tomshardware[.]com/networking/routers/fcc-reverses-course-allows-software-updates-for-foreign-made-drones-and-routers-until-2029-agency-says-blocking-security-patches-could-create-cybersecurity-risks

I guess the folly of trying to enforce a ban on router software updates [by a US agency that HAS NOTHING TO DO WITH SUCH THINGS] finally occurred to the FCC's chief A******, so he took a few minutes off from his new war on Disney/ABC and issued an official statement that those software updates would in fact be allowed until January 1, 2029 [when he'll have at most 20 days left in office]. How generous of him.

pcmag[.]com/news/fccs-foreign-made-router-ban-expands-to-portable-wi-fi-hotspot-devices

The US ban on foreign-made Wi-Fi routers also affects portable Wi-Fi hotspot devices, according to an update from the Federal Communications Commission.

On Wednesday, the FCC updated its FAQ on the ban, clarifying which consumer-grade routers are subject to the restrictions.

Portable Wi-Fi hotspots are usually considered a separate category from Wi-Fi home routers. Both offer internet access, but portable Wi-Fi hotspots use a SIM card to connect to a cellular network rather than an Ethernet cable inside a residence. However, the FCC’s FAQ now specifies that “consumer-grade portable or mobile MiFi Wi-Fi or hotspot devices for residential use” are covered under the ban.

Amazon, which has made efforts to be *friendly* with the current US admin [huge donations, mass firings by Bezos at the Washington Post, which the pres hates etc.] has now made the exclusion list.

The US FCC actually has very little to do with anything tech -- they only make sure that electronic / electrical devices don't interfere with radio or TV broadcast. The idgit in charge simply says they won't check any new routers for broadcast airwave interference unless they're on his approved list, and without that check they can't be sold. Obviously that has nothing to do with any firmware updates, so it's very uncertain how he would go about preventing them, though they are included in his BS order.

docs.fcc[.]gov/public/attachments/DA-26-351A1.pdf

netgear[.]com/letter-from-the-ceo-fcc-conditional-approval/?clickId=5451383818

Regarding Netgear, I posted earlier that there was evidence pointing at Netgear *maybe* being responsible, at least in part for the router ban. They certainly did their part trying to trash the market leader, TP-Link. Well now it looks like the fix is in, with Netgear getting government approval without doing anything, at least publicly -- no telling what happened behind closed doors. Their routers are still made in Asia, & they've announced no plans to move anything to US shores, but the gov however is satisfied.

FWIW, for my part, realizing it will make no difference whatsoever, I will NEVER purchase anything from Netgear from now on.

theverge[.]com/tech/899906/fcc-router-ban-march-2026-explainer

I was going to add a link to this article a few days ago, but it went from readable to behind a paywall. Now it's back to readable, at least at the moment.

The ridiculous router ban states that it's reason for existence is: "Volt, Flax, and Salt Typhoon". That alone betrays the ignorance of the FCC's head A******. Salt Typhoon is one of the nicknames given to a Chinese hacking group by cyber security folks. Flax Typhoon is another group that has been linked to the Chinese government. Both groups set up botnets that they used as part of their infrastructure to target less secure government IT. A botnet is basically a number of devices that have been hacked, giving cyber criminals access to their core functions. Cyber criminals then tell the individual devices to do something, e.g., contact a web server for a DDoS attack. In this case they served to hide the cyber criminal's activities as they hacked into government IT. Arguably, if governments secured their IT operations, any botnets would not have mattered. One sign that the US government's IT security was sorely lacking is that these hackers breached government systems and maintained their presence there for at least 5 years before being detected (!).

bleepingcomputer[.]com/news/security/chinese-hackers-hid-in-us-infrastructure-network-for-5-years/

The botnets themselves target routers, modems, IoT devices, and web-facing apps. IoT devices are things like cameras, power switches, lights etc. that use WiFi. Most brands are included.

vulncheck[.]com/blog/flax-typhoon-botnet

npr[.]org/2024/10/01/nx-s1-5124848/inside-the-investigation-into-a-giant-chinese-botnet

blog.lumen[.]com/derailing-the-raptor-train/

The US gov [CISA & FBI] verify the vulnerabilities that allowed routers etc. to be compromised are present in their software [firmware]. They urged manufacturers to harden their software's security, advising consumers to keep devices updated, stop using devices that are EOL and not receiving updates, and frequently reboot devices like routers to flush any malware in the device's memory. A large part of the problem however is something consumers cannot easily/cheaply mitigate themselves... Telecommunications companies are notoriously lax when it comes to security -- security costs money -- and the modems & routers they supply customers are often worst offenders.

bleepingcomputer[.]com/news/security/cisa-vendors-must-secure-soho-routers-against-volt-typhoon-attacks/

bleepingcomputer[.]com/news/security/flax-typhoon-hackers-infect-260-000-routers-ip-cameras-with-botnet-malware/

