Key takeaways:
- The Federal Communications Commission has banned the sale of new routers made in other countries in the US. The sweep command works on almost every Wi-Fi router currently available in the US market.
- After talking to seven industry experts, I recommend holding off on buying a new router if you can.
- Under current rules, blocked routers will no longer receive critical security firmware and software updates after Jan. 1, 2029.
- The FCC’s action effectively shut down the entire market while router companies fought to gain approval.
- More information about which router companies will be subject to the ban is expected to become clearer within the next month or two.
In my eight years of writing and reviewing broadband and routers, I have never seen a story that I would describe as unprecedented. The FCC’s March 23 decision to ban foreign-made routers is unprecedented.
The sweeping order applies to any router where any stage of “manufacturing, assembly, design and development” takes place outside the US — in other words, almost any router you can buy right now. The argument is that they pose “unacceptable risks” to national security. Ironically, the order also prevents routers made in other countries from receiving important security updates after Jan. 1, 2029, an extension of the original deadline of March 1, 2027.
The ban doesn’t apply to routers that have already been approved by the FCC — only newer models that haven’t yet been approved. That means every router that was available before the order is still available today, and router companies can still recycle them using their existing manufacturing processes. So far, both Eero and Netgear have received exemptions from the ban, and will be able to sell new models in the US going forward.
Basically, the FCC is freezing the Wi-Fi router market. As William Budington, an expert at the digital rights nonprofit Electronic Frontier Foundation, put it to me, “This is using an extremely blunt tool.”
Where previous FCC bans have been limited to specific companies, such as last year’s push to block TP-Link routers, this affects the entire industry. So where does that leave someone who needs a new one Wi-Fi router? Should you buy a model you’ve had your eye on just in case it goes on sale? Or is it better to wait and see what companies the FCC thinks are foreign made?
I know what I would do, but I checked my advice with four cybersecurity experts. It turns out, we agree.
My advice: Hold off on buying a new router just yet
When I first saw the FCC announcement, I couldn’t stop thinking about how much chaos it would introduce to the US router market. As I tried to tease out which manufacturers might be considered “outsiders,” it quickly became clear how deep the routers’ supply chains run.
Understanding the scope of the ban
Take Netgear. Although it is a US-based and headquartered company, it builds routers in Vietnam, Thailand, Indonesia and Taiwan. According to a recent report by the trade group Global Electronics Association, “Almost no consumer electronics are manufactured entirely in the United States.”
I have no problems recommending routers manufactured abroad. After all, they just went through the FCC approval process, and I haven’t seen any conclusive evidence that any router type has more hardware risks than another.
Thomas Pace, CEO of cybersecurity firm NetRise, told me last year during an interview about the possibility. TP-Link Restrictions: “We analyzed an incredible amount of TP-Link firmware. We find things, but we find things in everything.”
I’ve just finished testing, reviewing and rating over 30 routers, and after years of resistance, I’ve finally concluded. Wi-Fi 7 routers cost money at the speed you get. While I stand by my recommendations, with this restriction, the router you buy today may not be as good in a year.
A visible security risk
Then I saw the FCC’s Public Notice about the ban, which specifies that manufacturers can continue to provide software updates and firmware updates “until at least March 1, 2027,” which has been extended to at least Jan. 1, 2029. That means if you own a router made in another country — if you own any router, in other words — it won’t get the security deadline.
That’s why I think the smart move here is to wait and buy one if you can. Keeping your router’s firmware up to date it is an important part of securing your home network. If you buy from a router company that doesn’t get an exemption from this ban, you risk having an unprotected device a year from now.
It’s an ironic side effect of an order ostensibly designed to keep Americans safe: They may no longer be able to get the latest security fixes.
“If you limit people’s ability to get security updates, you’re making the problem worse, not better,” said Alan Butler, senior counsel at the Electronic Privacy Information Center. “Most of those routers will turn into pumpkins in a year unless you extend this waiver.”
By saying you can update your firmware”at least until Jan. 1, 2029,” the FCC is leaving some wiggle room for extension, and the Commission has suggested it may remove the deadline altogether. But until we know more about which companies the FCC thinks are foreign-made and which will be exempt, I don’t feel comfortable recommending spending money on the new route just yet.
