ALERT The FCC Just Banned the Sale of New Wi-Fi Router Models Made Outside US

Just a little reality check from the Google machine:

1. Routers "In Use" (The Legacy Problem)​

  • The Scale: Estimates suggest there are over 130 million households in the U.S., almost all of which utilize at least one SOHO router.
  • Compliance Status: Effectively 0% of routers installed before 2026 meet the new strict "domestic-only" production and design requirements.
  • The "Grandfather" Clause: These routers are still legal to use, but they hit a "security wall" on March 1, 2027. After that date, the FCC has mandated that manufacturers cannot issue new firmware or security patches for foreign-produced devices unless they undergo a rigorous federal audit. This effectively renders millions of devices "end-of-life" for security purposes in less than a year.

2. Routers "Available for Sale" (The Inventory Gap)​

  • The Foreign Manufacturing Dominance: Prior to this rule, roughly 85% to 90% of the SOHO router supply chain (including major brands like TP-Link, ASUS, and parts of Netgear’s lineup) was based in China, Vietnam, or Taiwan.

  • The "Authorized" Backlog: Retailers are currently allowed to sell through their existing inventory of models that received FCC authorization before March 23, 2026. However, new models (like the latest Wi-Fi 7 and emerging Wi-Fi 8 units) produced abroad are now blocked from entering the market.



  • The Exemptions: Currently, Starlink is one of the few major providers whose hardware is largely exempt due to its domestic production focus. Most other consumer brands are scrambling to onshore their assembly lines to meet the new "U.S.-produced" definition.

 
And how many of those 130 million existing routers will be retired before or after March 1, 2027? Simply stated, the retirement deadline all but guarantees that we will have a country full of insecure routers after March 1, 2027.

Estimated Retirement Timeline

Retirement WindowEstimated UnitsDriver of Replacement
Before March 1, 2027~35–45 MillionNatural "Tech Refresh" (Upgrading to Wi-Fi 7/8, hardware failure, moving).
After March 1, 2027~85–105 Million"The Security Laggards" (Devices that still physically work but no longer receive patches).
 
How I look at it: After March 1, 2027, the FCC has mandated that manufacturers CAN ONLY issue new firmware and security patches for foreign-produced devices IF they undergo a rigorous federal audit - which I interpret that as an AI powered source code review screening for zero days, combined with active verification the manufacturer downloads are fingerprint matched, to keep out zero days inserted after FCC approval.

Of course, this FCC firmware review/approval process is subject to modification and improvement in time.

I agree it probably require adjusting to. And, It's worth it get regulated mandated improvement to the security of US SOHO routers. Botnet-enabled cyber theft using new US routers, with unregulated anything goes as long as it works firmware, so weak against hacks it's a joke, should drop close to zero.
 
"I'm from the government and I'm here to help you."

Expecting the FCC or any portion of the government to actually check firmware or even enforce the EOL for consumer grade routers is a pipe dream. Even with new firmware, the human idiot factor cannot be regulated for people who don't change passwords, open closed firewalls, or never upgrade firmware.

It is a nice idea but it wasn't thought out well and will be impossible to implement to correct the existing issues.
 
I agree it probably require adjusting to. And, It's worth it get regulated mandated improvement to the security of US SOHO routers. Botnet-enabled cyber theft using new US routers, with unregulated anything goes as long as it works firmware, so weak against hacks it's a joke, should drop close to zero.
You do realize that the actual incidents being used by the FCC to justify this were not because of firmware or hardware vulnerabilities? It was do the human factors as in the human didn't change their passwords, the human left firewall/NAT rules open, the human downloaded malware without thinking about it. The majority of the bot-net issues and other problems we've had in the last 5-6 years have been human issues more than it's being a 0-day or bugged software or hardware exploits.

