US Bans New Foreign-Made Routers
▼ Summary
– The FCC has banned all new foreign-made consumer routers from being imported and sold in the US due to national security risks.
– This ban adds these routers to the FCC’s Covered List, preventing them from receiving the authorization required for sale.
– The restriction applies only to new devices, allowing already-authorized and existing consumer routers to remain in use.
– Security experts note the ban could cause major market disruption, as virtually no consumer routers are manufactured domestically.
– Critics argue the ban does not address core security issues like supply chain vulnerabilities or poor firmware update practices.
A new regulatory action by the US Federal Communications Commission now prohibits the import and sale of all new consumer-grade routers manufactured outside the United States. This decisive step stems from a national security review, with officials concluding that foreign-made routers present an unacceptable risk to public safety and critical infrastructure. By placing these devices on the FCC Covered List, the agency effectively blocks them from receiving the necessary authorization to enter the US market.
The policy, developed by a White House-led interagency group, cites significant concerns over supply chain exposure and potential cybersecurity threats. Authorities warn that routers produced overseas could contain hidden vulnerabilities or backdoors, making them susceptible to exploitation for espionage, intellectual property theft, or disruptive attacks on networks. The FCC encourages organizations to consider the Covered List as part of their risk management analysis for compliance purposes.
However, industry experts highlight substantial practical challenges. Ryan McConechy, Principal Security Architect at Barrier Networks, notes that virtually no consumer routers are currently made domestically. Major brands, including American companies, typically assemble products in countries like Taiwan and Vietnam. A blanket ban could therefore cause huge market disruption, as relocating complex manufacturing operations is a multi-year endeavor that may not be economically viable. In the short term, only basic assembly might feasibly shift to the US.
McConechy also questions the fundamental efficacy of the ban. He argues that simply changing a product’s final assembly location does not inherently eliminate security risks. Backdoors and spyware can still be integrated into components sourced from global supply chains, and security vulnerabilities will exist in router firmware regardless of where the device is built. Many past router compromises resulted not from state-level espionage but from basic issues like unpatched firmware and outdated software platforms, problems this policy does not directly address.
It is important to clarify that the restrictions target new devices seeking authorization. Routers already approved by the FCC can continue to be imported, sold, and used. Manufacturers may also apply for exemptions through a specific review process. This update expands the existing Covered List, which already restricts certain telecommunications and surveillance equipment on national security grounds.
The risks extend beyond physical manufacturing locations. McConechy points out that the infrastructure for managing routers and distributing firmware updates itself presents a target for attackers, a vulnerability independent of a company’s home country. Without more targeted policies to improve overall router security hygiene, such as mandating secure development practices and timely updates, the ban may not achieve its stated security goals. Furthermore, without substantial government support, it is unrealistic to expect manufacturers to reconfigure their global supply chains quickly enough to prevent consumer market shortages.
(Source: Help Net Security)