Key Takeaways
- The FCC banned the import and sale of all foreign‑made “consumer‑grade” internet routers in March 2026, placing them on its covered list with only DoD‑ or DHS‑approved conditional exemptions.
- Manufacturers were initially allowed to provide security updates to U.S. users until March 2027.
- In a May 8, 2024 public notice, the FCC’s Office of Engineering and Technology (OET) extended that deadline to at least January 1, 2029.
- The extension covers only software and firmware updates that mitigate harm—such as vulnerability patches and OS compatibility fixes—while prohibiting the addition of new features via the same channel.
- The same two‑year extension applies to foreign‑made drone systems and critical drone components banned for sale in December 2025.
- Unpatched, end‑of‑life routers remain a low‑visibility foothold for threat actors, as demonstrated by China‑linked Volt Typhoon and Salt Typhoon campaigns.
Background on the FCC Ban
In March 2026 the United States Federal Communications Commission (FCC) issued a sweeping prohibition on the import and sale of all “consumer‑grade” internet routers manufactured abroad. The agency justified the move by declaring that these devices posed an “unacceptable risk” to national security, citing concerns about potential espionage, sabotage, or the insertion of malicious code at the hardware level. Consequently, every router falling under this definition was added to the FCC’s covered list, effectively barring it from lawful commercial distribution within the United States. The only carve‑outs permitted were routers that had received a conditional approval from either the U.S. Department of Defense (DoD) or the Department of Homeland Security (DHS), meaning that a limited number of vetted foreign‑made devices could still be sold if they met stringent security criteria set by those agencies.
Details of the Original Deadline
Alongside the ban, the FCC notified the affected manufacturers in March 2026 that they could continue to ship security updates to existing U.S.-based customers until March 2027. This concession was intended to prevent a sudden loss of protection for consumers who had already purchased the banned routers, ensuring that critical vulnerability patches could still be delivered even though new sales were prohibited. The original deadline reflected a balance between safeguarding national security interests and mitigating the immediate risk of leaving millions of devices unpatched, which could otherwise be exploited by malicious actors seeking to compromise home and small‑business networks.
Extension Announcement by OET
On May 8, 2024, the FCC’s Office of Engineering and Technology (OET) released a public notice announcing that the deadline for providing security updates would be extended. The notice stated that the cutoff date would now be pushed to at least January 1, 2029, effectively granting manufacturers an additional two years beyond the original March 2027 limit. The OET framed the extension as a response to ongoing feedback from industry stakeholders and cybersecurity experts, who emphasized the practical challenges of coordinating patch distribution across a diverse, global supply chain while still upholding the security objectives of the ban.
Scope of the Extension (Software/Firmware Updates)
The extension applies strictly to software and firmware updates that are designed to mitigate harm to U.S. consumers. According to the FCC notice, permissible updates include those that patch known vulnerabilities, fix bugs that could impair device functionality, and ensure compatibility with various operating systems or network protocols. In essence, manufacturers may continue to deliver the maintenance‑type code necessary to keep the routers operating securely and reliably, but they are not authorized to use this mechanism for any other purpose. The FCC’s language makes clear that the intent is to preserve a baseline of security without enabling further feature development that could inadvertently reintroduce risk.
Prohibition on Adding New Features
Crucially, the public notice specifies that the extension does not permit manufacturers to add new features via the update channel. This restriction is intended to close a potential loophole whereby vendors might attempt to bypass the ban by releasing ostensibly “security” updates that actually introduce novel capabilities—such as new wireless standards, advanced management interfaces, or proprietary protocols—that were not present in the original banned hardware. By limiting updates to harm‑mitigation purposes only, the FCC seeks to ensure that the extended window does not become a backdoor for enhancing the functionality of devices that were deemed too risky to sell in the first place.
Extension to Drone Systems and Components
The same two‑year extension applies to foreign‑made drone systems and their critical components, which were banned for sale in the United States in December 2025. Like the router restriction, the drone ban was motivated by national‑security concerns, particularly the possibility that adversarial nations could exploit drones for surveillance, data exfiltration, or as platforms for delivering payloads. The OET’s notice clarified that manufacturers of these prohibited drone products may continue to supply security‑related software and firmware updates to existing U.S. operators until at least January 1, 2029, subject to the same limitations on feature additions. This parallel treatment underscores the FCC’s broader strategy of managing risk across multiple categories of imported communications‑and‑navigation equipment.
Security Implications and Real-World Threats
Unmanaged network infrastructure—especially routers that remain unpatched or have reached end‑of‑life—continues to serve as a low‑visibility foothold for attackers aiming to establish persistent access within corporate environments. The FCC’s action acknowledges that simply banning new sales does not eliminate the risk posed by the existing legacy fleet. Recent cyber‑espionage campaigns attributed to China‑linked threat groups, notably Volt Typhoon and Salt Typhoon, have demonstrated how compromised routers can be used as pivot points for lateral movement, data theft, and the establishment of covert command‑and‑control channels. By extending the update window, the FCC hopes to reduce the attack surface while a longer‑term solution—such as incentivizing hardware replacement or fostering domestic production of secure networking gear—can be pursued.
Conclusion and Outlook
The FCC’s decision to extend the security‑update deadline for banned foreign‑made routers (and drones) to at least January 1, 2029 reflects a pragmatic approach to balancing national‑security imperatives with the realities of maintaining a protected consumer base. While the extension preserves essential patching capabilities, it simultaneously reinforces strict limits on feature additions to prevent circumvention of the original ban. Moving forward, policymakers may need to consider complementary measures—such as subsidies for upgrading to vetted domestic equipment, stricter compliance audits, or incentives for manufacturers to transition production to secure, trusted sources—to fully mitigate the lingering vulnerabilities presented by legacy, foreign‑sourced network devices. Until such steps are realized, the extended update window serves as a critical interim safeguard for U.S. consumers and enterprises alike.