FCC walks back router update ban before it bricks America’s network security

Networks

Quietly extends waivers to 2029 after realizing it was about to leave millions of devices unpatched

America’s telco regulator has seen some sense over its ban
on foreign-made routers, deciding that existing devices should continue receiving software and firmware updates after all.

The Federal Communications Commission (FCC) has extended waivers covering certain foreign-made routers (and drones) already operating in the US, pushing the update deadline to at least January 1, 2029. Without the extension, updates would have been blocked as early as 2027.

Back in March, the FCC updated its Covered List to include all
foreign-made consumer routers, prohibiting the approval of any new models.
This effectively banned any new kit made in other countries from being sold,
but did not prevent the import, sale, or use of existing models that had previously
been authorized.

The policy stems from fears that foreign-made router pose a security threat. Because they handle network traffic, they could introduce
vulnerabilities exploitable against critical infrastructure, and in
the words of the FCC represent “a severe cybersecurity risk that could harm
Americans.”

Miscreants have exploited security flaws in routers to
disrupt networks or steal intellectual property, and routers are implicated in
the Volt, Flax, and Salt Typhoon cyberattacks.

The policy was widely regarded as flawed, not just because the
vast majority of consumer router kit is made outside the US or built from components
sourced abroad, but because vulnerabilities and security flaws are not limited
to any particular geography, and appear in products from all brands and
countries of origin, as noted
by the Global Electronics Association (GEA).

Blocking firmware updates, which typically deliver security patches for newly discovered flaws, also seemed a peculiar own goal for a regulator whose stated motivation is reducing network vulnerability. 

The FCC has belatedly recognized this, stating that its
policies would have “had the effect of prohibiting permissive changes to the
UAS, UAS critical components, and routers added to the Covered List in December
and March.

“This prohibition would be in effect even for Class I and Class II
permissive changes – such as software and firmware security updates that
mitigate harm to US consumers – because previously authorized UAS, UAS critical
components, and routers are now covered equipment.”

The waivers now run until at least until January 1, 2029, falling into the final month of the Trump administration, when there is a chance this may be overlooked in the preparations for Trump’s successor.

The FCC extension was met with some approval. Doc McConnell, head
of policy and compliance at security biz Finite State said in a supplied
remark: 

“I strongly support the FCC’s decision to allow firmware and software
updates for already-authorized routers, including covered devices already
deployed in the United States.”

“The biggest practical security risk with routers is not
only who made them, but whether they remain patched. When they stop receiving
updates, known vulnerabilities remain exposed, attackers gain durable
footholds, and consumers are left with equipment they cannot realistically
secure on their own.

“The original restriction risked creating exactly that
problem: millions of deployed routers frozen in time, unable to receive
security fixes. I appreciate the FCC recognizing that preventing updates could
unintentionally make Americans less safe,” he added.

However, as previously reported by The Register, the FCC’s
Conditional Approval framework explicitly requires vendors seeking approval for
new routers to submit plans to establish or expand manufacturing in America, with quarterly progress updates.

As stated by the GEA, “The policy’s logic assumes that
manufacturers can and will move production to the United States.” That might be
an assumption too far. 
®