All foreign-made consumer routers have been banned from import into the US over security risks following a spate of attacks that targeted infrastructure.
The US Federal Communications Commission (FCC) said the ban applies to all new device models, including those designed in the US but manufactured overseas.
It will be possible for overseas-made routers to be added to an approved list, but that may require divulging a list of foreign investors and efforts to shift manufacturing to the US – something Trump has tried to encourage across the tech industry, including with threats of tariffs on chips.
Overseas threat?
So far, no router makers are on that exclusion list, but they have been encouraged to apply for conditional approvals.
"A majority of the routers currently in Americans' homes and businesses are manufactured in foreign countries," the government said via a statement shared by the FCC. "Given the criticality of routers to the successful functioning of our nation's economy and defense, the United States can no longer depend on foreign nations for router manufacturing."
The ban applies to any routers made outside the US, but the vast majority are produced in China or Taiwan. The rule only applies to new equipment: companies need not rip out existing infrastructure or bin the routers they already have.
This isn't the first time the US has targeted foreign-made infrastructure over security reasons: in 2020, the US demanded telcos "rip and replace" China-based Huawei kit, designating that company and compatriot ZTE as security threats. The UK has also banned Huawei from key networks. Such government bans aren't limited to networking equipment, as the US has also banned software made by Russia's Kaspersky.
Security threat to critical infrastructure
The move follows a string of attacks against US infrastructure that made use of home and small office routers, the FCC noted, pointing to the Volt, Flax, and Salt Typhoon campaigns that targeted critical infrastructure.
Salt Typhoon targeted American politicians' emails and compromised telecoms companies, while the Volt attacks went undetected for nearly a year, disrupting key infrastructure, including water utilities. Last year, thousands of Asus routers were hijacked to run a state-sponsored spying campaign, and flaws are frequently spotted in consumer-grade equipment, with compromised devices used to build bot networks.
"Recently, malicious state and non-state sponsored cyber attackers have increasingly leveraged the vulnerabilities in small and home office routers produced abroad to carry out direct attacks against American civilians in their homes," the FCC said. "From disrupting network connectivity to enabling local networking espionage and intellectual property theft, foreign-produced routers present unacceptable risks to Americans."
The FCC said it had been sent a national security designation from the central government saying the risk was no longer acceptable. "Routers in the United States must have trusted supply chains so we are not providing foreign actors with a built-in backdoor to American homes, businesses, critical infrastructure, and emergency services," the document said.
The FBI warned last year that outdated routers were being used for criminal attacks, and businesses have been warned that they must address common issues such as misconfiguration and weak encryption to avoid becoming victims.
Satya Nadella needs to remember the Streisand effect for 'AI slop'
Oracle announces new proactive enterprise agents
Thousands of ASUS routers are being hijacked in a state-sponsored cyber espionage campaign
Warning issued over critical flaws spotted in TP-Link routers
A sneaky cyber espionage campaign is exploiting IoT devices and home office routers – here's what you need to know
Edge devices are now your weakest link: VPNs, firewalls, and routers were the leading source of initial compromise in 30% of incidents last year – here’s why
