The head says it. On March 23, 2026, in an unexpected move, the Federal Communications Commission (FCC) announced it would ban all new consumer-grade routers manufactured abroad for national security reasons. This applies to hardware made in all other countries, regardless of the manufacturers’ nationality.
In a way, this new development is a surprising end to the years-long saga in which the US government mulled banning TP-Link routers for the same reasons.
Dong’s note: On March 30, the FCC published a comprehensive FAQ on its router ban. As a result, I updated this post, which was originally published on March 25, to add more information, including the FCC’s take on firmware updates for existing foreign-made routers.
FCC router bans: The specifics
Routers are essential and ubiquitous equipment—each home or office network needs one. The FCC defines routers as “consumer-grade network devices” that “forward data packets, most commonly Internet Protocol (IP) packets, between networked systems.”
Generally, whoever controls the router owns the traffic passing through it and can dictate what happens behind the scenes, far beyond what you see on your screens.
On this front, the FCC shared a National Security Determination regarding the unacceptable risks posed by routers produced in foreign countries that, among other things, read:
“Recently, malicious state and non-state sponsored cyber attackers have increasingly leveraged the vulnerabilities in small and home office routers produced abroad to carry out direct attacks against American civilians in their homes. From disrupting network connectivity to enabling local networking espionage and intellectual property theft, foreign-produced routers present unacceptable risks to Americans. Additionally, routers produced abroad were directly implicated in the Volt, Flax, and Salt Typhoon cyberattacks, which targeted critical American communications, energy, transportation, and water infrastructure. Routers in the United States must have trusted supply chains so we are not providing foreign actors with a built-in backdoor to American homes, businesses, critical infrastructure, and emergency services.”
And that’s the premise behind this FCC router ban, which took effect on March 23, 2026. Specifically, starting that day, any routers produced in a foreign country will automatically be added to the existing ban list (called Covered List), which includes all previously banned networking hardware.
According to the announcement, “new devices on the Covered List, such as foreign-made consumer-grade routers, are prohibited from receiving FCC authorization and are therefore prohibited from being imported for use or sale in the US”.
This new development is surprising because it’s much broader than the FCC’s previous plan to ban only TP-Link routers due to alleged tie to the Chinese government. Most importantly, virtually all routers I’ve worked with are made outside the US—primarily in China, Indonesia, Taiwan, Thailand, or Vietnam.
The only US-made routers I’m aware of (and have limited experience with) are those from StarLink, as they carry no country-of-origin marking required for US imports.
So the question is, does this ban mean US consumers can no longer buy new routers? Not necessarily.
Exceptions and Conditional Approval
The ban applies only to new routers that have not yet been authorized or even manufactured.
The FCC states clearly in its ban announcement:
- The (updated) Covered List does not prohibit the import, sale, or use of any existing device models the FCC previously authorized.
- This action does not affect any previously purchased consumer-grade routers. Consumers can continue to use any router they have already lawfully purchased or acquired.
- Producers of consumer-grade routers that receive Conditional Approval from the Department of War (DoW) or the Department of Homeland Security (DHS) can continue to receive FCC equipment authorizations.
Here are a couple of finer points I learned from the newly published FAQ:
- Routers made in the US with foreign components are not automatically added to the Covered List unless the “covered” component is a modular transmitter under the FCC’s rules.
- Foreign-made routers (those on the Covered List) can be imported in small batches for product development purposes, provided they are not marketed or sold.
- The Covered List is not enforced retrospectively. Specifically, consumers can continue to use their existing legally acquired router, whether or not it’s currently on the updated Covered List.
- Consumers are not allowed to buy a router on the Cover List abroad and bring it home to use. (This has been the case with any router not approved by the FCC.)
- The ban also applies to hardware installed by professionals for residential use, including SP-provided residential gateways.
Considering that there are already plenty of routers, including those supporting the latest Wi-Fi 7 standard, that have been authorized, this ban has no immediate effect on the US networking market.
