The Federal Communications Commission has banned all consumer routers produced outside of the U.S. from being imported unless their manufacturers obtain an exemption due to what the agency called an “unacceptable risk to the national security of the United States and to the safety and security of U.S. persons.”

Most routers used by American consumers are manufactured outside of the U.S. so the ban could have a significant impact. The new rule follows a similar FCC ban on foreign-made drones that was issued in December.

The ban applies only to future imports, meaning that Americans who already own foreign-made devices can keep using products they already have in their homes. 

To be exempt from the ban, router companies will have to receive a “specific determination” from the Department of Homeland Security or Department of War saying their products do not pose security risks. 

In a statement, a spokesperson for TP-Link — a router company founded in China that is now headquartered in California — said “virtually all routers are made outside the United States, including those produced by U.S.-based companies like TP-Link, which manufactures its products in Vietnam.” 

“It appears that the entire router industry will be impacted by the FCC’s announcement concerning new devices not previously authorized by the FCC,” they said.

The interagency committee proposing the ban found that American consumers’ reliance on foreign-made routers introduces supply chain vulnerabilities that could threaten the U.S. economy, critical infrastructure and defense posture while also creating “severe cybersecurity risk,” the FCC said in a National Security Determination (NSD) on March 20.

Compromised routers can facilitate network surveillance, data exfiltration, botnet attacks, and unauthorized network access, the FCC said.

“Unsecure and foreign-produced routers are prime targets for attackers and have been used in multiple recent cyberattacks to enable hackers to gain access to networks and use them as launching pads to compromise critical infrastructure,” the NSD said. They “are enabling hackers to create massive networks that can be leveraged to carry out password spraying, unauthorized network access, and act as proxies for espionage.”

State-sponsored hackers behind the Salt Typhoon attacks used compromised foreign-manufactured routers to “jump to embed and gain long term access to certain networks and pivot to others depending on their target,” the NSD said.

The Cybersecurity and Infrastructure Security Agency also has called routers an “attack-vector of choice,” the NSD said, citing a September 2025 agency advisory that detailed the threat.

In September 2024, the FBI, Cyber National Mission Force and National Security Agency published a joint cybersecurity assessment that said hackers have used foreign-made routers to create botnets used for malicious activity, including distributed denial-of-service attacks. 

The FCC also pointed to an October 2024 announcement from Microsoft that the company had found that compromised, foreign-produced routers were used to mount password spray attacks against its customers.

In February, Texas sued TP-Link Systems for allegedly facilitating hacks of consumers’ devices by the Chinese Communist Party even as it marketed itself as having strong security and privacy protections.

“TP-Link is confident in the security of our supply chain and we welcome this evaluation of the entire industry,” the company said in response to the FCC notice.

American-made routers have also proven vulnerable to hacks. In January 2024, the Department of Justice said that Cisco and NetGear routers that were no longer supported with security patches and other software updates were used by the Volt Typhoon hackers.