Prospective router customers just got a little more breathing room, as the Federal Communications Commission will allow foreign-made routers to continue receiving software and firmware updates until at least Jan. 1, 2029, according to an extension announced on May 8.
When the FCC announced its sweeping ban of foreign-made Wi-Fi routers on March 23, it said companies could continue issuing security patches only to previously approved models until March 1, 2027. As nearly every router available in the US is considered “foreign-made” by the FCC’s standards, this left US customers facing the prospect of buying a new router only to find out it could become outdated within a year.
“A large percentage of networking routers are not produced in the United States. Therefore, a lot of those are going to turn into pumpkins in a year, unless they extend this waiver,” Alan Butler, senior counsel at the Electronic Privacy Information Center, told me at the time.
Less than two months later, we’ve already seen some significant backpedaling from the FCC’s initial blanket ban. Along with the deadline for software updates being extended by two years, two notable router companies, Netgear and Eero, have been granted exemptions from the FCC’s ban altogether — moves that came with mandatory timelines for onshoring their manufacturing processes.
“There is no domestic supply chain for a final product right now,” says Kevin O’Hanlon, a vice president at the industry trade group Global Electronics Association. “This extension is a little bit of a relief, but at the same time, it doesn’t change the fundamental timeline that the industry is working under to get technology to the market. There’s just not a lot we can do to speed that up.”
The FCC’s move to ban an entire category of consumer products was absolutely unprecedented, but it wasn’t necessarily unprovoked. The commission said that routers produced abroad were “directly implicated” in the Volt, Flax and Salt Typhoon cyberattacks over the past several years, and the cybersecurity experts I spoke with said routers have become an increasingly attractive point of entry for hackers.
“The router sits in such a privileged position within any network, but particularly in the home network. All of your communication, all of your traffic, has to pass through that device,” says Rik Ferguson, vice president of security intelligence at cybersecurity company Forescout.
But without the ability to receive security updates that address vulnerabilities exploited in cyberattacks, most routers would have become less safe to use after the ban, not more. Last month, the FBI took the unusual step of remotely resetting out-of-date routers that had stopped receiving software updates.
The FCC’s notice of the extension says that it “will, as soon as practicable, recommend to the full commission considering codifying this waiver through a rulemaking.”
That means the waiver would become permanent, allowing foreign-made routers to continue receiving updates indefinitely. Before that happens, it would have to go through the FCC’s rulemaking process, which would involve a public comment period on the proposed changes.
Here’s why I’d still hold off on buying a new router for now
When the FCC’s ban was first announced two months ago, I recommended holding off on buying a new router until we learned more. The risk of buying a new router that wouldn’t be able to receive new updates a year later was simply too high.
This extension shifts that calculus, but not enough for me to change my advice. In a worst-case scenario, you could still spend hundreds of dollars on a router today that could stop receiving vital security fixes two and a half years from now.
“The risk is very real,” Ferguson said. “If you find yourself in a situation where that update pipeline has been switched off, then you definitely have to consider whether you want to keep using that device.”
Everyone has a different cybersecurity risk tolerance. Hardliners would say that you shouldn’t spend a day using a router that can’t get security patches, but the reality is that most people don’t update their firmware regularly as it is. Still, routers are a significant enough investment that I think it’s worth exercising some patience here if you can.
And we’ve already seen significant amendments to the FCC’s initial ban. Eero and Netgear have both been granted exemptions, and the deadline for security updates could possibly be extended indefinitely.
Unless you have your heart set on a router from Eero or Netgear — and they are some of the best routers we’ve tested — you’ll almost certainly have better information to help you make your decision two months from now.
How to keep your router safe in the meantime
Keeping your home network secure is relatively simple, but a lot of us fail to follow some basic cybersecurity best practices when it comes to our Wi-Fi routers.
Here are some of the most effective steps you can take to protect yourself, whether you’re in the market for a new router or not:
- Keep your firmware up to date: You’re probably sick of hearing about firmware updates by now, but they are the most essential tool for keeping your router secure that we have. You can make sure your router has the latest firmware by enabling automatic updates in your router’s settings or by manually downloading updates in the app or web portal.
- Strengthen your credentials: The most common way that hackers gain access to your router is by using default login credentials provided by the manufacturer. “There’s a whole underground economy of vendors who basically just harvest credentials,” says Ferguson. This is different than your Wi-Fi network’s name and password; it’s the factory-set credentials that typically appear on the bottom of your router. Most brands have an app that lets you update your login credentials from there, but you can also type your router’s IP address into a URL. As always, the longer and more random your password, the better.
- Consider using a VPN: A virtual private network provides an extra layer of security by encrypting all your internet traffic and preventing your internet provider (or anyone else) from seeing the websites or apps you use. You can find CNET’s picks for the best VPN services here.