I remember in 2018 Mikrotik reported an RCE flaw in their Samba services for RouterOS. If you had Samba enabled and exposed to the public Internet unprotected someone could force their way in. Mikrotik had a patch within 30 days of the report (before the details were fully released by the reporter). At the time, almost no one was hit by it except for the few with exposed firewall rules. Now flash forward about 18 months later which means 5 major version releases (6.X) and almost 20 some minor releases (6.X.x) and that exploit starts being used and turns out there were thousands upon thousands of Mikrotik devices **that never updated! They still ran the pre-patched versions of RouterOS**.

In the 10+ years I've been using Mikrotik and the 100+ devices I have out in the field, I have yet to have any device be hit by an exploit, bug or anything because A: I keep my stuff secured and B: I actually make sure things are updated to avoid things like this.

Sorry but "Made in the USA" isn't going to be this super secure improvement you keep thinking it's going to be.
 
You do realize that the actual incidents being used by the FCC to justify this were not because of firmware or hardware vulnerabilities? It was do the human factors as in the human didn't change their passwords, the human left firewall/NAT rules open, the human downloaded malware without thinking about it. The majority of the bot-net issues and other problems we've had in the last 5-6 years have been human issues more than it's being a 0-day or bugged software or hardware exploits.

I remember in 2018 Mikrotik reported an RCE flaw in their Samba services for RouterOS. If you had Samba enabled and exposed to the public Internet unprotected someone could force their way in. Mikrotik had a patch within 30 days of the report (before the details were fully released by the reporter). At the time, almost no one was hit by it except for the few with exposed firewall rules. Now flash forward about 18 months later which means 5 major version releases (6.X) and almost 20 some minor releases (6.X.x) and that exploit starts being used and turns out there were thousands upon thousands of Mikrotik devices **that never updated! They still ran the pre-patched versions of RouterOS**.

In the 10+ years I've been using Mikrotik and the 100+ devices I have out in the field, I have yet to have any device be hit by an exploit, bug or anything because A: I keep my stuff secured and B: I actually make sure things are updated to avoid things like this.

Sorry but "Made in the USA" isn't going to be this super secure improvement you keep thinking it's going to be.
The human factor is going to be removed from the equation. What this means is, automatic updates are going to be ON bu default. And, default passwords that you can search for online, for new routers, are going to be forbidden. Every new router owner gets assigned a unique admin password, or passwordless and they access it via the app, similar to an Authenticator app.

No longer will bad actors and foreign adversaries get to botnet a million routers in an hour. They're going to have a costly frustrating uphill battle for every single router they want to add to their evil botnet.
 
What this means is, automatic updates are going to be ON bu default.
You keep stating this with no actual proof. Also, as I pointed out people can just turn that off so it doesn't interfere with their configurations.

There is no requirement in this new regulation for all the parts to be made in the US just the router itself. The FCC was clear that having foreign made parts in the router will not make it classified as "foreign made". So even if Netgear was assembling routers in the US the board could be from Taiwan, the SOC from China and software from all over the place unless everything was 100% proprietary which will be a huge expense.

Assembling routers/AP in the US isn't an automagical sekuritee solution. Poorly configured devices, exposing things you shouldn't, never updating the firmware/drivers to fix bugs and exploits, people downloading malware on their PC that attacks the router from the LAN side. All of these things are not solved by "Made in the USA" labels.

Let's also not forget about those that will go out buy the hardware so they can flash it and install OpenWRT or PFSense on it because "those are better than the router companies, they just need the hardware".

There's also the whole predictions of companies like D-Link et al just releasing a new line of low-cost "Small Business/Enterprise" models instead of consumer models. Since SMB/Enterprise equipment is free of this regulation.
 
Just about every other popular consumer big tech made device with an operating system and and internet connection are made to automatic self update for security fixes that their manufacturer deems to be critical: iPhone iOS, MacBook MacOS, Apple WatchOS, Android, Windows PC. And users cannot turn it off without making some effort, 99.999% of people have no interest in doing that. It'll update in the middle of the night while you're sleeping, if your device is in use.

Yes, we can think of 10 other ways where a single device can get pwned for a botnet. The intention of this regulation is to make it very hard for a nation state or transnational criminal organization to pwn 10 million devices, like they used to be able to do, and cost the people billions of dollars in preventable losses.
 