“The risk is real,” said Rik Ferguson, vice president of intelligence at cybersecurity firm Forescout. “If you find yourself in a situation where that update pipeline is closed, then you have to consider whether you want to continue using that device.”
“Vulnerability continues to evolve over time, because there is a high probability that there will be a new vulnerability that you cannot fix,” added Daniel Dos Santos, vice president of research at Forescout.
Advice for urgent router needs
If your old router stops working, I wouldn’t tell you to wait for the FCC to give you the all-clear to switch back to Wi-Fi — the timeline for concern is more years than months. A good compromise might be to buy an older budget router than the latest Wi-Fi 7 model you’re looking at. But if you can wait a month or two, it’s worth using caution.
“I think this is going to be a mess very quickly,” Butler said.
This is the worst point in the process that we are likely to see. As the dust settles in the coming weeks, we’ll likely have a better idea of which routers will still be safe to use a year from now.
TP-Link is one of the most popular router brands in the US, and the subject of multiple government investigations in 2025.
What if you rent your router from your ISP?
Where does this order come from? 70% are American who rent their internet equipment from their internet provider? The FCC ban will affect them too, as they rely heavily on routers made in other countries.
Actually, my advice is no different than that of people who own their own routers: Don’t panic, and wait to see how things go. If you haven’t upgraded your equipment in a few years, now might be a good time to call your ISP and ask what options are available. But it’s unlikely they’ll replace them on their own, says Doug Dawson, a veteran broadband analyst and author of the POTs and PANs industry blog.
“I don’t see a lot of these things being replaced, because it’s a lot of money,” Dawson said. “I would guess before any firmware update deadline, they will release those three days before then and cross their fingers that they don’t start seeing problems.”
Expert opinion: Is your current router still safe to use?
When I surveyed four cybersecurity experts, I was surprised to find that they were generally in favor of the FCC taking action to protect network security in theory, but criticized the execution.
“It’s going to impact a lot of harmless products to prevent a real problem,” Budington said. “And it’s not well targeted, because routers are only one part of the problem, as well as IoT devices.”
Concerns about national security risk
The FCC says routers manufactured abroad were “directly affected” by Volt, Flax and Salt Storm cyber attacks. This attack doesn’t necessarily target man-in-the-middle data, but it can make your router a tool to be used in a malicious attack.
“Every user who owns a router probably doesn’t know anything about it,” Butler said. “This is happening behind the scenes without their knowledge, and it doesn’t directly affect them in any way that they can see.”
In the Salt Storm attack, hackers gained access to data on millions of people through their internet providers, with the aim of obtaining information from court-ordered wiretaps. It was a bold example of the tried-and-true hacking method called “pray and pray”: Get the default login information and try it on as many connected devices as possible.
“It could be only one router in 5,000, but that would be bingo,” Sergey Shykevich, manager of threat intelligence at Check Point Research, told me about these types of attacks. “It’s mostly simple. In most cases, you don’t have to be a top actor, or even a country, to be successful.”
How to secure your router right now
It’s just as easy for hackers to gain access to your router’s default credentials as it is for you to change your settings. Most routers have an app that allows it update your login information from there, but you can also type your router’s IP address into a URL. This is separate from your Wi-Fi name and password, which should also be changed every six months or so. It’s also a good idea to keep your firmware updated, which you can do automatically in your router’s settings or by manually downloading updates from your router’s app or web portal.
When will we know more?
I wish I could point to another time when the FCC ordered a blanket ban on an entire category of consumer products, but nothing like this has happened before. Manufacturers can apply for “Conditional Approval,” and may be backstabbing for a decision. When I reached out to the FCC for more clarification on the order, I was directed to the commission’s “Consolidated List” FAQ page.
My best guess is that we’ll learn more about which companies are banned in the next month or so — an estimate borne out by two industry observers I spoke to. But the wait could be even longer. Budington told me that he thinks router companies can wait until the ban is lifted rather than rush to try to move all their chains to the US.
Regardless of how it pans out, we’ll probably look back on this as the most tumultuous chapter in the router ban story. Unless you need a new router right away, there’s a good chance you’ll be able to make a more informed decision a month from now.