However, going forward, new routers, especially those supporting the upcoming Wi-Fi 8, will need to be manufactured in the US or granted Conditional Approval, which is determined on a case-by-case basis via an application process. Additionally, it’s safe to say that fewer new router models will be introduced in 2026 than in previous years.
Banned routers and firmware updates
The most interesting question on the FCC’s recently published FAQ page concerned firmware updates for currently authorized foreign-made routers, which, again, are virtually all standard Wi-Fi routers sold in the US.
The FCC linked to a waiver document that, among other things, reads:
“All routers authorized for use in the United States may continue to receive software and firmware updates that mitigate harm to U.S. consumers at least until March 1, 2027. These include all software and firmware updates to ensure the continued functionality of the devices, such as those that patch vulnerabilities and facilitate compatibility with different operating systems.”
From the looks of it, if you buy a new router now, you’ll have only about one year of “authorized” firmware support. That brings up a big question: what if these routers have a vulnerability that needs to be patched after March 1, 2027?
The “at least” language of the waiver suggests that the authorized routers will be allowed to receive firmware updates beyond that date, but it’s unclear whether that’d require a further extension or a specific permit.
Firmware is what dictates the function of hardware, similar to an operating system in a computer. For this reason, it makes sense that the FCC wants to regulate or restrict firmware updates to prevent the potential weaponization of the hardware. However, entirely banning firmware updates would surely make the router less secure when a vulnerability needs to be patched.
My take is that on this front, we’ll need to wait until next year to find out.
Reactions from hardware vendors
I contacted a few popular networking vendors about the new ban, and none, seem overly concerned. So far, only three have offered their official responses.
TP-Link Systems Inc., the popular Chinese-yet-not-so-Chinese hardware vendor, once the heart of the whole router-ban saga, seems to take solace in the fact that the new FCC router ban put all hardware vendors under the same scrutiny. Here’s its spokesperson’s statement:
“This action from the FCC appears to affect virtually all new consumer-grade routers seeking authorization to be sold in the United States. Because nearly every manufacturer in this sector produces hardware abroad or relies on a global supply chain, this new requirement will set a bar for the entire industry. Placing all manufacturers and their supply chains under the same scrutiny is a positive step in the direction of making the router industry more secure.
We are confident in the security of our supply chain. TP-Link has been committed to making further investments in America and has already been planning to establish U.S.-based manufacturing to complement our existing company-owned facilities in Vietnam. TP-Link is well-positioned — in fact, possibly better positioned than any of its competitors — to succeed under the new guidelines and maintain its position as the leading U.S. vendor of secure network devices.”
NETGEAR, TP-Link’s perceived biggest US competitor, also appears to cheer the FCC on making the new ban via this statement, offered by its spokesperson:
“We commend the Administration and the FCC for their action toward a safer digital future for Americans. Home routers and mesh systems are critical to national security and consumer protection, and today’s decision is a step forward. As a U.S.-founded and headquartered company with a legacy of American innovation, NETGEAR has long invested in security‑first design, transparent practices, and adherence to government regulations, and we will continue to do so.“
ASUS, a Taiwanese company popular in the networking realm, among other things, offered this public statement regarding the FCC router ban:
“ASUS has proudly served U.S. customers since 1991, with a long-standing commitment to trusted innovation and strong product security. We are confident in the integrity of our supply chain and the security of our networking products. This FCC action has no impact on existing ASUS router users, software updates, and customer support.”
The final thoughts
As mentioned, the role of routers in online security is real, and, therefore, so are their potential risks. In electronics, supply chain security risks are also very real: among other things, a third party can add extra components without the manufacturer’s knowledge, as demonstrated by the extreme example of the 2024 Lebanon electronic device attacks.
So, the new FCC router ban makes sense, at least on the surface. Still, its effectiveness at keeping Americans and the US safe depends on the process by which a foreign-made router is granted Conditional Approval. There’s a lot of gray area in this process, to put it mildly, on the fate of new routers and firmware updates for existing ones.
