Security Point Break: Cybersecurity News and Analysis with Clarity and Candor

FCC Router Restrictions Draw Scrutiny from Security Experts

Critics say the limits on new foreign-made models could disrupt the market without fixing vulnerabilities in routers already used in the U.S.

The FCC’s decision to add foreign-made home routers to its prohibited imports list is drawing sharp pushback from cybersecurity researchers. Critics argue the agency is using national security language to advance industrial protectionist policy.

The ruling, announced Monday, bars all new foreign-produced router models from receiving FCC equipment authorization, effectively shutting them out of the U.S. market.

The hardest hit will be Chinese-brand routers, which dominate the U.S. consumer and small-office/home-office (SOHO) segment. Chinese-manufactured routers, sold under a range of labels, hold a commanding position on the shelf at Best Buy, Amazon, and Costco.

Market research firm Circana said TP-Link held a 36.6% unit share of the U.S. consumer router market in 2024. Dell’Oro Group, counting ISP-supplied devices, put TP-Link’s share of North American residential Wi-Fi router sales at under 10%.

On March 20, a White House-convened interagency panel said foreign-produced routers pose supply chain vulnerabilities that could disrupt the U.S. economy, critical infrastructure and national defense. The panel also found the devices establish what it called “a severe cybersecurity risk that could be leveraged to immediately and severely disrupt U.S. critical infrastructure and directly harm U.S. persons,” according to reporting by CyberScoop.

Conditional Approval Loophole

The FCC included a Conditional Approval process. Manufacturers must apply to the agency, which then sends requests to national security agencies for review. Applicants must disclose their management structure and supply chain and submit a plan to move manufacturing to the United States. Under the FCC’s FAQ, the rule applies only to new models. Routers that already have FCC authorization can still be imported, sold and used.

Critics expect the router market to mirror the FCC’s recent drone restrictions. Since December 2025, four systems have received conditional approval, all from non-Chinese manufacturers. DJI and Autel remain blocked, and DJI is suing.

Rooting Out the Threat of Compromised Routers

The FCC tied the rule to the Volt Typhoon, Flax Typhoon and Salt Typhoon campaigns, arguing foreign-made routers have been used against American networks. But some of the clearest examples involved Western hardware.

In January 2024, the Justice Department said the FBI disrupted a network of hundreds of hijacked small-office and home-office routers, most made by Cisco and Netgear, that Volt Typhoon had infected with KV Botnet malware. The group used a “living off the land” tactic, installing a VPN module on infected routers so traffic appeared to originate inside U.S. networks. FBI Director Christopher Wray said the campaign was designed to position China to “destroy or degrade the civilian critical infrastructure that keeps us safe” in a conflict over Taiwan.

Salt Typhoon went further. In late 2024, U.S. officials said the group accessed nine U.S. telecom companies, including Verizon, AT&T, T-Mobile and Lumen, and targeted core network equipment, including Cisco routers. Cisco Talos later said Salt Typhoon gained initial access to Cisco devices and blended into normal operations by moving through trusted infrastructure. Federal officials said the group stole metadata, geolocated millions of people and targeted the communications of about 100 people involved in government or politics.

The Catch: It Wasn’t Just Chinese Hardware

“American-made products are far from immune to foreign hacking,” a report published in CyberScoop noted. Major Chinese campaigns like Salt Typhoon, the outlet pointed out, succeeded not through backdoors in Chinese-made tech but by exploiting known vulnerabilities in U.S. and Western products.

The Volt Typhoon botnet incident in early 2024 underscores that products from U.S. firms make for juicy targets. Routers from Cisco and Netgear, both U.S. firms, were the primary hardware exploited by Volt Typhoon hackers, according to the U.S. Justice Department. The weakness: both companies had stopped providing security patches for the targeted legacy models.

Salt Typhoon’s February 2025 attack is similar. According to Cisco’s own Cisco Talos research, the campaign exploited known vulnerabilities in routers made by Cisco, based in San Jose, Calif.

Witnesses at a House Select Committee hearing claimed TP-Link routers were used by Volt Typhoon, Salt Typhoon, and Flax Typhoon to create botnets and infiltrate U.S. critical infrastructure. But a TP-Link executive pushed back, saying witnesses “didn’t present a shred of evidence that TP-Link is linked to the Chinese government.”

Independent cybersecurity researchers have largely backed that position.

Researchers at GreyNoise Intelligence called the decision “fundamentally flawed,” telling Cybersecurity Dive that the ruling ignores a basic reality: there is virtually no U.S. production capability for consumer-grade routers. GreyNoise pointed out that “the vast majority of internet routers are assembled or manufactured outside the US, often in Taiwan or China,” and that products labeled ‘made in the U.S.’ are most likely only assembled domestically, with printed circuit boards manufactured elsewhere.

A Rule That Bans What?

The ambiguity at the heart of the ruling could complicate enforcement.

The FCC didn’t define whether the ban applies to foreign companies that make routers, domestic router companies with manufacturing operations overseas, or companies that use foreign contract manufacturers.

U.S.-headquartered brands including Netgear and Linksys manufacture their devices overseas. Netgear uses contract manufacturers including Foxconn in Taiwan, according to its 2025 10-K filing.

A former FCC official told CyberScoop the rule could create “a new federal program of conditional approvals” and require a broad federal effort to remove bad actors from the supply chain. Critics also question whether a blanket restriction on foreign-made routers would survive a legal challenge.

TP-Link, which moved its global headquarters to Irvine, California, in 2024, has also rejected the idea that it is a foreign company. A spokesperson said virtually all routers are made outside the United States, including those sold by U.S.-based companies, and that TP-Link manufactures in Vietnam.

Cybersecurity Theatre?

If the goal were to address actual cybersecurity risk on installed networks, critics argue, the FCC would be mandating firmware audit requirements or patch-attestation standards for the millions of foreign-made routers already operating in American homes.

None of that is in the FCC ruling.

Not everyone is dismissive. “While the rule doesn’t name China, the direction of travel is pretty clear, and it raises the stakes for how the U.S. approaches connected devices going forward,” Craig Singleton, a senior China fellow at the Foundation for Defense of Democracies, told 5Gstore.

CyberScoop also noted that Chinese national security law requires companies to disclose vulnerabilities to the government before making them public, an advantage Beijing retains even if no specific device has been compromised.

Chris McGuire, a senior fellow at the Council on Foreign Relations, told Intelmarketresearch the FCC may ultimately apply the rule the way it handled foreign drone restrictions: blocking Chinese companies while allowing firms from allied countries.

FCC Chair Brendan Carr defended the move, saying the agency would “continue to do our part in making sure that U.S. cyberspace, critical infrastructure and supply chains are safe and secure.”

Shaun Nichols is an IT news journalist. He has spent nearly 20 years covering the industry with a specialty in the cybersecurity field.

Image Courtesy of DLX Media
