
You'll Subscribe to Your Router, Too | The First Router Bribes Are Here
AI Summary
The United States has effectively banned the sale of new foreign-made consumer router models, citing national security concerns. This move is seen by some as a way to consolidate power for Internet Service Providers (ISPs), who increasingly require router rentals as part of their service. The US currently produces almost no routers, with Starlink, led by government contractor Elon Musk, being a notable exception. Ironically, Musk's company has been running ads against stories about the FCC's ban on his competition.
This ban is expected to increase router prices and potentially worsen security due to reduced innovation and fewer updates for older models, which are currently the only ones allowed to be sold. While exemptions exist, they often require significant lobbying efforts, as seen with Netgear, which secured conditional approval after spending $560,000 lobbying the US government since 2023. This raises questions about anti-competitive practices.
The NSA recently urged everyone to update their routers, which some view suspiciously in light of the government's increasing collaboration with surveillance-focused companies like Flock, Rain, and Palantir. The ban also extends to portable Wi-Fi hotspot devices and could potentially include phones, making the regulation sweeping enough to cover almost any device that connects another to the internet.
The FCC's "covered list" of equipment deemed a security risk was updated on March 23, 2026, to include "Routers produced in a foreign country except routers which have been granted a conditional approval by DOW or DHS." Most consumer routers, even those from US-based companies, are manufactured outside the US. Existing routers and old product models already in the country can still be sold, but this supply will diminish over time, and these models will eventually lose access to critical security updates. This could make consumers more vulnerable, as highlighted by past security issues with brands like ASUS, TP-Link, and Cisco.
This policy comes after the Trump administration cut thousands of jobs from federal cybersecurity work and proposed significant budget cuts to the Cybersecurity and Infrastructure Security Agency (CISA). The current administration is also attempting to cut cybersecurity funding, reducing CISA's budget to $2 billion annually from $2.5 billion. For context, this is less than three days of Nvidia's quarterly revenue.
The FCC's stated reason for the ban is that foreign-made routers "pose unacceptable risks to the national security of the United States or the safety and security of US people," citing their alleged involvement in cyberattacks like Volt, Flax, and Salt Typhoon. However, critics point out that American routers weren't implicated simply because there are none. The FCC also argued against US dependence on "outside power for core components necessary to the nation's defense or economy." US Representative Moolenaar, chairman of the House Select Committee on the Strategic Competition between the United States and the Chinese Communist Party, praised the move as protecting against "China's relentless cyber attacks."
However, many of these routers are manufactured in Thailand, Vietnam, and Taiwan, not China. Critics argue that this move, if aimed at surveillance, merely shifts control to the US government, representing "a different flavor of surveillance." FCC chairman Brendan Carr, known for controversial statements regarding free speech and his past as an advisor to former FCC chairman Ajit Pai (infamous for repealing net neutrality), is at the forefront of this initiative. ISPs, who benefit from router rentals, spend millions lobbying annually.
The Biden administration previously considered banning Chinese-founded TP-Link, which accounts for 65% of home and small business routers in the US, and oversaw the banning of computer cooling manufacturer Deepcool. Texas Attorney General Ken Paxton sued TP-Link, alleging it allowed the CCP to access American consumer devices and that its products were used in state-sponsored cyberattacks. TP-Link, founded in Shenzhen, China, is now headquartered in California, with US product manufacturing in Vietnam since 2018. The company states it does not sell products to mainland China, and its CEO and his wife have applied for US permanent residency through the "gold card program."
The FCC's fact sheet clarifies that "Foreign-Made consumer grade routers are prohibited from receiving FCC authorization and are therefore prohibited from being imported for use or sale in the US." Existing authorized models can continue to receive updates until at least March 1, 2027. This means companies will eventually be forced to abandon older models, hindering technological advancement in the US market.
The FCC's definition of "routers" is broad, encompassing "consumer grade networking devices that are primarily intended for residential use and can be installed by the customer." This open-ended definition could extend to Wi-Fi extenders, mesh systems, smart TVs, game consoles, and even computers, raising concerns about the scope of the ban.
Security experts like Bitdefender's threat research director note that the ban has "clear limitations" as it doesn't address the large installed base of existing devices. The FCC's insinuation that existing routers may not receive security updates beyond March 1, 2027, only exacerbates the issue, as many consumers will not replace their devices until they stop working, likely opting for ISP-provided solutions. This benefits ISPs, who are major government technology donors.
The EFF called the FCC's approach a "blunt instrument" that impacts "many harmless products" and highlighted the "defunding of cyber defense initiatives." Telecom reporter Karl Bode suggested that the Salt Typhoon hack, cited by the FCC, was caused by "a lack of oversight and regulation of telecom monopolies," with many failing to change default admin passwords.
Professor Milton Mueller argues that focusing on the geographic location of assembly lines ignores the "logical supply chain of the software." A US-assembled router with poorly written software is just as vulnerable as a foreign one. Open-source solutions can even make older routers more secure.
The foreign router ban also introduces conflicts of interest, particularly with Starlink, whose routers are reportedly made in Texas (though sometimes Vietnam). Elon Musk's close government ties could lead to Starlink contracting for consumer routers. Conditional approvals are now to be handled by the Department of Defense or Homeland Security, which could slow processes and raise additional spyware concerns. This environment may create more opportunities for "political contributions" to bypass regulations, favoring companies with existing government relationships. Netgear's lobbying efforts and its lawsuit against TP-Link, accusing it of ties to the Chinese government, illustrate this dynamic. Netgear's CEO even stated that TP-Link is a "national security risk" in an earnings call, signaling its intent to regulators.
Beyond corporate collusion, there are concerns about potential government backdoors in these devices, which have access to extensive online activity data. Such access could facilitate authoritarian control, oppression of speech, or manipulation of information, reminiscent of China's "Great Firewall." This raises concerns about the US government creating a slippery slope where it might engage in practices it criticizes other countries for.
The FCC's focus on "consumer grade" routers, excluding industrial, enterprise, or military contexts, is notable. Government and military routers are already subject to stricter regulations like the Buy American Act, which allows waivers if domestic products are unreasonable in cost or against public interest—an option not available to consumers. There is also evidence that the US government has purchased TP-Link equipment in the past.
Parallels are drawn to the FCC's ban on drones, which also cited "unacceptable risks to the national security." Similar to routers, this ban disproportionately affects competitive Chinese companies like DJI, while introducing conflicts of interest, such as President Trump's sons' partial ownership in a firm merging with a drone manufacturer.
In summary, the router ban is expected to lead to decreased innovation, limited access to new technology, and increased costs for American consumers. It may facilitate ISPs' router rental schemes and creates conflicts of interest favoring companies like Starlink. While the US claims to address foreign attacks, the reality is that vulnerabilities can exist in any router, regardless of origin, often at the software level. The ban is unlikely to significantly boost US manufacturing in the short term, given the global supply chain.
The historical opposition to right-to-repair by corporations has even led to routers being bricked if users attempt to install more secure open-source firmware. This current situation is seen as a rapid acceleration of long-standing issues of corporate collusion and government collaboration, where "bribes aren't disguised anymore."
Ultimately, this move is interpreted as a play for government and corporate control over public communications, potentially enabling surveillance, targeted advertising, or even propaganda. The fact that the official White House app reportedly tracks user locations and presents security risks further underscores the concern that the government's focus on consumer routers is a blend of surveillance and corporate interests, rather than genuine security. Open-source solutions like OpenWrt and pfSense offer alternatives for those concerned about security and surveillance.