FCC Says Foreign-Made Routers Can Get Updates Until 2029

The FCC has softened its ban on foreign-made consumer routers, allowing vendors to keep issuing broader software and firmware updates for devices already in use in the U.S. through at least January 2029. Dark Reading reports: Under the original FCC ruling, foreign manufacturers were permitted to provide only limited maintenance and security patches to US customers through March 2027. In a public note (PDF) on May 8, the FCC extended that deadline to at least January 2029 and also expanded the scope of permissible updates. The FCC will now allow foreign manufacturers to provide not just minor security fixes and changes, but also more major software and firmware updates that could affect router functionality, which previously required additional FCC review. The agency described the revisions as intended to ensure the continued safety of already deployed foreign-made consumer routers in the US. "The FCC likely issued this revision in response to the operational realities of network security and the slow pace of equipment replacement," says Jason Soroko, senior fellow at Sectigo. "Replacing millions of embedded devices across national infrastructure requires immense time and capital, and abandoning existing systems to a completely unpatched state would create an immediate vulnerability."

"This waiver significantly alleviates the most pressing fears tied to the initial ban by preventing a sudden and dangerous security vacuum," added Soroko.

Time

[Himmy32]

That leaves plenty of time to change their mind yet again when they realize that the people least likely to replace their 3+ year old router are also the people most likely to own a foreign router.

Throw in a a little corporate lobbying and a FCC leadership change after a presidential election, that'll be just about the right amount of time to pass the buck off to someone else.

Re:Time

[RitchCraft]

My fiber ISP places TP-Link routers in the home. Millions of routers installed by ISPs are going to need replaced too.

Re: Time

[drinkypoo]

Not after the bribes are paid.

Re:

[awwshit]

What to do with all of that Trump coin?

Re:

[Himmy32]

Apparently, buy US made routers. Just not the gold plated ones, those are still really foreign made and may not be delivered ever.

Re:

[awwshit]

Which American made routers are those? Which American made router should I recommend for my elderly mother?

Re:

[Himmy32]

Yeah, that's a big part of what I was trying to say though. People who don't replace their foreign ISP provided router now are still aren't likely to replace it in 3 years. Likewise ISPs are definitely going to lobby for a rule change because that's way more cost effective than having to foot the bill for all those replacements.

Re:

[RitchCraft]

Perhaps installing OpenWRT is the answer here? I just checked their table of hardware and see that in TP-Link's case almost 200 routers are supported.

Re:

[Himmy32]

Or just put your own kit in between and run the ISP gear in bridge / non-routing mode, then can run whatever your heart desires on your own gear. Whatever and whenever the ISP replaces their gear has minimal impact then.

Re:

[The-Ixian]

If you set your edge device up in a layer 2 bridging state, is it still a "router"?

I have always reconfigured my ISP provided equipment into this state so that my equipment can do the actual routing.

Re:

[WaffleMonster]

If you set your edge device up in a layer 2 bridging state, is it still a "router"?

I have always reconfigured my ISP provided equipment into this state so that my equipment can do the actual routing.

The FCC's asserted authority is contingent on certifications for the wireless radios. They can't do shit if there is no radio.

Re:

[Himmy32]

Yeah, but in that case the hardware device does have a radio, even though it's not being used. But pragmatically then what the ISP replaces it with (or doesn't) isn't really of consequence. The only real effect will be raising prices to pass along the cost of replacement to the consumer.

Re: Time

[frdmfghtr]

This will get kicked down the road again, just like RealID (so important to airline security after all) was kicked down the road 20+ years.

Re: Time

[smooth wombat]

RealID is so important to security, it can't be used to prove you are a U.S. citizen [reason.com]. So says DHS, the people administering the RealID program.

Re:

[leonbev]

Don't most people just use the router that their ISP provides them? This seems like this is more of a issue for the ISP's to resolve than an issue for your average consumer to resolve. They'll just buy the latest Netgear from Amazon, or from whatever other companies decided to pay the new FCC certification bribes.