Just about every other popular consumer big tech made device with an operating system and and internet connection are made to automatic self update for security fixes that their manufacturer deems to be critical: iPhone iOS, MacBook MacOS, Apple WatchOS, Android, Windows PC. And users cannot turn it off without making some effort, 99.999% of people have no interest in doing that. It'll update in the middle of the night while you're sleeping, if your device is in use.
You need to take your tin foil hat off. How many devices are going to be nuked by a faulty automatic update? I certainly don't allow my iPhone iOS to update immediately it is released. I'll let some other early adopters take the risk.
Who is going to vet new updates for data centres so that automatic updates can happen and who will take the flack when a data centre goes off line due to a faulty update?
The whole scheme is a brain fart by some politician who probably has no idea what he's doing.
 
Last edited:
Who is going to vet new updates for data centres so that automatic updates can happen and who will take the flack when a data centre goes off line due to a faulty update?
If your data center, and I can't stress this enough, is buying their network infrastructure gear from the Electronics section (in between Sporting Goods and Pet Supplies) of a big box store or any type of consumer level equipment. Run away from that data center. Someone should get flack for putting in under performing hardware in the data center infrastructure.

I remember in 2022 just before I moved from Windows to Mac an automatic update broken L2TP VPN connections, which at the time broke our VPN access into our network. Since it happened the same day as the update, I had to spend almost 24 hours without VPN access and before I could determine (based on user reports) that yes the update that was automatically installed was the culprit and I had to rollback my update. I turned off automatic updates after that, good thing too because the same thing happened again in 2022. Two updates in a year both with the same breaking issue.

Same thing happened in 2024 but this time it was multiple VPN protocols that were broken which took down numerous business VPN networks since this time the update was Win10, Win11 and all Win server versions.

Automatic updates are not a security measure they are a convenience measure.
 
I do appreciate everyone's perspectives. Yes, in real life, problems happen with auto self updates, we are fallible, I'm not saying under the new regulations, there would be no problems anymore. Before, under the old way, which was totally unregulated, anyone could sell a SOHO router certified by the FCC for the consumer market, and to get FCC certification, the router had to not break the law by polluting the RF spectrum transmitting on frequencies it wasn't allowed to transmit on, e.g., outside the 2.4 and 5 GHz ranges. And 50% of routers were easily pwned because the consumer just left the factory set default login username and password, meaning any javascript in the browser could login to it and modify its settings or firmeware for the benefit of malicious transnational criminal organizations and their theft of IP crypto logins bank and financial crimes.

Now, the goal is, closer to 0.0001% of US SOHO routers would be easily pwned due to user negligence, the bar is raised, to get FCC certified, the router must ALSO be made in the USA and therefore the manufacturer is now subject to criminal and civil claims under US cyber liability laws, or get a temporary waiver with plan to onshore production, and the firmware must pass AI screening for security norms: not allowed to have the same default password on all units sold, and generally, not so easily pwned and botnetted. The internet inside the USA is now classified as a US national security issue and we are beginning to protect it in the way such an asset deserves to be protected. Makes sense, the level of competition between nations has increased substantially, and cyber warfare is top on every country's ways to attack, it's extremely low cost and can cause crippling damages to any adversary dumb enough to allow their infrastructure to be easily pwned.
 
I do appreciate everyone's perspectives. Yes, in real life, problems happen with auto self updates, we are fallible, I'm not saying under the new regulations, there would be no problems anymore. Before, under the old way, which was totally unregulated, anyone could sell a SOHO router certified by the FCC for the consumer market, and to get FCC certification, the router had to not break the law by polluting the RF spectrum transmitting on frequencies it wasn't allowed to transmit on, e.g., outside the 2.4 and 5 GHz ranges. And 50% of routers were easily pwned because the consumer just left the factory set default login username and password, meaning any javascript in the browser could login to it and modify its settings or firmeware for the benefit of malicious transnational criminal organizations and their theft of IP crypto logins bank and financial crimes.

