FCC blocks import of new foreign-made consumer routers over security concerns

The Federal Communications Commission has issued an order banning the import of new consumer routers manufactured outside the United States, citing concerns over cybersecurity and national security risks.

The directive, released late Monday, states that the restriction applies to all consumer-grade routers produced in foreign countries. However, the FCC clarified that the decision does not impact the use or import of routers already in circulation. New devices could still receive approval on a case-by-case basis if cleared by the Departments of Defence or Homeland Security.

According to the FCC, routers made overseas present “unacceptable risks” to U.S. national security. The agency referenced threats linked to China-backed hacking groups, including Volt Typhoon, Salt Typhoon, and Flax Typhoon, as part of its reasoning for the move.

Reports cited by Reuters indicate that China accounts for roughly 60% of the global consumer router market, underscoring the scale of the decision and its potential impact on supply chains and consumers.

The FCC said it acted after identifying instances where hackers exploited vulnerabilities in foreign-manufactured routers. These weaknesses have reportedly been exploited to target U.S. households, disrupt network operations, and facilitate cybercrime and surveillance.

Routers have long been a key target for attackers because they act as gateways to both home and business networks. Once compromised, they can provide access to sensitive data or be used in larger attacks, such as distributed denial-of-service (DDoS) operations, in which networks are overwhelmed with traffic, causing outages.

Despite its position, the FCC did not present specific evidence demonstrating that routers produced in the United States are inherently more secure than those made abroad. A spokesperson for the agency did not immediately respond to requests for further clarification.

Notably, some of the same hacking groups referenced by the FCC have previously exploited vulnerabilities in equipment made by U.S. companies. Salt Typhoon, for instance, has targeted infrastructure built by American networking giant Cisco. Meanwhile, Flax Typhoon has been accused by U.S. authorities of operating a large botnet involving hijacked devices, affecting at least 126,000 routers in the United States and thousands more globally, regardless of origin.

FCC Chairman Brendan Carr said in prepared remarks that the agency will continue working to ensure the safety and security of U.S. cyberspace, critical infrastructure, and supply chains.

The move comes amid ongoing concerns about foreign cyber threats, though it also follows internal debate within the FCC. Carr was among two commissioners who voted last November to eliminate cybersecurity rules requiring telecom operators to secure their lawful intercept systems against unauthorised access.

The new import restriction highlights the growing tension between national security priorities and global technology supply chains, particularly as governments seek to address evolving cyber risks tied to connected devices.