Ultimately, only time will tell.
In the meantime, my take is that there’s no need for US consumers to fret: the ban doesn’t apply retroactively—no hardware is being recalled because of it—and there are plenty of routers already authorized by the FCC that they can bring home today.
That said, you don’t need to do anything differently. As usual, keep your current router as long as it works for you, and if you need a replacement, these top-five options will help.
Thank you for this. Interesting turn of events regarding FCC’s role today.
Interesting indeed…
Very interesting, I particularly enjoyed the responses from the company spokespeople representing the router companies, I would very much like to hear from others as well. I think they probably feel the need to appear to be on-board to not spook the FCC or DoW/DHS so that they can get their applications approved.
This makes me wonder about Asus and how this could potentially change their firmware. At the moment it’s open-source which is great for extended support beyond just Asus (Merlin etc..), it would be a shame if it became closed-source because of all this, though I’m sure there would still be community projects, it would slow their progress.
I’m not particularly worried myself, I’m not in the US but I do wonder how this may change the industry for everyone around the world. Not immediately, but over time. On one hand it could be positive in terms of security features (possibly even hardware-based security modules), but on the other hand this may also lead to a reduction in user choice and control.
An interesting time to be observing the tech industry in general.
Like all US policies, this is a fluid matter. Things can vary greatly from one administration to another. We’ll see.
I would hope that firmware updates are continued beyond next March. If they don’t, I think it would make virtually every device obsolete within a year and could kill the device market as it would be pointless to buy a device only to get a year or less out of it. Wifi 7 devices aren’t exactly cheap if you want a capable one that could last several years.
I hope they regularly evaluate the impact of the regs and make adjustments as necessary to not kill devices prematurely with the lack of firmware updates. I just put a nice chunk of change into Ubiquiti hardware and it would really suck to only get a year out of it.
I’m pretty that will be the case, Tosan. The languge seems purposely ambiguous as if somebody just wanted more time to figure things out.
One thing NOT so obvious: Routers that do NOT contain Wi-Fi, Bluetooth or other RF technologies — i.e., WITHOUT a “modular transmitter” — SHOULD not be affected as they do NOT require the level of FCC authorization (i.e., an FCC ID is required for all devices that intentionally transmit RF signals) that is restricted by the Covered List. An FCC ID is NOT required for products that merely receive RF signals (like AM/FM radios & non-smart TVs that don’t support Wi-Fi or Bluetooth), or that only have to comply with the “digital device” (Class A & B) rules to avoid interference. However, as broadly as other parts of the order are written, don’t be surprised if that gets misinterpreted & wrongly applied to non-Wi-Fi routers, switches, etc.
Also, the FCC ID requirements for “intentional emitters” of RF signals aren’t as strictly enforced by U.S. Customs as the FCC would like. I still use a Chinese Android radio in my car (imported via AliExpress over a year ago) that has Wi-Fi & Bluetooth support, yet apparently has no FCC ID (I looked & researched) and is unlikely to get one. I wouldn’t be surprised if some foreign Wi-Fi routers make it thru U.S. Customs despite this order putting them on the Covered List.
It’s not a question of should, it’s whatever the FCC deems “safe”. 🙂
The FCC is now tasked with cyber-security arbitration, but last I knew they police RF noise and interference. Did they recently add a cadre of cyber- sleuths to pen test the latest “foreign-made” routers from the likes of Cisco, Juniper, Arista, Fortnet, HP, Dell, etc. If this is about “cyber-security” what about the hundreds of billions of iot devices with all kinds of wireless access and limited or no security?
As noted, this applies to ALL foreign-made routers. IoT devices are less of a threat than routers—they need to connect to a router to work in the first place.
Do you think the TP link switches are safe? Is there any way to check safety?
Thanks for all the work you put in to keep us informed.
That depends on the type of switch, Michael. Routers and switches are essentially the same things.
