ALERT The FCC Just Banned the Sale of New Wi-Fi Router Models Made Outside US

@chris_c_: Not sure how you reach your conclusion that the "FCC ban is forcing router vendors to be transparent on their supply chains and beef up their security." Every existing home router is exempted from the new FCC mandate including all of the TP-Link and MicroTik routers which were compromised. So, if anything, this gives home users a false sense of security and not much else.
I believe the reason the FCC didn't ban existing installed routers, and new unopened routers already imported and stocked in warehouses inside the USA, is because banning them would cause an unfair and immediate huge financial cost, and burn a lot of capital, because there would be a rush on buying new routers, yet the FCC has not approved any new routers yet.

It's only fair for the FCC to impose these strict new security and transparency rules on new routers that have not yet been imported, with the strong encouragement to build them inside the USA so that chain of custody and source code can be more easily reviewed, scanned, and approved. And when a costly security incident using US SOHO routers as a botnet next happens, all parties - SOHO router manufacturers, SoC vendors, and firmware developers - will be located inside the jurisdiction limits of the USA, for potential federal legal consequences and class action lawsuits for cybersecurity claims.
 
It's only fair for the FCC to impose these strict new security and transparency rules on new routers that have not yet been imported, with the strong encouragement to build them inside the USA so that chain of custody and source code can be more easily reviewed, scanned, and approved.
You do realize that before anything can be sold like this in the US, regardless of where it is made, it must first have FCC approval? The whole "new unopened, imported and stocked" has nothing to do with it. Any devices that already has an FCC approval certification will continue to **keep it**. So that means all the routers these reports (like the one you posted) will continue to be sold and used by US consumers. It also means all the existing outdated and compromised devices that are already in play are in play.
And when a costly security incident using US SOHO routers as a botnet next happens, all parties - SOHO router manufacturers, SoC vendors, and firmware developers - will be located inside the jurisdiction limits of the USA, for potential federal legal consequences and class action lawsuits for cybersecurity claims.
You seem to not include the biggest factor in a lot of these issues, the PEBCAK (Problem Exists Between Chair And Keyboard) factor. It seems you're all for the US to go after the manufacturer over a a major security bot attack but you seem to ignore the actual "admins" of those networks who may not have updated their software with the proper patch/fix/update to stop against said bot attack. They may have added a rule to their firewall they didn't understand because of AI or you know, forums/chat rooms giving bad advice which exposed them. There are "admins" out there that haven't touched or updated their routers in **years upon years** as the use the "install and forget" logic or always have a "but my config is so complicated I can't upgrade" (which means its a horrible config). The human factor is used more these days then 0-day or brute force attacks because it's easier.

Perhaps they should take the same approach they did with the 9-1-1 laws. If you are the installer and/or admin of the router and your router isn't properly maintained/configured and ends up be compromised or part of a botnet then you get a $10K fine each violation and at some point be disallowed from being an installer/admin due to too many violations.
 
It would be safe to assume that the new SOHO routers will probably default to having "Install security patches automatically?" to ON, this would put the burden of getting it flawless on the shoulders of the manufacturers, SoC vendors, and firmware developers. Could they get it perfect, with AI's help to find the holes fast? Probably yes, and more so now than 2000-2025.
 
It would be safe to assume that the new SOHO routers will probably default to having "Install security patches automatically?" to ON
Except that something like that can interfere with a businesses SOP or logic on how they handle updates. I just don't run out and throw an update on production equipment that hasn't been tested based on what the router does at the location.

An update can fix a known problem but also cause unknown problems. All of this must be considered and reviewed on an ICB basis.

Because no one loves the "well it auto updated to patch something we don't even have enabled and it broke our multi ISP routing logic" after a 4am auto update.
 
I agree, to accommodate businesses and others with budgets and advanced configs like mutli ISP routing logic, I'm sure the Automatic Security Updates will be default to ON but you can turn if OFF. But then your company's cyber liability insurance company could be held partially liable when you leave exploits unpatched and allow your router to get remotely taken over and added to a botnet that wreaks economic havoc.