Now, the goal is, closer to 0.0001% of US SOHO routers would be easily pwned due to user negligence, the bar is raised, to get FCC certified, the router must ALSO be made in the USA and therefore the manufacturer is now subject to criminal and civil claims under US cyber liability laws, or get a temporary waiver with plan to onshore production, and the firmware must pass AI screening for security norms: not allowed to have the same default password on all units sold, and generally, not so easily pwned and botnetted. The internet inside the USA is now classified as a US national security issue and we are beginning to protect it in the way such an asset deserves to be protected. Makes sense, the level of competition between nations has increased substantially, and cyber warfare is top on every country's ways to attack, it's extremely low cost and can cause crippling damages to any adversary dumb enough to allow their infrastructure to be easily pwned.
You really need to do some research on this. The new FCC rules have no mandates for firmware/software security, no requirements for auto updates, no requirements for unique passwords. The new FCC rule isn't a cybersecurity solution it's a "National Security" solution, it's about the country of origin for the devices, not a single thing that changes the FCC certification rules in regards of security measures.

The new FCC rule stops authorization of foreign made routers without a waiver. Netgear, Adtran, Starlink (the only allowed for now) have no requirements of unique passwords, cybersecurity testing or any new security measures from the pre-2026 process.
 
You really need to do some research on this. The new FCC rules have no mandates for firmware/software security, no requirements for auto updates, no requirements for unique passwords. The new FCC rule isn't a cybersecurity solution it's a "National Security" solution, it's about the country of origin for the devices, not a single thing that changes the FCC certification rules in regards of security measures.

The new FCC rule stops authorization of foreign made routers without a waiver. Netgear, Adtran, Starlink (the only allowed for now) have no requirements of unique passwords, cybersecurity testing or any new security measures from the pre-2026 process.
Thanks. Agreed, the first level goal of the current regulations is to onshore production of SOHO routers, with the immediate benefit of US electronic hardware tech production jobs.

Once onshore, the manufacturers become subject to strict enforcement of US laws & regulations. They're free to dare to release a SOHO router with a weak security posture by default, they'll be putting their career and company into serious jeopardy of extinction. With easily enforceable legal liability, it's possible to achieve the second level goal, to motivate the router manufacturers to eliminate, as much as possible within human and AI limits, the historically easy weaponization of SOHO routers into criminal proxy botnets built to aid any foreign cyber criminal organizations to easily, and at very low cost, steal scam and cheat from the US people. The scam party's over, sorry haters, but we're not sorry, go and find someone else to scam.
 
So the hardware box is made in the USA but all the components are imported. Makes perfect sense. :death:
 
Once onshore, the manufacturers become subject to strict enforcement of US laws & regulations.
Please stop. Netgear, D-Link, et al that are US based business are subject to US laws and regulations regardless of where they products are made. As a matter of fact, Mikrotik which is from Lativa is subject to numerous US laws and regulations in order to sell their equipment in the US. Here's some of the laws and regulations non-US based companies are subject to in the US. They have to even put these in their EULA and compliance documentation showing they follow/are subject to these laws/regulations.
  • FCC Part 15 – radio frequency emissions and interference standards
  • OFAC/Export Control – sanctions and trade restrictions
  • Import regulations – new FCC security-based import restrictions on foreign consumer routers
  • US customs and trade law – as a foreign company selling into the US market
Please stop trying to hammer your square peg into the round hole with this.
 
I'll leave these here:



This case is in litigation, with supply chain documentation and firmware security practices expected to be heavily scrutinized:

 

Members online

No members online now.

Forum statistics

Threads
26,733
Messages
174,699
Members
20,292
Latest member
Sunnysideup
Get 3CX - Absolutely Free!

Link up your team and customers Phone System Live Chat Video Conferencing

Hosted or Self-managed. Up to 10 users free forever. No credit card. Try risk free.

3CX
A 3CX Account with that email already exists. You will be redirected to the Customer Portal to sign in or reset your password if you've forgotten it.
Back
Top