Re:

[thegarbz]

Throw in a a little corporate lobbying and a FCC leadership change after a presidential election

I have a feeling this is the goal. Declare a policy that will take effect right after it is anticipated the next guy will reverse a policy. Pander to the current leadership while making sure this braindead fucking idea doesn't get off the ground.

Ban on updates?! And more distinctions without ...

[itsme1234]

... a difference. What's the fear here, that they might be using your router maliciously? They might introduce some payload to attack your internal network or something similar? Aren't these already illegal, like in federal pound-me-in-the-ass illegal (well, to the extent you can prosecute some foreign state-backed actors)?

What's this going to do, the ones doing the update already have a backdoor (or a front door if you wish). This is just potentially leaving other doors open.

Also, all this small and big an

maybe next time

[FudRucker]

Before banning foreign made products like routers have some domestic made routers ready to ship, but since the global economy had gutted most domestic manufacturing 50 years ago that's not a quick & easy solution, maybe next time consider the implications of gutting domestic manufacturing and financing foreign factories to do it all because some things are more valuable than a few extra dollars in walstreet's already fat bank accounts, like not having to depend on adversarial nations to manufacture for you using slave labor

Re:

[DarkOx]

well yeah; but lets look at where we are now. Nobody is make domestic routers because you CAN'T for structural reasons complete with foreign ones.

There are exactly two ways to make domestic router production happen.

1) Defense production act, go all command economy compel some company with domestic electronics manufacturing plant they are going to produce routers. Good luck because it isnt just you with a PCB layout kit, and you there with the injection molding machine, hop to it. It is also design the th

Re:maybe next time

[dfghjk]

Which one of these is the Ayn Rand laissez-faire capitalism choice? #3, right? Certainly can't be #1 or #2. Funny how free markets get abandoned the moment nationalism is the priority.

"While were at it, the public till can get raided to inject cash into some American chip makers so they can design but not actually make any chips..."

So #3 is also the communism choice?

"...do fuck all about supply chain risk and the national security and sovereignty implications..."

What are those, other than current administration talking points? Racism against the Chinese sure is complicated.

"...pretend we did not just sell out our grandchildren at the same time."

Like you did in the last election?

OpenWRT

[PPH]

n/t

Re:

[DrMrLordX]

The FCC should probably require open firmware. That would take out a lot of the hassle of securing network devices.

Re:

[ChunderDownunder]

c.f. the GNU Libre kernel that 'cripples' hardware relying on binary blobs with the intent that any training data ought to be supplied in human readable source code before being compiled into said binary firmware.

If we want to go all in tinfoil-hat, harmless initialization data or something nefarious? The idea that you're uploading undocumented bootstrap code into hardware registers to unlock secret modes or redirect your traffic to hostile actors...

Re:

[Local ID10T]

Security is not the goal. Control is the goal.

These agencies have only gotten worse

[MobyDisk]

20 years ago I thought these agencies were incompetent. Now I know that it was actually their peak. The FCC of prior administrations would document their goals, send out a notice for public comment, write a proposed rule set, hold a hearing, the make a rule. Now they make a rule, and everyone goes "That doesn't even make sense" then they switch it. It's not just the FCC: It's the DOJ, DHS, EPA, etc.

I don't ask FCC to "allow" me anything

[Sloppy]

My router's hardware [protectli.com]'s parts were made in China. Its software [opnsense.org] was made as a worldwide effort but the team seems to be officially based in the Netherlands. And I'm not asking my government's permission for updating either one. Trumptards and their micromanaging far-left centralized-economic-planners can go fuck themselves. Keep your damn dirty ape hands off my computers, comrade.

Re:

[DrMrLordX]

The FCC has been interfering with our ability to use communications gear for many many years. You'd think you'd be used to it by now.

Re:

[Himmy32]

You're unfortunately in the collateral damage zone of geopolitics, none of the rule making is going to take into account the small percentage enthusiast kit. This is a shot at the big consumer players like TP-Link, just like Huawei has been the perennial target starting years ago.

Curious

[ArchieBunker]

How the FCC is powerless to enforce net neutrality while at the same time enforcing bans under the guise of software security.

