If You Buy a New Router, It Might ‘Turn Into a Pumpkin’ Next Year – CNET

Key takeaways:

• The Federal Communications Commission has banned the sale of new foreign-made routers in the US. The sweeping order applies to virtually every Wi-Fi router currently available in the US market.
• After speaking with four cybersecurity experts, my advice is to hold off on buying a new router if you can. 
• Under the current rules, banned routers will no longer receive essential security firmware and software updates after March 1, 2027. 
• The FCC’s action has effectively frozen the entire market while router companies scramble to gain approval. 
• More specific information on which router companies will be subject to the ban is expected to become clearer within the next month or two. 

In my eight years of writing and reviewing broadband and routers, I’ve rarely seen news that I would describe as unprecedented. The FCC’s recent decision to ban foreign-made routers is absolutely unprecedented.

The sweeping order applies to any router in which any stage of “manufacturing, assembly, design and development” occurs outside the US — in other words, just about any router you can buy right now. The FCC order says that foreign-made routers pose “unacceptable risks” to national security. The ironic side effect is: It could stop your current router from receiving vital security updates.

The ban doesn’t apply to routers that were already authorized by the FCC — that is, every router that’s currently for sale in the US — and will only impact new models that haven’t been approved yet. That means every router that was available before the order is still available today, and router companies can still restock them using their existing manufacturing processes. 

Essentially, the FCC is freezing the entire router market. As William Budington, a technologist for the digital rights nonprofit Electronic Frontier Foundation, put it to me, “This is using an extremely blunt instrument.”

Where previous FCC bans have been limited to specific companies, such as last year’s push to ban TP-Link routers, this one affects an entire industry. So where does that leave someone who needs a new Wi-Fi router? Should you buy a model you’ve had your eye on in case it sells out? Or is it better to wait and see which companies the FCC considers foreign-made?

Expert opinion: Is your current router still safe to use?

When I polled four cybersecurity experts, I was surprised to find that they were generally in favor of the FCC taking action to protect router security in theory, but critical of the execution. 

“It’s going to impact many harmless products in order to stem a real problem,” Budington said.  “It’s also not particularly well-targeted, since routers are only one part of the problem, along with IoT devices.”

The concern for national security risk 

The FCC says that routers produced abroad were “directly implicated” in the Volt, Flax and Salt Typhoon cyberattacks. These attacks aren’t necessarily targeting an average person’s data, but they can turn your router into a tool to be used in malicious attacks. 

“The individual user who owns the router probably doesn’t even know anything about it,” Butler said. “It’s happening in the background without their knowledge, and it’s not necessarily affecting them directly in any way that they can notice.” 

In the Salt Typhoon attack, hackers gained access to data from millions of people through their internet providers, aiming to gain access to information from court-authorized wiretaps. It was a particularly bold instance of a tried-and-true hacker approach called “spray and pray”: Find default login credentials and try them on as many connected devices as you can. 

“It can be only one router out of 5,000, but that one can be a bingo,” Sergey Shykevich, a threat intelligence manager at Check Point Research, told me about these types of attacks. “It’s mostly just easy. In many cases, you don’t have to be a very sophisticated actor, or even nation-state, in order to be successful.”

How you can secure your router right now 

It’s just as easy for hackers to gain access through a router’s default credentials as it is for you to change your own settings. Most routers have an app that lets you update your login credentials from there, but you can also type your router’s IP address into a URL. These are different from your Wi-Fi name and password, which should also be changed every six months or so. It’s also a good idea to keep your firmware updated, which you can do automatically in your router’s settings or by manually downloading updates in your router’s app or web portal.

When will we know more?

I wish I could point to another time when the FCC ordered a blanket ban on an entire category of consumer products, but nothing like this has happened before. Manufacturers can apply for “Conditional Approval,” and they are likely scrambling behind the scenes to make the cut. When I reached out to the FCC for more clarity on the order, I was referred to the commission’s “Covered List” FAQ page.

My best guess is that we’ll learn more specifics on which companies are banned in the next month or so — an estimate that was echoed by two industry observers I spoke with. But the wait could be even longer. Budington told me he thinks router companies might wait until the ban is lifted rather than hustle to try to move their entire supply chains to the US. 

No matter how it shakes out, we’ll likely look back on this as the most chaotic chapter of the router ban story. Unless you need a new router immediately, there’s a good chance you’ll be able to make a more informed decision a month from now.