The FCC added all foreign-made consumer routers to its Covered List on March 23, 2026. No new model manufactured outside the United States can receive equipment authorisation. Without it, a device cannot legally be imported, marketed, or sold. China holds an estimated 60% of the American consumer router market, according to Reuters.
A White House-convened interagency body issued the National Security Determination (NSD) on March 20. The document names three Chinese state-sponsored campaigns as justification. Volt Typhoon hijacked hundreds of end-of-life SOHO routers to penetrate US energy, transportation, and water infrastructure. Salt Typhoon breached AT&T and Verizon through compromised routers, reportedly hiding for over 18 months while harvesting metadata on tens of millions of Americans.
Flax Typhoon built a botnet of at least 126,000 hijacked US devices. The FBI, Cyber National Mission Force, and NSA documented the operation in September 2024.
The NSD identified two unacceptable risks. Foreign-produced routers introduce a supply chain vulnerability that could disrupt the US economy and national defence. They also pose what the document calls a "severe cybersecurity risk that could be leveraged to immediately and severely disrupt U.S. critical infrastructure."
Existing devices in homes are not affected. Retailers can continue selling previously authorised models. Manufacturers can seek an exemption through DHS or the Department of War by certifying their products do not pose risks. NIST Internal Report 8425A defines the scope as consumer-grade networking devices primarily intended for residential use. Enterprise equipment from Cisco, Juniper, and Arista is excluded.
Salt Typhoon's most damaging operations targeted Cisco enterprise routers, not consumer devices.
Virtually all routers are made outside the United States, including those produced by U.S.-based companies like TP-Link, which manufactures its products in Vietnam. It appears that the entire router industry will be impacted by the FCC's announcement concerning new devices not previously authorized by the FCC.
— TP-Link spokesperson
Volt Typhoon used Cisco and NetGear routers. Both are American brands that had reached end of life without patches. Flax Typhoon targeted US-made and foreign-made hardware alike. The FCC provided no evidence that domestically manufactured routers are more secure than those built overseas. Unpatched firmware enabled Volt Typhoon. That condition exists regardless of where the hardware is assembled.
SpaceX's Starlink router is manufactured in Texas. It is one of the few consumer models that clears the new requirement without an exemption. Every other major brand (TP-Link, Netgear, Asus, Linksys, D-Link, Ubiquiti) assembles outside the US. Netgear's stock rose 16% in after-hours trading.
The NSD mandates no firmware audits for routers already on the market. It sets no patching requirements, no end-of-life support obligations, and no open-source firmware standards. If unpatched software is what Volt Typhoon, Salt Typhoon, and Flax Typhoon exploited, a country-of-origin restriction addresses where the hardware is assembled, not whether it receives updates.
FCC Chairman Brendan Carr welcomed the determination.
I welcome this Executive Branch national security determination, and I am pleased that the FCC has now added foreign-produced routers, which were found to pose an unacceptable national security risk, to the FCC's Covered List.
— Brendan Carr, Chairman, FCC
Carr voted in November 2025 to scrap telecom cybersecurity rules. Those rules would have required operators to secure their lawful intercept infrastructure from unauthorised access. Salt Typhoon exploited exactly those entry points to breach US carriers.
Ken Paxton, the Texas Attorney General, sued TP-Link in February 2026. The lawsuit alleges TP-Link allowed Chinese state-backed hackers to exploit consumer devices. TP-Link denied the allegations and said it "is confident in the security of our supply chain."
The ban follows the December 2025 FCC ban on foreign-made drones, which primarily hit DJI. Both decisions use the same Covered List mechanism. The NSD aligns with President Trump's National Security Strategy. That document states the US "must not be dependent on any other country for core components necessary to the nation's defense or economy."
American consumers do not need to act now. Existing routers keep working. A TP-Link router made in Vietnam and a Netgear router assembled in a future US factory will both remain vulnerable if neither receives firmware updates. The ban changes the supply chain. It does not change the patch cycle.
Have a story? Become a contributor.
We work with independent researchers and cybersecurity professionals. Send us a tip or submit your article for editorial review.
