The U.S. Federal Communications Commission (FCC) has announced a ban on the import and sale of new foreign-made consumer routers, citing significant supply chain and cybersecurity risks. This move aims to protect American networks and critical infrastructure from potential exploitation by malicious actors. Existing routers already in use or previously approved are not affected by this new regulation.

Key Takeaways

• New foreign-made consumer routers are now banned from sale and marketing in the U.S.

• The ban addresses unacceptable supply chain and cybersecurity risks.

• Existing routers remain unaffected.

• Manufacturers can seek conditional approval if devices are proven safe.

National Security Concerns Drive FCC Action

The FCC's decision stems from a national security determination by Executive Branch agencies, which identified that foreign-produced routers introduce "supply chain vulnerability" and pose "a severe cybersecurity risk." These risks could potentially disrupt the U.S. economy, critical infrastructure, and national defense, and could be leveraged to severely disrupt U.S. critical infrastructure and directly harm U.S. persons.

Exploitation by Malicious Actors

State and non-state sponsored threat actors have reportedly exploited security shortcomings in foreign-made routers. These vulnerabilities have been used to gain unauthorized access to American households, disrupt networks, facilitate cyber espionage, and enable intellectual property theft. Furthermore, compromised routers can be conscripted into botnets for large-scale cyberattacks, including password spraying and unauthorized network access.

Adversaries with China-nexus, such as Volt Typhoon, Flax Typhoon, and Salt Typhoon, have been observed using botnets composed of foreign-made routers to target critical American communications, energy, transportation, and water infrastructure. These attacks have been used to embed and gain long-term access to networks.

The "Covered List" and Conditional Approval

All consumer-grade routers manufactured in foreign countries have been added to the FCC's "Covered List," which bars equipment deemed to pose an unacceptable risk to national security. This means new models will no longer be eligible for marketing or sale in the U.S. unless they receive conditional approval from the Department of War (DoW) or the Department of Homeland Security (DHS), after demonstrating they pose no risks.

Currently, the approved list includes only specific drone systems and software-defined radios. Producers of consumer-grade routers can submit applications for conditional approval. Notably, Starlink Wi-Fi routers, manufactured in Texas, are exempt from this policy.

Impact on Consumers and Businesses

The ban does not affect the continued use of routers already purchased by consumers. Retailers can also continue to sell router models that were previously approved through the FCC's equipment authorization process until their inventory runs out. For enterprises, the immediate impact may be limited as they often use enterprise-grade equipment, but long-term sourcing and cost challenges may arise due to reduced vendor choice and potential price increases.

Sources

• FCC Bans New Foreign-Made Routers Over Supply Chain and Cyber Risk Concerns, The Hacker News.

• FCC moves to ban new foreign-made routers over national security risks, Fox News.

• FCC Bans New Foreign Consumer Routers Over Security Risks, Petri IT Knowledgebase.

• US bans new foreign-made consumer internet routers, BBC.

• FCC targets foreign router imports amid rising cybersecurity concerns, Security Affairs.