A recent edict from the Federal Communications Commission has security experts bracing for the worst. On March 23, the agency announced a sweeping ban on all new “consumer-grade” routers produced outside the United States. The decision sent shockwaves through boardrooms and living rooms alike: Because no major wireless router brands manufacture in the U.S. – including those headquartered stateside, such as Netgear – a ban on foreign routers is difficult to differentiate from a ban on routers, period.
But while the logistics will likely be worked out, security experts have more concerns. As pointed out in a Technology Policy Institute (TPI) white paper, the ban is ostensibly meant to improve national cybersecurity, preventing incidents such as the Volt Typhoon attack, which saw Chinese state-sponsored threat actors gain access to the networks of U.S. agencies such as the DoE, EPA, and TSA. It’s worth noting that Volt Typhoon primarily targeted routers from Netgear and Cisco, both American companies. Moreover, that attack was made possible not because of any meddling or intentional backdoors, but rather because Netgear and Cisco did not maintain a timely security update schedule for routers they had deprecated.
Wi-Fi is much less secure than many people assume, and a router with known vulnerabilities that have not been patched is like putting a sign on your front door that says, “The spare key is under the mat.” Here’s why the FCC has cyber experts flummoxed, and how these issues might affect your own network security.
The FCC is allowing updates for now, but security could degrade over time
There’s an inherent contradiction in the FCC’s ban on new foreign-made routers. These routers are now on the agency’s Covered List of products and equipment, which allegedly pose severe risks to national security. If it is indeed the case that foreign-made routers pose a clear and present danger to national interests, then why has the FCC stated that existing routers already installed in businesses and homes are exempt? “If the threat were urgent enough to justify bypassing all deliberation, one would expect the FCC to be taking emergency action on the installed base,” wrote the TPI’s Scott Wallsten. Instead, the ban seems set to create a looming cybersecurity catastrophe.
The FCC is currently allowing updates to existing routers for one year, but there’s no telling what will happen when that grace period expires in 2027. As noted above, a lack of security updates creates significant vulnerabilities in a router over time. Thorin Klosowski, a security and privacy expert at the Electronic Frontier Foundation, told Wirecutter, “While it’s true that consumer routers have had some issues in the past, those often proliferate because router manufacturers don’t issue patches or they don’t bother to notify people when their router is end of life and no longer receiving security updates.”
If you’re like the average consumer, you probably use the router that your internet service provider provided, and you’ve likely never thought about voluntarily upgrading it. When the grace period ends, millions of routers will stop receiving updates, and many owners will never notice. That means an untold number of networks will become easy targets for the exact sort of attacks the ban is ostensibly intended to prevent.
Should you worry about the routers in your home and workplace?
One of the things they don’t teach you about Wi-Fi is that it’s an inherently vulnerable technology, like any wireless standard. For all but the most security-hardened networks, the only thing stopping pretty much anyone with a Raspberry Pi and some free time from hacking your network is the fact that you’re probably not a very tempting target.
In the long term, it’s unclear whether the average internet user will face increased security threats as a result of the FCC’s ban. It is also unclear whether American manufacturing can ramp up to meet the national demand for new routers in time for the FCC’s one-year deadline. Although companies can apply for “Conditional Approval” from the FCC to continue selling routers, it requires companies to disclose manufacturing and financial details to the U.S. government and outline plans to start building routers in the U.S. It would be unsurprising if many router makers declined to participate in such a process. It’s hard to imagine a scenario in which the new policy does not lead to fewer choices and higher prices for American consumers.
Scarcity could compound the security dilemma described above, as noted by antimalware software company Malwarebytes. If American-made routers cannot be produced affordably or at the necessary scale, and if new routers from companies like TP-Link and Asus are not available in the U.S., users could end up holding onto old routers past the end of their support cycles. For now, make sure you’ve secured your network with a unique password and that none of the devices on your network have known vulnerabilities.
