On March 23, 2026, the FCC updated its Covered List to include every consumer-grade router produced outside the United States. New models can’t get FCC equipment authorization, which means they can’t be imported or sold here. Existing models already on shelves aren’t affected, and manufacturers can apply for a “Conditional Approval” exemption through the Department of War (formerly Department of Defense) or the Department of Homeland Security.
The ruling names the Volt, Flax, and Salt Typhoon campaigns as direct justification. And that’s where this gets interesting for anyone working in network security.
What the FCC actually did
The National Security Determination, issued March 20, states that foreign-produced routers introduce “a supply chain vulnerability that could disrupt the U.S. economy, critical infrastructure, and national defense” and pose “a severe cybersecurity risk that could be leveraged to immediately and severely disrupt U.S. critical infrastructure and directly harm U.S. persons.”
The definition of “foreign-made” is broad. The FCC’s guidance says production “generally includes any major stage of the process through which the device is made, including manufacturing, assembly, design, and development.” That catches nearly every router on the market. According to reporting on the ruling, there isn’t a single consumer router currently manufactured entirely in the United States. Even US-headquartered companies like Netgear and Eero build their hardware overseas.
Companies can apply for exemptions, but the approval process runs through DoW and DHS, and there’s no published timeline for how long that takes.
The Typhoon campaigns made this inevitable
If you’ve been tracking Volt Typhoon and Salt Typhoon over the past two years, this ruling reads like a predictable conclusion to a slow-building crisis.
Volt Typhoon first surfaced publicly in May 2023 when Microsoft and the Five Eyes intelligence alliance disclosed a long-running campaign targeting US critical infrastructure. The group built a botnet from compromised small office and home office routers, primarily end-of-life Cisco and Netgear devices that no longer received security patches. They used these compromised routers as proxy infrastructure to mask their intrusions into energy, water, and communications systems. In some cases, they maintained undetected access for five years. The FBI disrupted the botnet in January 2024 by remotely wiping malware from hundreds of infected routers. By late 2024, security researchers confirmed Volt Typhoon had rebuilt its infrastructure and was actively compromising outdated Cisco RV320/325 routers again.
Salt Typhoon took a different approach but exploited the same weak point: network edge devices. Rather than building botnets, Salt Typhoon targeted the backbone of US broadband providers by exploiting known vulnerabilities in Cisco IOS XE and Ivanti Connect Secure products. The group infiltrated over 200 targets in more than 80 countries, but its focus on US telecommunications providers is what made headlines. Salt Typhoon compromised AT&T, Verizon, Lumen Technologies, and dozens of other ISPs. They didn’t just access the networks. They specifically targeted Lawful Intercept (CALEA) systems, meaning they gained access to the regulatory apparatus designed to facilitate government-authorized wiretapping. Once inside, they deployed tools inside Cisco Guest Shell containers, a legitimate Linux virtualization feature on modern Cisco routers, making their presence invisible to standard network auditing commands.
Flax Typhoon ran a massive IoT botnet that compromised at least 126,000 devices in the United States. The US government disrupted it in September 2024, but the campaign demonstrated how consumer-grade networking equipment serves as persistent infrastructure for state-sponsored operations.
The case for firmware verification
Here’s where I think the real conversation needs to happen.
Banning foreign-made routers addresses the supply chain concern at the hardware level. That’s a valid move. But the Typhoon campaigns didn’t succeed because routers were manufactured in China. They succeeded because firmware was vulnerable, patches were unavailable or unapplied, and nobody was verifying what was actually running on these devices after they shipped.
For years, cheap consumer electronics from overseas markets have shipped with questionable firmware. Hardcoded credentials, undocumented remote access capabilities, telemetry calling back to servers that shouldn’t be in the picture. Security researchers have been documenting these issues for over a decade. TP-Link, which holds roughly 65% of the US home and small business router market, has been the subject of federal investigations since 2024 over concerns about its ties to China. Texas sued the company in February 2026, alleging it facilitated hacks of consumer devices.
But the problem isn’t limited to one vendor or one country’s manufacturing base. The real gap is that there’s no mandatory firmware verification standard for consumer networking equipment sold in the US market. The FCC authorizes devices based on RF emissions and interference compliance, not on whether the software running on them is secure, auditable, or free of undocumented functionality.
What the US market needs is a firmware verification framework that requires:
Signed and verifiable firmware so consumers and enterprises can confirm that what’s running on a device matches what the manufacturer published. Software bill of materials (SBOM) requirements have been gaining traction in enterprise software. There’s no reason the same principle shouldn’t apply to the firmware on the device that connects every other device in your home or office to the internet.
Mandatory security update commitments with defined support windows. End-of-life routers were the backbone of Volt Typhoon’s botnet. Devices that can’t receive patches become permanent infrastructure for attackers. Manufacturers should be required to disclose a minimum security update period before a device can be authorized for the US market, and that information should be on the box.
Independent security auditing for devices in critical deployment categories. The conditional approval process the FCC just created could serve as the foundation for this, but it needs to go deeper than a manufacturer self-certifying that their device is safe. Third-party firmware audits, validated against published security baselines, would give the process teeth.
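As an added illustration (not code from the FCC, any vendor, or this article's author), here is a sketch of the check the first two requirements imply: compare the digest of the image read back from a device against the manufacturer's published digests, and flag devices past their disclosed support window. The model names, manifest layout, and images are constructed, and the manifest's own signature is assumed to have been verified before it is loaded.

```python
import hashlib
import hmac
from datetime import date

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample images, standing in for firmware read back from a device.
IMAGE_1_0_0 = b"constructed firmware image 1.0.0"
IMAGE_1_2_0 = b"constructed firmware image 1.2.0"
IMAGE_0_9_1 = b"constructed firmware image 0.9.1"

# Constructed manifest (hypothetical layout): published digests per release
# plus the disclosed end of security support for each model.
# Assumption: the manifest signature was already verified against the vendor key.
MANIFEST = {
    "EXAMPLE-R100": {
        "support_ends": date(2028, 6, 30),
        "latest": "1.2.0",
        "releases": {"1.0.0": sha256_hex(IMAGE_1_0_0),
                     "1.2.0": sha256_hex(IMAGE_1_2_0)},
    },
    "EXAMPLE-R50": {
        "support_ends": date(2022, 1, 31),
        "latest": "0.9.1",
        "releases": {"0.9.1": sha256_hex(IMAGE_0_9_1)},
    },
}

def audit_device(model: str, image: bytes, today: date, manifest=MANIFEST):
    """Return a list of findings for one device; an empty list means clean."""
    entry = manifest.get(model)
    if entry is None:
        return ["UNKNOWN_MODEL"]
    findings = []
    digest = sha256_hex(image)
    # Match the running image against every digest the vendor published.
    version = next((v for v, published in entry["releases"].items()
                    if hmac.compare_digest(published, digest)), None)
    if version is None:
        findings.append("UNPUBLISHED_IMAGE")   # modified or unknown firmware
    elif version != entry["latest"]:
        findings.append(f"OUTDATED:{version}")  # genuine image, patches missing
    if today > entry["support_ends"]:
        findings.append("END_OF_SUPPORT")       # no further patches will come
    return findings
```

A device can be running a genuine, latest image and still be flagged, which is the end-of-life case: the firmware verifies, but no further fixes will be published for it.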
The right direction, but not the finish line
The FCC’s ruling is a necessary step. Foreign-manufactured networking equipment has been a known risk vector for years, and the Typhoon campaigns removed any remaining ambiguity about whether state actors are actively exploiting that access. Tightening controls on what enters the US market makes sense.
But banning foreign hardware without establishing firmware security standards for domestic products creates a false sense of resolution. Salt Typhoon’s most impactful intrusions went through American-made Cisco equipment. The exploit wasn’t where the router was built. It was what the router was running, and whether anyone was checking.
The firmware verification conversation is the one that actually moves the needle on router security. The FCC just created an enforcement mechanism with the Covered List and conditional approval process. Now it needs to pair that mechanism with security requirements that address the software layer, not just the country of origin.
Until that happens, we’re solving half the problem.
