John Z Black
Brunswick, ME • (207) 245-1010 • contact@johnzblack.com
The FCC updated its Covered List to bar new foreign-manufactured consumer routers from receiving FCC equipment authorization. No authorization, no legal sale. It’s effectively a market ban. Go ahead and flip over your router and check where it was made.
A few things the coverage has gotten wrong. This is not a China-specific rule. It covers all foreign-made routers regardless of origin. It applies to new models only. Your existing router isn’t recalled, isn’t banned, isn’t going anywhere. You don’t need to replace it.
The concern is real: consumer routers make excellent attack infrastructure. They run continuously, sit on the network perimeter, rarely get updated, and most owners never change the default credentials. Volt Typhoon exploited exactly this, building a botnet from compromised US consumer routers to conduct espionage against critical infrastructure. The ASUS KadNap botnet did the same thing.
But here’s the problem the rule doesn’t solve. The actual security risk in consumer routers is the firmware, not the chassis. Firmware is written in global development environments. It runs on chipsets from Taiwan and Malaysia and across Southeast Asia. A router assembled in Texas with globally-sourced components and foreign-developed firmware isn’t obviously more secure than one assembled in Shenzhen with the same ingredients.
The rule addresses the most visible part of the supply chain and leaves the rest. To actually move the needle, you’d pair this with mandatory firmware update mechanisms, required vulnerability disclosure programs, and audit rights. Whether that’s coming isn’t clear.
Your current equipment is fine. When you eventually replace it, the selection of new models will be thinner.