The FCC banned all new foreign-made consumer routers from receiving equipment authorization effective March 23, 2026. The ruling cites Volt, Flax, and Salt Typhoon — three state-sponsored cyberattack campaigns that weaponized consumer routers against US critical infrastructure.
This isn't like the Huawei/ZTE bans. This is categorical — every router produced outside the United States, regardless of manufacturer. A router designed by a US company but assembled in Taiwan is treated the same as one built in Shenzhen.
The punchline for infrastructure engineers: Enterprise gear (Cisco ISR/Catalyst, Arista, Juniper) is exempt. But every remote worker connecting to your network through a consumer router is now using a device the US government officially classifies as a national security risk.
The Supply Chain Numbers
China and Taiwan produce 60–75% of routers sold in the US market. Domestic production sits at roughly 10%. Virtually every major brand is affected:
| Brand | Manufacturing Location | Status |
|---|---|---|
| TP-Link | China, Vietnam | Likely blocked longest |
| Asus | Taiwan, China | Needs Conditional Approval |
| Netgear | China, Vietnam, Taiwan | US company, still needs approval |
| Amazon Eero | Taiwan | US company, needs approval |
| Google Nest Wifi | China, Taiwan | US company, needs approval |
| Cisco (Enterprise) | US, Mexico | Unaffected — enterprise classification |
| Arista | US | Unaffected — enterprise classification |
Expect consumer networking equipment prices to rise 15–30% over the next 12 months as inventory depletes.
How Volt/Flax/Salt Typhoon Exploited Consumer Routers
Understanding the attack chain matters for your defensive architecture:
- Initial compromise — Exploit known firmware vulnerabilities (many unpatched for years) for admin access
- Persistence — Install rootkits that survive reboots, invisible to end users
- Lateral pivot — Use compromised router as a trusted position to intercept VPN traffic, perform DNS hijacking, or tunnel into corporate networks
- Exfiltration — Route stolen data through chains of compromised routers across multiple countries to obscure attribution
Volt Typhoon used SOHO routers as persistent C2 infrastructure with living-off-the-land techniques. Flax Typhoon built a 260,000-device botnet — primarily routers — for traffic proxying. Salt Typhoon penetrated AT&T, Verizon, and T-Mobile through router-level exploits.
The Three Enterprise Challenges
1. Remote Worker Edge Risk
Every WFH employee connects through a consumer router that the FCC now classifies as a national security risk. Your mitigation stack:
- Always-on VPN with split-tunnel policies routing all corporate traffic through your perimeter — bypass the router's ability to inspect or manipulate traffic
- NAC enforcement via Cisco ISE or similar — verify device posture before granting network access, regardless of the home router
- ZTNA — authenticate identity, not transport. A compromised home router shouldn't give lateral movement into sensitive segments
2. Supply Chain Audit
The procurement model just shifted from vulnerability-based assessment to origin-based trust evaluation:
| Audit Category | Action Required | Timeline |
|---|---|---|
| Hardware BOM | Map country of origin for every edge device component | 30 days |
| Firmware supply chain | Verify signing keys and build pipeline for all router firmware | 60 days |
| Vendor questionnaire | Add Covered List compliance checks to RFP templates | Immediate |
| Conditional Approval tracking | Monitor vendor applications and status | Ongoing |
| Software update pathway | Confirm firmware entitlement through March 2027 waiver | 30 days |
3. Vendor Concentration Risk
The narrowing pool of approved suppliers creates dependency and potential single points of failure. If you're running SD-WAN with Catalyst 8000 vEdge platforms, the enterprise equipment is safe — but hub-and-spoke topology assumptions change when you can't trust the last-mile consumer device.
Consider deploying DMVPN or FlexVPN tunnels with certificate-based authentication that validates endpoint identity independent of the transit network.
What's Banned vs. What's Not
| Aspect | Banned | Not Banned |
|---|---|---|
| Scope | New FCC authorizations for foreign-made consumer routers | Enterprise-grade networking equipment |
| Existing devices | Not affected — keep using lawfully purchased routers | No recall or forced replacement |
| Firmware updates | Permitted through at least March 1, 2027 | Waiver may extend |
| Retail inventory | Already-authorized models still sellable | Current stock can clear |
| Exemptions | Conditional Approval pathway through DoW/DHS | Case-by-case, no timeline |
The Conditional Approval Pathway
Manufacturers can apply to DoW or DHS for Conditional Approval. Requirements: disclose full management structure, detail supply chain, present a plan for onshoring manufacturing to the US. Approval is discretionary, typically limited to 18 months.
The precedent from the December 2025 drone ban: exactly 4 drone systems received Conditional Approval — all non-Chinese. DJI and Autel remain fully blocked. Expect a similar pattern for routers.
Your Action Checklist
This Week
- Inventory your edge — complete asset discovery of every device, including remote worker equipment
- Classify devices — separate enterprise (exempt) from consumer (covered)
- Verify firmware currency — confirm all foreign-made devices run latest patches
- Update RFP templates — add Covered List compliance to procurement docs
- Brief your CISO — quantify exposure: number of remote workers, consumer router models, attack surface
Next 90 Days
- Deploy ZTNA that authenticates independent of transport network
- Move to certificate-based VPN auth with OCSP stapling (eliminate PSK)
- Evaluate SASE (Cisco Umbrella SIG, Zscaler) to bypass home routers entirely
- Build a vendor compliance matrix tracking Conditional Approval status
CLI Quick Reference: Verifying Device Trust
For Cisco IOS-XE environments, validate your firmware signing chain:
show platform integrity sign nonce 12345
show software authenticity running
show version | include System image
Critical for demonstrating supply chain integrity in compliance audits.
The Regulatory Trend
| Year | FCC Action | Scope |
|---|---|---|
| 2020 | Huawei/ZTE added to Covered List | Two specific companies |
| 2021 | Kaspersky added | One company |
| 2022 | China Telecom/China Mobile revoked | Specific carriers |
| 2025 | Foreign drone ban | Product class by origin |
| 2026 | Foreign router ban | Product class by origin |
Origin-based restrictions are expanding from specific entities to entire product categories. Network switches, access points, and IoT gateways could follow. Plan accordingly.
This article was originally published on FirstPassLab. For more deep dives on network security and infrastructure engineering, check out firstpasslab.com.
🤖 AI Disclosure: This article was adapted from the original blog post with AI assistance for formatting and Dev.to optimization. All technical content, analysis, and recommendations are based on the cited sources.
Top comments (0)