Your Wi-Fi router is the kind of box you forget about until the movie buffers or your work call turns into digital mush. Now the Federal Communications Commission has moved to block approval of new consumer router models produced abroad, and it quietly puts a countdown timer on something that matters even more than speed.
Under an FCC waiver, existing routers can still receive the software and firmware updates that fix security flaws, but only until at least March 1, 2027.
That date is the headline hiding inside the fine print. So what happens when the updates stop? A router that cannot be patched becomes the kind of unguarded entry point attackers love, especially in homes packed with smart TVs, doorbells, and always-on laptops.
What the FCC actually changed
On March 23, the FCC updated its “Covered List” to include all consumer-grade routers produced in foreign countries, which blocks new models in that category from receiving the equipment authorization needed to be imported, marketed, or sold in the United States.
The agency says this follows a White House-convened interagency determination that such routers pose “unacceptable risks” to national security or to the safety and security of U.S. persons.
The FCC also stresses what did not change. You can keep using a router you already own, and retailers can keep selling models that were previously authorized. The restrictions mainly hit future device models, not the installed base sitting on your shelf today.
The waiver that keeps patches flowing for now
If a device lands on the Covered List, the FCC’s equipment authorization rules can become surprisingly strict. The Office of Engineering and Technology says revisions that took effect in December 2025 exclude covered equipment from the normal pathway for “Class I permissive changes,” a bucket that can include software, firmware, and security updates.
To avoid cutting off critical fixes, that office issued a public notice on March 23 that temporarily waives the prohibition for certain updates. It says all routers authorized for use in the United States may continue to receive software and firmware updates that “mitigate harm to U.S. consumers” at least until March 1, 2027, including patches and compatibility updates.
The notice also makes clear the FCC has left itself room to change course. It says the office will re-evaluate whether to extend the waiver before the March 2027 date, so this is not just a ban: it’s a ticking software policy decision.
Security logic and the awkward tradeoff
In its fact sheet, the FCC argues foreign-produced routers create both supply chain exposure and cybersecurity risk. The agency says malicious actors have exploited security gaps in foreign-made routers and links them to the Volt, Flax, and Salt Typhoon cyberattacks that targeted vital U.S. infrastructure.
The problem is that home router security often fails for more ordinary reasons. The Technology Policy Institute warns that a waiver that expires can turn today’s routers into tomorrow’s unpatched devices, and Dark Reading quotes experts who say missed patches, default credentials, and exposed management interfaces drive many compromises no matter where the hardware was built.
So the policy’s success depends on two things happening at once. The U.S. wants fewer supply chain risks, but it also needs the installed base to stay patchable until consumers and small businesses can reasonably replace gear. That is the tightrope.
The business side is where people may feel it first
Analysts cited by Light Reading say “nearly 100%” of consumer routers are manufactured or assembled outside the United States, which means this approach can squeeze almost the entire market, including U.S. brands.
If approvals slow down, the article warns of supply shortages and higher prices that ripple from router makers to internet service providers that bundle Wi-Fi gear with broadband plans.
The FCC points to an exception called “Conditional Approval” that can be granted by the Department of War (listed as “DoW” in the FCC materials) or by the Department of Homeland Security.
Light Reading reports that applicants are expected to disclose corporate structure and supply chain details, plus a “detailed, time-bound” plan to establish or expand manufacturing in the United States, while the Technology Policy Institute says these conditional approvals can last up to 18 months.
How to protect your network right now
Start with the simple stuff you can do tonight. Turn on automatic updates if your router offers them, change default admin credentials, and disable remote administration unless you truly need it. Security is often won or lost on these basics, not on branding.
Next, shop with the update cycle in mind. Before you buy, look for a clear promise of ongoing security support for that exact model, and avoid devices that are already near end of life. The FCC waiver is time-limited, so the practical value of long-term support is suddenly higher.
Finally, limit the damage if something goes wrong. Put smart home gadgets on a guest network, keep your router’s management interface off the public internet, and consider managed Wi-Fi options if you do not want to babysit updates yourself. Small steps, big payoff.
What to watch before March 2027
One big question is whether the FCC extends the waiver or replaces it with a longer-term mechanism that keeps security updates legal while the market shifts. The waiver itself says the Office of Engineering and Technology will re-evaluate before March 1, 2027, so the countdown is real but not final.
The other question is whether conditional approvals become a workable pipeline or a narrow gate. If approvals are scarce or slow, consumers may hang onto older gear longer, which can be a security problem in its own right.
For now, the safest assumption is that router policy will stay in flux as regulators and manufacturers negotiate what “secure” really means at scale.
The official public notice was published on the Federal Communications Commission.
