On March 23, the FCC added all foreign-made consumer routers to its Covered List, and if you only read the headlines, you might think your Wi-Fi was about to go dark. The coverage was understandably everywhere, with allegations of national security threats, Chinese espionage, a looming router shortage, and the end of cheap networking equipment as we know it being the main talking points. It's easy to assume you should be worried when the very technology that runs your home network is portrayed as if it's under siege.
To be honest, I'm not here to tell you that this doesn't matter at all, because it will matter, probably a lot, in the coming years. But if you already own a router, or you're planning to buy one that's on shelves right now, this ban changes practically nothing for you today. The panic is premature, and the actual rules aren't really doing anything for the products on the market today.
The backstory that led to this
Years of escalating threats
First, to get it out of the way, this ban didn't come out of nowhere. The FCC's Covered List has been building for years, starting with Huawei and ZTE telecommunications equipment back in 2021, then adding Hikvision and Dahua surveillance cameras, and eventually Kaspersky security software in 2024. Each addition follows the same pattern as the last: a national security determination is made that the equipment poses an unacceptable risk, followed by a ban on new authorizations while grandfathering anything already in the field.
The router ban is the latest addition, but it's also the broadest thus far. Instead of targeting a single company, the FCC went after all foreign-made consumer routers. The justification leans heavily on a series of cyberattacks suspected to be sponsored by the Chinese government. These attacks have collectively been some of the most alarming cybersecurity incidents in recent American history.
Volt Typhoon was the first major one to make headlines. In early 2024, the FBI and CISA revealed that alleged Chinese state hackers had been quietly compromising small office and home office routers since at least 2021, building a botnet called KV Botnet. They hijacked hundreds of end-of-life Cisco and Netgear routers and used them as launch points for attacks on American critical infrastructure, including water treatment facilities and power grids. The FBI took the botnet down in January 2024, but the underlying problem that consumer routers are soft targets didn't go away.
Then came Salt Typhoon, which was worse. Starting in mid-2024, a different alleged Chinese state group breached a series of major US telecoms, including AT&T, Verizon, and T-Mobile. They accessed call metadata from millions of users, and, most alarmingly, compromised the systems ISPs use to execute court-authorized wiretaps. The FBI and CISA later confirmed the group had seemingly expressed interest in over 600 companies across 80 countries. By August 2025, Salt Typhoon was still active, targeting unpatched Cisco edge devices.
And running alongside all of this was a separate concern about TP-Link specifically. In May 2023, Check Point Research published findings on a Chinese APT group called Camaro Dragon that had built a custom firmware implant called "Horse Shell" designed specifically for TP-Link routers. The implant gave attackers persistent access and the ability to relay traffic through compromised home networks, and it wasn't targeting high-value networks specifically. Instead, it was infecting ordinary residential routers to build anonymous infrastructure. Later that year, Microsoft reported tracking a network of compromised TP-Link devices that multiple Chinese state-sponsored groups had been abusing since 2021.
TP-Link's market position made this especially uncomfortable for regulators. The company reportedly grew from roughly 10% of the US home router market in 2019 to around 65% by 2025, allegedly because it was undercutting competitors on price. The Department of Justice opened a criminal antitrust investigation into whether that growth involved predatory pricing, and the Departments of Commerce and Defense launched their own national security probes. TP-Link has denied all of it, calling the allegations inaccurate. This includes the allegations regarding its market share, as it claims to have only 10% of the US market.
Asus has its own history, too. In 2016, the FTC settled with the company over security flaws in its routers that left hundreds of thousands of consumers exposed. The default login credentials on every Asus router were "admin" and "admin," and a vulnerability in its cloud storage feature led to hackers accessing over 12,900 consumers' connected storage devices. Asus agreed to 20 years of independent security audits as part of the settlement.
So when the FCC dropped the router ban in March, it wasn't a sudden move, but rather a culmination of years of escalating incidents, investigations, and increasing regulatory scrutiny.
What the ban actually does
And, more importantly, what it doesn't do
The FCC's Covered List works by blocking new FCC equipment authorizations, and if a router already has an FCC ID, which every router legally sold in the US does, it's grandfathered in. In other words, you can keep using it, retailers can keep selling it, and new stock of that same model can still be imported.
For example, if you bought a TP-Link Archer or an Asus RT-AX router last year, nothing changes. Walk into Best Buy tomorrow and pick up a model that was certified before March 23, and that's perfectly legal. The FCC's own FAQ says that "foreign-produced routers that have previously received FCC authorization may continue to be imported, sold, and used in the U.S."
What is blocked is any brand new model that hasn't gone through FCC authorization yet. If TP-Link had a next-generation Wi-Fi 7 router ready to launch in April, that device can't get certified and can't be sold here. That might be a problem for certain industries, but it's not for someone who needs a working router today.