Still, switches that don’t have Wi-Fi, Bluetooth or other intentional RF transmitters SHOULD not be affected by this ban, as I just posted (though there might be some blowback). That said, I’m not that worried about unmanaged switches — I have a couple of those imported from China (not Chinese TP-Link products) via AliExpress, as 2.5GbE switches are much cheaper there than domestically, and their functionality is essentially baked into their chipsets so they don’t have firmware and/or web interfaces that hackers can easily infiltrate. Managed switches, OTOH, generally have firmware and/or web interfaces so they have a significant hacking risk. Still, if it’s a U.S. TP-Link product I wouldn’t be that worried about it; this order seems tailor-made to impose new restrictions industry-wide without undermining TP-Link’s restructuring into legally (if not fully at ownership level) independent Chinese & U.S. companies. (I use a U.S. TP-Link mesh system made in Vietnam myself; one of my Chinese 2.5GbE switches replaced a pre-split, Vietnam-made & U.S.- sold TP-Link gigabit switch.)
A router can do a lot of harm without Wi-Fi or Bluetooth. Switches and routers are basically the same thing and only differeciate by the layers they support.
What is meant by “consumer grade”. Are some of the Omada routers, for instance, exempt because they are commercial grade?
Consumer-grade generally means products for the home and SMB, Jeff. Depeding on the grade, some Omada routers falls into the SMB category. But the ban seems ambiguous in its classification and gives the FCC the option to ban any particular device it wants.
If looking to invest in only those devices (likely) guaranteed to be USA made and (very) unlikely to be approved going forward, who are those companies? Thanks for all you do.
I don’t know, Mitchell, as I have little knowledge on this front, but to be safe, I’d go with Ubiquiti, NETGEAR, and ASUS, as those likely approved, in that order.
Thanks! Great work – as usual. Your site is the first place I research; usually only one due to the depth of detail that you provide and your track record of being an IT honest broker. I was concerned about Starlink (possibly) being the only manufacturer not at risk of getting on the “bad” list; not because of who makes it but rather because of current satellite cloud cover and speed limitations. Having said that, if Starlink gets its download speed up to or above 1GB, that is where my current provider is stuck at, I’ll make the jump.
The chance of getting that speed via statelite is low, Mitch. Depending on the area, I think 5G has a much better chance of giving you Gigabit-class download speeds.
My best guess is that for SOHO gear, Netgear will be one of the first to get approval. Unsubstantiated Rumor on the internet is that the CISO of Netgear is a member of the committee that initiated the tp-link ban and the basis for the FCC ban.
We have the tp-link ER8411 installed at our campground and it has been working flawlessly for 4 years. I have not noticed any unusual activity, for example phoning home to China. In fact, the highest data users are Alexa and Tesla. We average over 200 clients connected on 20 access points distributed across the camp. The only issue we have experienced is with the outdoor SG2005P-PD switches. We seem to have a high failure rate. This may be due to the exposure to Lightning induced EMP as we have lots of thunder storms. I have been trying to get the board to install EMP surge protectors, but no luck so far.
The national security notion, Henry, is not about individual users, but how the vendor can activate the many hardware units at a moment notice to formulate a botnet attack.
For your case, it’s likely the power surges, try using a good surge protector on the original primary PSE unit of your PoE network, that might help. Good luck!
Understand about botnets. We have enabled the Suricata IPS/IDS and it has detected and blocked top level ip addresses both incoming and outgoing. Of course, the admin IDs and passwords are changed periodically. Additionally, we scan for open ports.
All our POE switches and injectors are plugged into AC line surge protectors. In order to convince the board of the need for RJ45 EMP surge protection, I have installed some in the equipment closet on the incoming lines. So far that seems to be doing the job.
👍
The heart of the issue is the industry’s shift away from the days when routers primarily used open-source code. Most modern AX (Wi-Fi 6) and newer hardware rely on proprietary wireless drivers and binary blobs, which effectively locks down the device.
