The US Federal Communications Commission (FCC) has banned the import and sale of all “consumer-grade” internet routers produced in a foreign country, citing “an unacceptable risk” to the national security of the US.
The ban, announced in an FCC public notice on March 23, means that all such routers made in foreign countries – not just a few select Chinese vendors – are now placed on the FCC’s covered list.
The only exceptions include routers that have been granted a conditional approval by the US Department of Defense (DoD) or Department of Homeland Security (DHS). At the time of writing, the list of exceptions only includes drone systems and online surveillance systems.
The agency highlighted that foreign-made routers “were directly implicated” in the Volt, Flax and Salt Typhoon cyber-attacks which targeted critical American communications, energy, transportation and water infrastructure.
Consumer Routers Under Fire
While the public notice sounds like a blanket ban of all foreign-made routers in the US, the FCC specifically banned “consumer-grade routers” as defined in NIST Internal Report 8425A, which refers to ones “intended for residential use and can be installed by the customer.”
Existing Wi-Fi and wired routers currently in use may continue operating without restriction.
Futher, companies that have previously secured FCC radio authorization for specific foreign-manufactured networking equipment are permitted to maintain imports of those approved models.
However, since nearly all consumer-grade routers are produced outside the US, the FCC’s action effectively prohibits the import of the majority of future consumer router models.
Shane Barney, CISO at Keeper Security, warned that focusing solely on country-of-origin risks oversimplifying a much broader security challenge.
“In enterprise environments, routers and network devices are seen not just as connectivity tools, but as high-value control points that sit outside traditional security oversight. That risk is often compounded through weak governance rather than manufacturing geography,” he said.
“Network infrastructure is frequently under-managed, lacks consistent patching and operates without integration into modern identity and access management frameworks. This creates an ideal foothold for attackers seeking persistent, low-visibility access into corporate environments.”
For instance, in the Volt Typhoon and Salt Typhoon cyber-attacks, Chinese state-backed hackers primarily exploited vulnerabilities in Cisco and Netgear routers which were susceptible because their manufacturers had discontinued security updates for those specific, end-of-life models.
US firm Netgear is understood to manufacture its routers in locations like Taiwan and Vietnam, meaning the firm will likely be heavily affected by the ban.
Two major Chinese router makers, Huawei and ZTE, were placed on agency’s covered list in 2021.
Another Chinese provider, TP-Link, is still widely used in the US. The company has taken recent steps to reduce its association with China, including a 2022 corporate restructuring that separated it from its Chinese parent entity.
In 2024, the company established a global headquarters in California. TP-Link sued US firm Netgear in November 2025 for suggesting that TP-Link had been infiltrated by the Chinese government.