At any rate, the main problem is that government IT systems are getting hacked. If they were more difficult to hack, these large botnets would be irrelevant, and wouldn't need to exist, so they would not. They're simply a tool, a means to an end. That's not to say that manufacturers of connected devices, including routers, could not do a better job of writing & updating the firmware these devices use. They could also tremendously improve their communication with customers. Do you know when your devices have a firmware update available? Do you know when one of your devices reaches EOL, and will not get any further updates? It's up to you to find that info and check it regularly. It would be nice if you didn't have to, if you received a communication from the manufacturer. And none of this of course has Anything to do with the electronics or construction of connected devices. The ban is B*******. A chip can be covertly added -- the US gov has done so in the past -- but the firmware will not recognize and use it unless it's been designed to do that, and without that the chip is limited to capturing a copy of whatever data. That's not a problem for a dodgy manufacturer, but a well known US-based firm is Not going to add chip-enabling spyware to their firmware.

Googling to see if Netgear had made political donations that might have influenced the ban -- I didn't find any -- I came across a Reddit post where someone had been doing quite a bit of digging. Besides detailing how Netgear was likely behind the government scrutiny of TP-Link, it tells how a Netgear board member also sits on the influential Aspen Digital U.S. Cybersecurity Group. They do have the ear of the administration.

reddit[.]com/r/pwnhub/comments/1s2thgj/the_fcc_router_ban_following_up_on_a_post_here/

aspendigital[.]org/person/brad-maiorino/

aspendigital[.]org/project/us-cybersecurity-group/

I do not know if the writer of [1] made a slip-of-the-pen, or really does not know the term "router" was used long before consumer-grade networking devices were produced.

Just using the generic term "router" conversationally. The gov will need to clarify everything in later docs, since there are still Lots of details that have to be spelled out. The referenced Report 8425A for the most part reinforces what I posted earlier about the importance of the router's firmware. [Which perhaps the officials involved neglected to read.] It doesn't say anything about where a router is manufactured, but is a government doc that contains a definition of a consumer grade router, which I'd guess is all that they were after in this case [since I highly doubt anyone involved actually knew what a router was, so couldn't supply any sort of definition themselves].

For anyone interested, the tech definition I like of a network router is: "A router is a device that connects two or more packet-switched networks or subnetworks. It serves two primary functions: managing traffic between these networks by forwarding data packets to their intended IP addresses, and allowing multiple devices to use the same Internet connection." Put another way, a web site sends the data making up a web page to your home address [usually the IP address assigned to your router by your ISP]. The router assigns a similar address to every connected device, and routes the data from that web page to the address of the device that requested it. A switch in contrast allows multiple devices to connect over one cable by giving each one a turn [like a round robin]. While there are several features that differentiate between brands/models, the ones that grab the ad headlines and determine cost tier are usually WiFi capabilities. That 8425A doc defines consumer grade routers as routers typically installed by the user at home, though those same routers are often found in small to mid-size biz, while corp IT uses beefier &/or virtual versions.

cisco[.]com/site/us/en/learn/topics/small-business/what-is-a-router.html

cloudflare[.]com/learning/network-layer/what-is-a-router/

I've tried not to sound overly biased, so this last part is just IMHO & FWIW... the way things have worked with the US gov this past year, is that if a company makes the right donations, supports the right political movement & its influencer advocates, and so makes their case to the gov on what they want to see happen, there's an excellent chance that it will happen, e.g., the reported call in to an influencer that was repeated on Fox News, resulting in ICE supplementing TSA. Netgear, a company that makes routers, has seen its stock prices surge since the ban was announced, despite their routers being made in the same countries as TP-Link for example. I would not be surprised if it turned out that their new model routers are approved -- Wall St. certainly thinks they will be -- indicating they have friends in the right places. If it turns out that's true, it would strongly hint that Netgear was behind the ban that decimates their competition.

wired[.]com/story/us-government-foreign-made-router-ban-explained/

neowin[.]net/news/us-bans-import-of-routers-due-to-severe-cybersecurity-risks/

I believe the primary effects of the ban will be that 1) consumer grade routers will go up in price [probably by a Lot], 2) the manufacturer's cost for authorized new routers, at least at first, will be inflated because of necessary political donations [to expedite approval], with development costs reduced to compensate, 3) security will at best likely match the average router sold today, but may well be less than current offerings. As Bogdan Botezatu, director of Threat Research at cybersecurity firm Bitdefender, in the Wired article says: "... what matters more than geography is the security model behind the product." That means the router's firmware, more than anything else. [I did not include the added cost of on-shoring production, because only plans to move production are required, while the actual move may not be.]