For years, I’ve kept a Wi-Fi 5 router in service specifically to run open-source firmware, but we’ve reached a performance ceiling where that hardware just can’t keep up. With the latest FCC restrictions on foreign-produced hardware entering the ‘Covered List,’ the lack of open-source alternatives becomes a massive bottleneck. Moving to x86 hardware for OPNsense or pfSense is the ‘gold standard’ for trust, but the barrier to entry—both in cost and power consumption—is high.
The Ubiquiti UCG-Fiber 10G is a compelling middle ground for performance, but it highlights the modern dilemma: we’re forced to choose between proprietary ‘black box’ ecosystems or aging, open hardware. While Ubiquiti is NY-based and NDAA compliant, the reality of global manufacturing means ‘trust’ is now something we have to verify through supply chain transparency, not just headquarters location.
Excellent point, Brian! I’d like to add that as hardware becomes more and more powerful and the Internet the commodity worldwide, the level of risk is now much higher than, say, the time of Wi-Fi 5.
And for that matter I hardly think a label made in the USA makes things tamper proof. The USA as great as it is does tend to have the odd thing happen from time to time in factories.
Made in the US means there’s less chance the device can be tempered with during transit. But, no, nothing is guaranteed.
Just installing an Omada system. Wish I’d done it years ago. Just the switch showing what’s connected everywhere is great. Cloud access requires a cloud account. Is it a risk of course it is. So is driving. Every security measure has costs as well as benefits. An economist would aggregate those costs and compare them to the benefits (less security risk)
Omada is great for the price, or you can consider UniFi, David, which does’t force you to use a cloud account though you’ll have that option, too.
I don’t have to have a cloud account. I’m sure I could do it via a cloudflare tunnel, but, and this is the exact point, for me the security risk of a cloud account seems negligible. In these days wher people are letting ai loose on their machines, think clawbot, there are many risks and many benefits. For me a tplink cloud account is not a material risk.
Cheers I like reading here.
👍
laughs in tplink. every router i own from tplink is already eod of life with no new firmware. cuz tplink abandons their products quick. with that said im sure their will be big push back from companies that are usa facing but nothing is actually made here.
Not to take TP-Link side, John, but all companies do that, espeically NETGEAR which makes most of its Wi-Fi 6 and 6E router out of life already.
While the threat is valid and should be dealt with, this seems like a half-baked and poorly thought out solution to the problem.
It doesn’t address a point that you’ve brought up many times before – requiring an account with a third party to access all or part of a device’s functions. When we make those accounts, not only are we trusting the company not to misuse or mishandle our info, we’re giving them the keys to the kingdom.
The other issue I had is that the term router is very vaguely defined. IANAL, but I think it could also apply to switches (particularly L3) and access points to.
This could also, theoretically, ban products from countries friendly to the US, some of which we have very deep relationships with like the UK, Canada, Australia and New Zealand. I find it strange that there aren’t tiered levels of trust where more scrutiny may be given to products from some countries vis others.
I think we’ll find this may be a “road to he** is paved with good intentions” but it will cause more problems than it solves. Especially with the sudden implementation date. It’ll have to be modified at some point as I don’t see the manufacturing of these devices being brought back to the US overnight, if ever. There needs to be a more middle of the road approach to this.
Good points, Tosan. It can also be a way for currupted officials to start a “pay to play” scheme. We’ll see.
Sure hope that doesn’t happen, but I guess anything is possible these days.
I’m just thinking of how these vendors refresh products, like adding more 10 gig ports, for example. There’s been talk of some new Ubiquiti Dream Machines coming out that will be more capable, and it sounds like these upgraded/refreshed versions will be banned even though very similar products that are already on the market will be grandfathered. Just doesn’t make sense.
As you said, I could see it making more sense for WiFi 8, but just re-implementing current tech that’s already been approved? *smh*
It’s unclear but obviously the devil is always in the details. We’ll see. Speaking of Ubiquiti, I recently saw a new gateway to replace the UDM Pro Max with all 10GbE ports and even 20Gbps SFP port. Hang in there!