On Monday, the Federal Communications Commission (FCC) updated its list of insecure equipment, outlining its reasons for adding all consumer-grade routers made outside the US.
Effectively, this would stop foreign-made routers from being imported unless their manufacturers obtain an exemption, due to what the FCC called an “unacceptable risk to the national security of the United States or the safety and security of United States persons.”
We applaud decisions that make people more secure, but this one raises some serious questions.
Almost all routers
Virtually all consumer-grade routers are produced outside of the US, including those marketed by American companies. This doesn’t pose an immediate problem, because the ban would only apply to future imports. Products already in use or currently on sale could still be used.
But with no US-manufactured routers readily available, people may hold on to older, less secure devices for longer than they normally would due to a lack of alternatives. That means routers that have reached end-of-life (EOL) might remain in use without updates or support.
The real danger
Although it makes sense to scrutinize untrusted routers in government and critical infrastructure environments, I don’t think banning SOHO (small office/home office) routers is likely to have a big impact on national security.
At first glance, you might think this kind of move is aimed at taking down some major botnets which thrived on internet-connected devices like cameras, routers, and video recorders. And the National Security Determination does mention these botnets.
But in most cases, the reason these routers can be used in botnets isn’t because they were made abroad, but because they are shipped with default credentials and unclear directions on how to change them.
Untrusted routers could lead to espionage and denial of service at critical times, especially where countries of origin have laws prescribing mandatory backdoors (like China). In those cases, it makes sense to avoid those routers in organizations that are “critical for maintaining functional communications, critical infrastructure, and emergency services.”
But many routers are manufactured in countries that have no such laws, and where there is little to gain from state-level espionage targeting US consumers.
Alternative safety measures
Before buying a new router, check with your Internet Service Provider (ISP) which models work with their services. Many ISPs publish lists of approved modems, and sometimes gateway devices, but they usually allow customers to use their own standalone router as long as it connects via Ethernet and supports the WAN type (DHCP, PPPoE, VLAN tags, etc.).
In practice, the best router for national security isn’t the one with a “Made in USA” label, but the one that gets patched as soon as a vulnerability is disclosed.
If you can afford it and haven’t already, upgrade to Wi-Fi 7 to help future-proof your setup while current models are still in stores.
You should also:
- Change your router’s default credentials to something less easy to guess.
- Check the vendor’s website for updates and confirm the EOL date.
For technically confident users, replacing vendor firmware with open-source alternatives like OpenWrt or DD-WRT can extend a router’s secure lifespan. But this comes with risks, including voiding warranties or potentially bricking your device. You should only do this, or have it done, if you’re comfortable troubleshooting.
We don’t just report on privacy—we offer you the option to use it.
Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.