercising some caution.
“I think this is going to become a disaster very quickly,” Butler said.
This is the most complicated point of the process that we are likely to see. As the dust settles in the coming weeks, we’ll likely have better information on which routers will still be safe to use a year from now.
TP-Link is one of the most popular router brands in the United States and is the subject of several government investigations in 2025.
Gianmarco Chumbe/CNET
Expert opinion: Is your current router still safe to use?
When I interviewed four cybersecurity experts, I was surprised to find that they generally supported the FCC taking steps to protect router security in theory, but were critical of its execution.
“This is going to impact a lot of harmless products to stem a real problem,” Budington said. “It’s also not particularly well targeted, because routers are only part of the problem, along with IoT devices.”
Concern about the risk to national security
The FCC says foreign-produced routers were “directly involved” in the Volt, Flax and Salt Typhoon cyberattacks. These attacks don’t necessarily target the average person’s data, but they can turn your router into a tool for malicious attacks.
“The individual user who owns the router probably doesn’t even know anything about it,” Butler said. “It’s happening in the background without their knowledge, and it doesn’t necessarily directly affect them in a way that they can notice.”
In the Salt Typhoon attack, hackers gained access to the data of millions of people through their Internet service providers, in an attempt to access information from court-sanctioned wiretaps. It was a particularly bold example of a tried-and-true hacker approach called “spray and pray”: Find the default login credentials and try them on as many connected devices as possible.
“It may only be one in 5,000 routers, but that one could be bingo,” Sergey Shykevich, director of threat intelligence at Check Point Research, told me of these types of attacks. “It’s usually simple. In many cases, you don’t have to be a very sophisticated actor, or even a nation state, to be successful.”
How to Secure Your Router Now
It’s just as easy for hackers to access a router’s default credentials as it is to change your own settings. Most routers have an app that lets you update your login credentials, but you can also enter your router’s IP address in your browser’s address bar to reach its settings. These login credentials are different from your Wi-Fi name and password, which also need to be changed every six months or so. It’s also a good idea to keep your firmware up to date, which you can do automatically in your router’s settings or by manually downloading updates in your router’s app or web portal.
When will we know more?
I wish I could name another time the FCC ordered a blanket ban on an entire category of consumer products, but nothing like this has happened before. Manufacturers can apply for “conditional approval” and they’re probably scrambling behind the scenes to make the cut. When I contacted the FCC for clarity on the order, I was referred to the commission’s “Covered List” FAQ page.
My best guess is that we’ll know more details about the banned companies over the next month or so — an estimate that was echoed by two industry watchers I spoke with. But the wait could be even longer. Budington told me he thinks router companies might wait until the ban is lifted rather than work to move their entire supply chains to the United States.
No matter how it plays out, we’ll probably consider this the most chaotic chapter in router ban history. Unless you need a new router right away, chances are you’ll be able to make a more informed decision within a month.