I believe this is all about removing the current barrier of anonymous foreign manufacturers, SoC vendors, and firmware developers located in China or other far away, legally shielded Asian countries, so they can't be ordered by their military to make products with holes for the Western markets and then hide there to avoid financial and criminal responsibility.

And I'm quite sure US based router companies will have to be good enough at their work to release automatic firmware updates that don't mess with your advanced config settings, the security patches will only fix whatever flaws, cross site scripting, not using prepared statements, un-enscaped raw user input, buffer overflows, remote code executions, whatever the bad guys use to make botnets that cause millions and billions in malicious damages to Western economies.
 
Last edited:
But then your company could be held partially liable when you leave exploits unpatched and allow your router to get remotely taken over and added to a botnet that wreaks economic havoc.
Again, you can have a fully patched router and a very, very poor configuration that leaves things exposed. Not every compromised router was done because of an exploit, they were compromised because of poor setup and configuration by the **ADMIN** and yes that includes not changing default passwords, etc. Why is the human factor constantly being ignored or not held in accountability?

And I'm quite sure US based router companies
Being US based doesn't mean anything, the new FCC rules are about where the router was manufactured. It specifically refers to "foreign made routers" so Google Nest isn't automatically covered because Alphabet Inc is in the US because the Nest is made in a foreign country.

Currently the only company that is US founded, US based and US made is Starlink. No other US founded or based company (Netgear, Linksys, Belkin, etc) actually manufacture their routers in the US, they are all **foreign made** which means all new routers/APs have to go through DoD/DHS approval. No non-US based company is manufacturing consumer routers in the US.

So basically, the consumer/SOHO market for routers/APs will be choked for a period of unknown time, so that you will only be able to buy things that have FCC approval before March 2026. The handful of Wi-Fi 7 router/APs that have approval will be all that you get for now. Don't forget too, this new rule has a "no more firmware updates" after March 2027 though that one may keep pushed back each year due to the pure lack of options within the US.
 
 
About the problem being the user or admin and their weak default admin logins, I would imagine DHS/DoD/FCC will mandate strong complex passwords, no default login password combos that you can just google the model number and find it, probably mandate 2FA with support for Authenticator app to login to it.

It's not a perfect law, however, FCC can amend the regulations to improve it so it works better, by taking in industry feedback. It's certainly way better to have this law, than the previous status quo of letting router manufacturers self-regulate from market competition, because there's too much external incentive from the CCP, GRU, IRGC, and other enemy nation state sponsored groups, to put out easily bot-netted routers, cheap digital picture frames, cheap streaming boxes and sticks, all easily hacked and put to work stealing.
 
I would imagine DHS/DoD/FCC will mandate strong complex passwords, no default login password combos that you can just google the model number and find it, probably mandate 2FA with support for Authenticator app to login to it.
And who is going to police all these regulations? Only a zealot admin, leaving 99% of devices unchecked as there aren't enough FCC etc inspectors to do it.
 
Last edited:
It's not a perfect law, however, FCC can amend the regulations to improve it so it works better, by taking in industry feedback. It's certainly way better to have this law
It's not a law. The FCC doesn't create laws, only Congress can do that. This is an FCC regulation and rule which is completely different than a law.
 
because there's too much external incentive from the CCP, GRU, IRGC, and other enemy nation state sponsored groups, to put out easily bot-netted routers, cheap digital picture frames, cheap streaming boxes and sticks, all easily hacked and put to work stealing.
Have you done actual research on this? The FCC is citing certain incidents as the reason for this new rule yet those incidents had nothing to do with foreign hardware, in fact many of the devices has US made chips in them. It was due to social engineering and the human factor. As in exposed services, default passwords still in place, not updating the software or exploits in the **software**.

See this new FCC rule is focused on the hardware and chips not the fact the OS has no real geographical presence or the Wi-Fi drivers or other drivers being used in the device. The bottom line is this is faux security because it doesn't fix any current security concerns, allows for known/outdated and exploited hardware to stay in place and blocks the newer hardware with the more current and more secure methods and software being used.