People, and now AI write programming code, and both make errors that impact router security. It's like Windows, where every month patches are released to fix vulnerabilities that have been discovered since the last update. The router's firmware, the software that runs the router, ideally is written with security in mind, so that there are no known vulnerabilities. Then as soon as vulnerabilities are discovered, a new version that fixes those vulnerabilities is released. As you know from trying and using various apps, and Windows, the care & quality of the software's code varies -- they can spend the necessary time & effort to produce high quality work, or settle for the quickest solution that *seems* to work OK, e.g., the usual Windows update. Router design is important to give good WiFi range, coverage, and throughput, but the quality of the firmware, and the company releasing timely firmware updates, are more important, especially concerning security.

Which is why the US government's stated reason for the ban, better security, is nonsensical and based on ignorance. An additional chip [or 3] could be added during the manufacture of a router's circuit board that could send a mirror copy of traffic to someone else. But to guard against a router getting hacked, or to add a backdoor as the gov often claims, you're talking about the firmware. Now American router companies are responsible for the firmware their routers use, regardless where they are manufactured. They might use engineers at their home office, contract the work to people anywhere in the world, &/or fall prey to North Korea's shadow remote IT workforce. Like any other company writing software, they are susceptible to online attacks, breaches, and supply chain breaches, particularly when they include open source libraries. If you want to increase security of routers, start [and stop] at the firmware.

That said, when it comes to widely reported campaigns targeting routers, the real villains are whomever is still using EOL routers. Like Windows itself, routers have a supported lifespan. Once that ends, they don't receive any further updates. The routers will still work, so people keep using them -- it's like continuing to use unsupported copies of Windows, which are more vulnerable to getting hacked [like Microsoft keeps telling us]. I can sympathize, and in fact that's my personal worry about this whole mess -- will the company that makes my router decide to throw in the towel, no longer supplying firmware updates to their products in the US. That would be an added tax [forcing me to buy a new router] that I do Not want to pay. For some people there's an alternative in the form of open source router firmware, but my router is not supported by these alternatives.

dd-wrt[.]com/

openwrt[.]org/

freshtomato[.]org/

various texts show an inconsistency in the definition of routers:
1) The How are routers defined?

The FCC followed the definitions in the National Security Determination.
“Routers” is defined by National Institute of Standards and Technology’s Internal Report 8425A to mean consumer-grade networking devices that are primarily intended for residential use and can be installed by the customer. Routers forward data packets, most commonly Internet Protocol (IP) packets, between networked systems.
source: https[:]//www.fcc.gov/faqs-recent-updates-fcc-covered-list-regarding-routers-produced-foreign-countries

2) Routers: For the purpose of this determination, the term “Routers” is defined by National
Institute of Science and Technology’s Internal Report 8425A to include consumer-grade
networking devices that are primarily intended for residential use and can be installed by the
customer. Routers forward data packets, most commonly Internet Protocol (IP) packets, between
networked systems.
source: https[:]//www.fcc.gov/sites/default/files/NSD-Routers0326.pdf

So, according to [1] a router is primarily intended for residential use, while according to [2] the classical definition of a router has been extended to include consumer-grade
networking devices that are primarily intended for residential use and can be installed by the
customer.

I do not know if the writer of [1] made a slip-of-the-pen, or really does not know the term "router" was used long before consumer-grade networking devices were produced.

reuters[.]com/sustainability/boards-policy-regulation/fcc-banning-imports-new-chinese-made-routers-citing-security-concerns-2026-03-23/

fcc[.]gov/faqs-recent-updates-fcc-covered-list-regarding-routers-produced-foreign-countries

No one needed any further proof of the US government's incompetence & insanity, but here it is. The gov will not authorize or approve ANY new routers for home or consumer use -- already approved routers can still be imported & sold. They are allowing router manufacturers to provide software &/or firmware updates for 1 year -- how generous of them. The idgits say it's because of national security, but limiting the ban to consumer grade devices actually shouts that that's a lie. Playing devil's advocate, let's say a router was compromised at some overseas factory. That could mean bad people could spy on you, and see what you were looking at and saying online. But they're overseas, and there's nothing that they could possibly do to you. And the idea that spying on you as an individual compromises national security is laughable. Now a business or government agency is an entirely different story, but they're exempt from the ban! The true purpose for this lunacy is revealed in the requirements to get government approval in the future... the demands include concrete plans to manufacture whatever routers in the US. Might sound good to the terminally simple minded, but the reason routers are not made here is that the supply chains & circuit board manufacturing expertise do not exist in the US. Many consumer routers are designed here by US-based companies, but no one can come up with an example I've seen/read of any company actually making them here.

IMHO there's a potential added effect... If a company thinks that their US sales are likely to plummet, why offer continuing support to customers in the US? Would that not be wasted expense? We might not see any router software/firmware updates in the US, no matter how urgently needed.