Firmware updates aren't going away either, at least not yet. The FCC's Office of Engineering and Technology issued a blanket waiver allowing manufacturers to keep pushing security patches and software updates to previously authorized routers until March 1, 2027. The FCC has indicated this deadline may be extended. In practice, and this isn't a good thing in the slightest, most consumer routers already fall off the update cycle well before a year has passed anyway.
So, if a router model doesn't have an FCC ID, it can't be imported or used in the US, regardless of whether it's a commercial shipment or something you tossed in your suitcase while traveling abroad. This has always been the rule for any wireless device, aside from personal allowances under specific exemptions. The new restrictions don't change that mechanism but rather expand what can't get authorized in the first place. Previously authorized models are still fair game if you're buying abroad, but new hardware that was never certified for the US market is off the table.
The security argument has some uncomfortable contradictions
Your smart devices are unharmed
What bothers me about the framing of this ban is that, for all the talk of national security threats, nobody has published evidence of an intentional backdoor in a TP-Link router. Or in any other major consumer router that would be affected by this ban. Not the FBI, not CISA, not any independent security researcher. When Check Point discovered the Horse Shell implant on TP-Link devices in 2023, the researchers themselves noted that the malware was "firmware-agnostic" and could have been deployed on routers from other vendors just as easily. The vulnerability wasn't something TP-Link built in, but rather something attackers found and exploited, the same way they exploit bugs in Cisco, Netgear, and Fortinet hardware.
Brian Krebs made the same point when covering the proposed ban back in 2025: TP-Link's security posture more or less mirrors that of its competitors, and its competitors source components from the same factories in China and Taiwan. What's more, former Federal Communications Commissioner Michael O’Rielly actually disagrees with the point that lawmakers tried to make using the Hudson Institute paper that he co-authored. He said that his paper "makes no accusation that TP-Link has done anything wrong. Likewise, there is no evidence to suggest negligence or maliciousness with regard to past vulnerabilities or weaknesses in TP-Link's security." Even the DOJ's own botnet takedown in January 2024, the one tied to Volt Typhoon, targeted Cisco and Netgear routers. Not TP-Link.
That doesn't mean there's no risk. But the theoreticals are doing a lot of heavy lifting when the actual attacks we've seen exploited the same kinds of bugs that plague the entire router industry: default credentials, unpatched firmware, and management interfaces exposed to the internet. The controversies surrounding TP-Link pale in comparison to what you'd think the company had been up to, given how often it's in the news. For example, the company had a partnership with Avira that saw it sending tens of thousands of requests in 24 hours. However, the context here matters, as Avira is a German company it worked with to power some of its security features. Was it a good look? Probably not, but it's hard to frame that as malicious.
But it gets even weirder than that. The entire justification for this ban is built on cyberattacks alleged to be state-sponsored from China: Volt Typhoon, Salt Typhoon, and Camaro Dragon. But the ban itself doesn't target Chinese-made routers. It targets all foreign-made routers. A router assembled in Japan is banned the same as one assembled in Shenzhen. A router manufactured in a European facility by a European company with no ties to any foreign nation aside from the country it came from can't get new FCC authorization, either. If the threat is specifically Chinese state actors compelling Chinese companies to compromise their hardware, why does the policy treat a router from an allied democracy the same as one from an adversary?
The previous Covered List additions were targeted. Huawei and ZTE were named specifically. Kaspersky was named specifically. This time, the FCC went broad, banning everything foreign-made rather than naming the companies or countries it's actually worried about. A former FCC official called it "a big swing" that lacked "sophisticated implementation." Milton Mueller, a professor at the University of Georgia's School of Public Policy and founder of the Internet Governance Project, put it bluntly: the ban makes sense "if you see it as an exercise in industrial policy disguised as cybersecurity."
Mueller also pointed out something that I think deserves more attention: Netgear, an American-headquartered company that would directly benefit from Chinese competitors being locked out of the US market, actively lobbied for the ROUTERS Act that preceded this ban. That doesn't prove the policy is protectionist, but it doesn't exactly dispel the impression either.
And if state-sponsored hacking via consumer networking equipment is the actual concern, the scope of this ban is oddly narrow. Routers aren't the only devices on your home network with a foreign-made chipset and a firmware stack that could theoretically be compromised. Managed switches, wireless access points, NAS devices, smart home hubs, IoT sensors, all of them run software, all of them connect to your network, and almost all of them are manufactured overseas. If a TP-Link router is a national security risk because it could be compromised by a foreign state, then so is a TP-Link smart plug, a TP-Link security camera, or for that matter, a Hisense TV with a microphone. The FCC didn't touch any of those.
Why are updates allowed?
A national security risk would mean banning the software, too
There's one other major contradiction that I haven't seen many people talking about. The FCC banned new router models from entering the market on the basis that foreign-made routers pose "unacceptable risks to the national security." But at the same time, the FCC issued a blanket waiver allowing those same manufacturers to keep pushing firmware updates to the routers already in people's homes, at least until March 2027.
