The FCC has banned new foreign-made routers, but existing ones can keep receiving updates until 2029

Skye Jacobs

Posts: 2,012   +59
Staff
In a nutshell: The FCC has extended a deadline that will allow millions of routers and drones already in use in the US to keep receiving software updates for several more years, easing part of its broader national security crackdown. In an order released last week, the agency said foreign-made routers and uncrewed aircraft systems previously approved for use can continue to receive firmware and software updates until at least January 1, 2029. The earlier cutoff had been set for March 2027, raising concerns that devices still widely deployed in homes and businesses could lose access to critical security patches.

The change leaves the FCC's broader policy intact. Rules adopted in March block approval of new consumer routers manufactured outside the United States, part of an effort the commission says targets national security risks in foreign supply chains. That restriction remains in place, with exemptions granted selectively to companies the government deems safe. Netgear and Amazon-owned Eero are among those that have already received approval.

Instead, the FCC adjusted how long devices already on the market can receive software updates. Under the updated waiver, those products can continue to receive updates intended to maintain functionality and address vulnerabilities. That includes security patches and updates needed to maintain compatibility with operating systems and network environments.

The agency also expanded what types of updates are allowed. The original waiver covered only so-called Class I permissive changes, which are modifications that do not alter a device's reported performance characteristics.

The revised policy now includes Class II changes, which may introduce small variations in performance but are still considered acceptable under FCC rules. In practical terms, that expansion removes uncertainty around routine firmware updates that fall outside a narrow definition of "no-impact" changes.

The FCC's engineering office said the change is meant to avoid unintended consequences from its earlier rules. Allowing updates to continue, it said, helps "mitigate harm to US consumers" by ensuring that devices do not become frozen in time with unpatched vulnerabilities. That concern is especially relevant for routers, which are frequent targets if left unmaintained.

The waiver applies to equipment included on the FCC's Covered List, which identifies technologies the agency considers to pose "an unacceptable risk to the national security of the United States or the security and safety of United States persons." Devices on that list are subject to tighter controls, including limits on both import approvals and ongoing software support unless a waiver is granted.

While the extension provides some breathing room, it does little to clarify how the hardware restrictions will play out over time. Many router manufacturers have not yet secured exemptions to continue selling new devices in the US, and the approval process requires sign-off from either the Department of Defense or the Department of Homeland Security. That leaves vendors trying to plan product roadmaps without clear timelines for approval.

The outlook may be especially complicated for companies with ties to China. A report from the Global Electronics Association suggested that manufacturers based in or sourcing from allied countries could face fewer hurdles, while Chinese-origin companies may encounter a presumption of denial. TP-Link Systems Inc., whose headquarters are in the United States, is still waiting on a decision after meeting with FCC officials in April. In a filing, the company said, "TP-Link routers are safe and secure. Publicly available data places TP-Link on par with or ahead of other major industry players in terms of security outcomes."

For now, the FCC is trying to avoid a scenario where existing infrastructure becomes less secure because of its own rules. Extending the update window and broadening permissible software changes reflects the role ongoing firmware support plays in maintaining network security, even as the agency tightens controls on new hardware.

Permalink to story:

 
People serious about making hardware should be serious about making their own software.

How exactly does America think it's going to have developing nations build all our hardware and still be safe from exploits when we rely on those same countries for our firmware/software updates?
 
When they're talking about unsafe routers and show a picture of the one you own :/ Its also defective, I think, sooo..sounds like a great time to upgrade!
 
People serious about making hardware should be serious about making their own software.

How exactly does America think it's going to have developing nations build all our hardware and still be safe from exploits when we rely on those same countries for our firmware/software updates?
America could do better if people there would simply change the default password, which is responsible for waylst majority of issues. People of US would probably benefit as well from installing the updates, which would fix nearly all the other issues... But, instead doing such enormous and difficult stuff, us of a citizens will eagerly pay much more for losing nearly any control over their internet access, but we know their isp can be trusted. Lol.
 
Well seems like all those 80's/90's offshoring is just biting back... You can get really rich taking your production to nations with cheaper labor but you can't keep doing this and magically hope your own industrial capacity stay whole in any reasonable level...
 
FCC: "You can no longer sell your hardware here, because we believe there are security issues. However, you can still provide over-the-air firmware and software updates until ... because we want to keep everyone secure."

Malignant Manufacturer: "Thanks. While we are restructuring our corporate identity under another name, we will gladly script some new updates to (make sure the devices currently in place continue to serve our interests) insure our customers are kept safe. By the way, where shall we send our contributions? This time?"
 
Back