Yeah let's block devices that only allow WPA3 with a little WPA2 legacy support but instead let's keep all the devices using WPA (which is highly insecure).
 
It's not a law. The FCC doesn't create laws, only Congress can do that. This is an FCC regulation and rule which is completely different than a law.
I think you missed a few days in Civics class if you think the FCC doesn't make "laws" that can be enforced and lead to penalties for violating them.
 
I think you missed a few days in Civics class if you think the FCC doesn't make "laws" that can be enforced and lead to penalties for violating them.
No, I didn't. Congress is the sole body that makes laws in the US. The FCC makes regulations that have "force of law" meaning they are binding and enforceable by the FCC as it was a law. However, the FCC must work within it's mandate set forth by **Congress** who can strike down any rule the FCC puts in place (remember Net Neutrality? FCC made the rule and Congress say "nope, not happening").

Let's not forget West Virginia v. EPA a few years back which basically said agencies like the EPA, FCC, et al. cannot make certain regulatory mandates or rules without Congressional approval first.

Again, Congress makes the laws of the land (including what the FCC can and cannot do) while agencies like the FCC make regulations and rules in which a **law passed by Congress** (i.e. Telecommunications act of 1934 that made the FCC) allows them to "enforce as law" those regulations and rules.
 
The goal is to push router manufacturers to bring development, specifically firmware and component manufacturing, into U.S. jurisdiction.

Makers of easily pwned routers (and hopefully, also those cheap easily botted digital picture frames, home cameras, and streaming boxes) will risk facing legal claims and money penalties. They'll be required to remove the ability to blame an admin, by making the default setting secure, no default passwords, strong password, 2FA or Authenticator login only.
 
The goal is to push router manufacturers to bring development, specifically firmware and component manufacturing, into U.S. jurisdiction.

Makers of easily pwned routers (and hopefully, also those cheap easily botted digital picture frames, home cameras, and streaming boxes) will risk facing legal claims and money penalties. They'll be required to remove the ability to blame an admin, by making the default setting secure, no default passwords, strong password, 2FA or Authenticator login only.
So this is about forcing manufacturing back to the US and has nothing to do with security. The reason manufacturing left was an economic decision based on cost of production. By forcing manufacturing back the cost of devices will go up substantially and I’m guessing nothing else will change.
 
So this is about forcing manufacturing back to the US and has nothing to do with security. The reason manufacturing left was an economic decision based on cost of production.
Some manufacturers thought they could squeeze an additional $1.00 per router into their own pockets by not hiring American manufacturing base and instead hiring Asian workers, often minority genocide victims and political prisoner slaves and often children, whose governments also forced technology transfer to their countries' antagonist totalitarian regimes, creating unfair clone competition against original US innovation, and further used the routers as Trojan horses to steal billions in further value from the people of the US.

Router manufacturers in the US has everything to do with security. While under US jurisdiction, they'll, practically speaking, be required to make a product with no security holes, or else face fines and eventually legal cybersecurity liability claims, and deservedly so. I believe in them, and trust they'll do the right thing, finally using their AI subscriptions to make routers with flawless firmware for US SOHO customers.
 
Well, here's how well this is moving things back into the US. Netgear is the first company to receive conditional approval from the FCC/DoD/DHS meaning Netgear can now submit new devices for normal FCC certification until Oct 1st 2027. So now what will need to be seen is will Netgear move manufacturing to the US or will they continually resubmit for Conditional Approval annually?
 

Members online

No members online now.

Forum statistics

Threads
26,733
Messages
174,699
Members
20,292
Latest member
Sunnysideup
Get 3CX - Absolutely Free!

Link up your team and customers Phone System Live Chat Video Conferencing

Hosted or Self-managed. Up to 10 users free forever. No credit card. Try risk free.

3CX
A 3CX Account with that email already exists. You will be redirected to the Customer Portal to sign in or reset your password if you've forgotten it.
Back
Top