If the concern is that a foreign manufacturer could be compelled by its government to compromise its hardware, then firmware updates are the single most obvious way to do it, especially as a "last hurrah" given that they've now been banned. A malicious firmware update pushed to millions of routers already inside American homes would be far more damaging than anything a new router model could do on its own. And yet the FCC is explicitly allowing that to continue. It's hard to square "these companies can't be trusted to sell you a new router" with "but they can keep pushing code to the one you already own."
The most charitable reading is that the FCC understands cutting off security patches immediately would leave millions of devices exposed, and that's worse than the theoretical risk of a compromised update. That's probably right. But it also makes me question where the actual risk assessment lands: the FCC itself doesn't seem to believe that these manufacturers are an imminent threat to the devices they've already shipped. But they're a threat to future, theoretical devices?
The attacks that justified this ban overwhelmingly targeted end-of-life devices running unpatched firmware with weak credentials. They weren't exploiting hardware-level backdoors in new routers. The KV Botnet was built on Cisco RV320 and Netgear routers that had been abandoned by their manufacturers years earlier. The Internet Governance Project pointed out that this policy paradoxically "targets the very devices most likely to have modern, auto-updating security features" while allowing "insecure, aging devices that state-sponsored actors are currently exploiting."
The devices that were actually exploited can still be used. The newer, more secure replacements are the ones that can't enter the market. Wi-Fi 7 routers from foreign manufacturers can't get new FCC authorization now, which means anyone who would have upgraded is more likely to stick with their aging Wi-Fi 6 or even Wi-Fi 5 hardware. If you can't easily buy a newer, better-secured router, you're more likely to keep running the old one that's actually at risk.
What even counts as "American-made"?
Can routers even run Linux?
The FCC's definition of "produced in a foreign country" doesn't just mean final assembly. It covers "any major stage of the process through which the device is made, including manufacturing, assembly, design, and development." So a router designed in California but assembled in Vietnam is covered. A router with a PCB fabricated in Taiwan for a US company is covered. The brand's country of origin doesn't matter.
This creates an obvious problem: there are almost certainly zero consumer routers that would pass this test. The entire industry has been offshored for decades. Chips come from Taiwan and South Korea, PCBs are fabricated across Southeast Asia, and firmware often runs on Linux kernels maintained by developers scattered across every continent. Moving final assembly to American soil doesn't meaningfully change the security profile of a device whose hardware and software supply chains span the globe. In fact, if Linux isn't American enough for the FCC's evaluation, and "development" is considered part of the process, then this might require a whole new software stack. And that wouldn't necessarily make routers safer either. If anything, replacing mature, widely scrutinized software with a newer bespoke platform could create fresh security risks of its own.
Funnily enough, the Internet Governance Project also noted that over 90% of the devices compromised in the Typhoon campaigns used US-based processor architectures and were made by American-adjacent vendors like Juniper, Cisco, and Fortinet. Where the box was assembled didn't correlate with whether it got hacked. So... what's the point?
The conditional approval process isn't about security
It's not even mentioned
The FCC has set up a conditional approval process that, on paper, lets manufacturers apply for exemptions. In practice, it's not a security review. The application requires "a detailed, time-bound plan to establish or expand manufacturing in the United States," documentation of "committed and planned capital expenditures" for US-based production, and quarterly status updates on onshoring progress. If you're approved, you get a temporary exemption, typically up to 18 months.
Notice what's not in that list: security testing, independent code audits, vulnerability disclosure requirements, or any technical evaluation of whether the router is actually safe. A manufacturer could build the most thoroughly audited, security-hardened router on the planet, and if it's assembled in Vietnam without plans to be manufactured in the United States, it can't get authorized. A router assembled in Texas with the exact same firmware, the same Chinese-made chipset, and the same global open-source software stack would sail through. The process is asking "are you willing to move production to America?", not "is this router secure?"
The Software Freedom Conservancy pointed out that manufacturing domestically costs at least double what it does in Asia, and that "user freedom can't wait" for US manufacturing capacity to catch up. For budget router makers, this becomes an economic hurdle more than a security one. And as of right now, no conditional approvals for routers have been granted, though a few drone makers cleared a similar process in late 2025.
This will matter
Just not yet
None of this means the security concerns regarding allegations of Chinese state-sponsored hacking are overblown. They're not. Salt Typhoon was one of the worst telecom breaches in American history, and the Camaro Dragon campaign showed that residential routers are being deliberately targeted as infrastructure for espionage. But the policy response is blunt in a way that doesn't map cleanly onto the actual threat, and the contradictions are hard to ignore.
Over time, the ban means fewer new router options and potentially higher prices as domestic manufacturing costs kick in. Brands like TP-Link and Asus will either need to start building in the US, secure conditional approval, or effectively exit the American market for new products. For budget-conscious buyers who relied on TP-Link's sub-$100 mesh systems, the options could thin out considerably.
But for the average home user today, there's nothing to do. Your router still works, everything on shelves is still legal to buy, and firmware updates will keep coming for at least another year. This is a story about where the router industry is headed, not an emergency that demands you do anything right now.
