Key takeaways:
- The FCC has banned the sale of new foreign-made routers in the US, and this sweeping order applies to virtually every Wi-Fi router currently available in the US market.
- My expert advice is to hold off on purchasing a new router if you can.
- Under the current rules, banned routers will no longer receive essential security firmware and software updates after March 1, 2027.
- The FCC’s action has effectively frozen the entire market while router companies scramble to gain approval.
- More specific information on which router companies will be subject to the ban is expected to become clearer within the next month or two.
In my eight years of writing and reviewing broadband and routers, I’ve rarely seen news that I would describe as unprecedented. The FCC’s recent decision to ban foreign-made routers is absolutely unprecedented.
The sweeping order applies to any router in which any stage of “manufacturing, assembly, design and development” occurs outside the US — in other words, just about any router you can buy right now. The FCC order says that foreign-made routers pose “unacceptable risks” to national security.
The ban doesn’t apply to routers that were already authorized by the FCC — that is, every router that’s currently for sale in the US — and will only impact new models that haven’t been approved yet. That means every router that was available before the order is still available today, and router companies can still restock them using their existing manufacturing processes.
Essentially, the FCC is freezing the entire router market. As William Budington, a technologist for the digital rights nonprofit Electronic Frontier Foundation, put it to me, “This is using an extremely blunt instrument.”
Where previous FCC bans have been limited to specific companies, such as last year’s push to ban TP-Link routers, this one affects an entire industry. So where does that leave someone who needs a new Wi-Fi router? Should you buy a model you’ve had your eye on in case it sells out? Or is it better to wait and see which companies the FCC considers foreign-made?
I know what I would do, but I gut-checked my advice with some industry experts. Turns out, we agree.
My advice: Hold off on buying a new router for now
When I first saw the FCC’s announcement, I couldn’t stop thinking about how much chaos this would introduce to the US router market. As I tried to tease out which manufacturers would count as “foreign-made,” it quickly became clear how deeply international the supply chains for routers are.
Understanding the scope of the ban
Take Netgear. While it’s a US-founded and headquartered company, it manufacturers routers in Vietnam, Thailand, Indonesia and Taiwan. With the exception of Starlink — the company says its newer routers are made entirely in Texas, according to the BBC — I couldn’t find a single router brand that’s homegrown.
I don’t have any issues recommending routers that were manufactured abroad. After all, they’d already gone through the FCC’s authorization process, and I haven’t seen convincing evidence that any one router brand has more hardware vulnerabilities than another.
Thomas Pace, CEO of cybersecurity firm NetRise, told me last year during an interview about the potential TP-Link ban: “We’ve analyzed an astonishing amount of TP-Link firmware. We find stuff, but we find stuff in everything.”
I just finished testing, reviewing and rating over 30 routers, and after years of resistance, I finally concluded that Wi-Fi 7 routers are worth the money for the speeds you get. While I stand by my recommendations, with this ban in place, the router you buy today may not be any good in a year.
The future-looking security risk
Then I saw the FCC’s Public Notice on the ban, which specifies that manufacturers can continue providing software and firmware updates “at least until March 1, 2027.” That means if you own a foreign-made router — if you own any router, in other words — it won’t be able to get security patches after that deadline.
That’s why I think the wise move here is to wait on buying one if you can. Keeping your router’s firmware up-to-date is an essential part of securing your home network. If you buy from a router company that doesn’t get an exemption from this ban, you risk having an unsecured device a year from now.
It’s an ironic side effect of an order that is ostensibly designed to keep Americans safer: They may no longer be able to get the latest security fixes.
“If you’re limiting the ability of people to get security updates, then you’re making the problem worse, not better,” Alan Butler, senior counsel at the Electronic Privacy Information Center, told me. “A lot of those routers are going to turn into pumpkins in a year unless they extend this waiver.”
By saying you can update your firmware “at least until March 1, 2027,” the FCC does leave some wiggle room for an extension. But until we know more about which companies the FCC considers foreign-made and which will be exempt, I wouldn’t feel comfortable recommending spending money on a new router right now.
Advice for immediate router needs
If your old router stopped working, I’m not going to tell you to wait for clarity from the FCC to get back on Wi-Fi — the timeline for concern is more in years than months. A good compromise might be to buy an older budget router rather than the latest Wi-Fi 7 model you’ve had your eye on. But if you can afford to wait a month or two, it’s worth exercising some caution.
“I do think this is going to become a mess very quickly,” Butler said.
This is the messiest point in the process we’re likely to see. As the dust settles in the coming weeks, we’ll likely have better information on which routers will still be safe to use a year from now.
TP-Link is one of the most popular router brands in the US, and the subject of several 2025 government investigations.
Gianmarco Chumbe/CNETExpert opinion: Is your current router still safe to use?
When I polled four cybersecurity experts, I was surprised to find that they were generally in favor of the FCC taking action to protect router security in theory, but critical of the execution.
“It’s going to impact many harmless products in order to stem a real problem,” Budington said. “It’s also not particularly well-targeted, since routers are only one part of the problem, along with IoT devices.”
The concern for national security risk
The FCC says that routers produced abroad were “directly implicated” in the Volt, Flax and Salt Typhoon cyberattacks. These attacks aren’t necessarily targeting an average person’s data, but they can turn your router into a tool to be used in malicious attacks.
“The individual user who owns the router probably doesn’t even know anything about it,” Butler said. “It’s happening in the background without their knowledge, and it’s not necessarily affecting them directly in any way that they can notice.”
In the Salt Typhoon attack, hackers gained access to data from millions of people through their internet providers, aiming to gain access to information from court-authorized wiretaps. It was a particularly bold instance of a tried-and-true hacker approach called “spray and pray”: Find default login credentials and try them on as many connected devices as you can.
“It can be only one router out of 5,000, but that one can be a bingo,” Sergey Shykevich, a threat intelligence manager at Check Point Research, told me about these types of attacks. “It’s mostly just easy. In many cases, you don’t have to be a very sophisticated actor, or even nation-state, in order to be successful.”
How you can secure your router right now
It’s just as easy for hackers to gain access through a router’s default credentials as it is for you to change your own settings. Most routers have an app that lets you update your login credentials from there, but you can also type your router’s IP address into a URL. These are different from your Wi-Fi name and password, which should also be changed every six months or so. It’s also a good idea to keep your firmware updated, which you can do automatically in your router’s settings or by manually downloading updates in your router’s app or web portal.
When will we know more?
I wish I could point to another time when the FCC ordered a blanket ban on an entire category of consumer products, but nothing like this has happened before. Manufacturers can apply for “Conditional Approval,” and they are likely scrambling behind the scenes to make the cut. When I reached out to the FCC for more clarity on the order, I was referred to the commission’s “Covered List” FAQ page.
My best guess is that we’ll learn more specifics on which companies are banned in the next month or so — an estimate that was echoed by two industry observers I spoke with. But the wait could be even longer. Budington told me he thinks router companies might wait until the ban is lifted rather than hustle to try to move their entire supply chains to the US.
No matter how it shakes out, we’ll likely look back on this as the most chaotic chapter of the router ban story. Unless you need a new router immediately, there’s a good chance you’ll be able to make a more informed decision a month from now.