Re:

[drinkypoo]

How the FCC is powerless to enforce net neutrality while at the same time enforcing bans under the guise of software security.

The FCC isn't making these decisions. They are made by the DoD and the DHS, per the initial announcement.

This is batshit crazy

[WaffleMonster]

The FCC will now allow foreign manufacturers to provide not just minor security fixes and changes, but also more major software and firmware updates that could affect router functionality, which previously required additional FCC review.

The FCC has no authority to do any of this. The mechanism they were using to ban foreign routers is withholding FCC certification. If the device is already sold that horse has left the stable. The cited references are explicitly about the hardware (e.g. radio and radio firmware) not software changes.

"A new application for an equipment authorization shall be filed whenever there is a change in the design, circuitry or construction of an equipment or device for which an equipment authorization has been issued,"

"Changes to the software installed in a transmitter that do not affect the radio frequency emissions do not require any additional filings and may be made by parties other than the holder of the grant of certification."

Re:

[DrMrLordX]

Are you saying the FCC can't withdraw certification of a device at a later date?

Re:

[RitchCraft]

I found this little tidbit of information here: https://industrialcyber.co/cri... [industrialcyber.co]

"Currently, the FCC has the authority to revoke existing equipment authorizations under specific circumstances, but lacks a clear mechanism to rescind authorization solely because the vendor has been designated on the Covered List. This authority is limited to cases involving technical non-compliance, false statements or misrepresentation in the application, failure to meet technical requirements following subsequent testing or

Re:

[dfghjk]

I like how the discussion centers on what government organizations can do as if that's how the Trump executive branch works. Respect for the law has really sorted the tariffs out and stopped the war in Iran.

Re:

[WaffleMonster]

Are you saying the FCC can't withdraw certification of a device at a later date?

There needs to be an enabling authority to do so. I merely quoted relevant bits of legislation the FCC itself cited and neither impose any recertification requirements for software updates. The only nexus is software changes (e.g. radio firmware) that impact characteristics of the transmitter.

Re:

[ArchieBunker]

This sounds like your first encounter with the orange jesus administration. Allow me to educate you.

1) Stephen Miller whispers something into the fully healed orange leader's ear
2) Orange leader makes a decree
3) Loyalists praise dear leader and his wise words
4) Lackeys carry out dear leader's wishes regardless of legality
5) Courts intervene
6) Many appeals later the supreme court (6/3 ruling) rubber stamps orange leaders plans

How GENEROUS to allow

[Burdell]

something they have no authority to forbid!

There is absolutely no way the FCC (or any government agency) has legal power to block firmware updates on already-purchased hardware.

Re:

[PCM2]

Forget legal power ... HOW? What technical mechanism does the FCC have that can block firmware updates over the public internet? Are we proposing a China-style "Great Firewall" for U.S. consumers?

Re:How GENEROUS to allow

[lucifuge31337]

When has legality of actions stopped this administration in the past, specifically on creation of unpopular, protectionist (very communist market control) policies?

Re:

[dfghjk]

Never, since SCOTUS declared the president immune from the constitution and all other law. The OP's question is a good one, the only thing that prevents the Trump administration from doing anything is competence / ability to do it.

You can't update firmware unless you can get firmware. That's what alligator Alcatraz is for, anyone who imagines they can provide firmware. Threats is how they do it, just like how they do everything else.

Re:

[dfghjk]

Fortunate, then, that Trump is immune from law. What's this "legal power" stuff? Does ICE have the "legal power" to murder US citizens in the streets?

Re:

[ArchieBunker]

The one thing that ruffles their feathers is that dumb bitch who got shot in the neck on Jan 6th. That shooting would be clean if she was doing that in my home.

I watched her bleed out while draped in a Trump flag.

A ban made by idiots...

[guygo]

full of sound and fury, signifying nothing.
Wasted time and energy over stupid, misguided fears.

rogue patching

[awwshit]

How long until some grey-hat hacks all of these routers and updates them with OpenWRT?

Odd risk assessment

[Nkwe]

So foreign routers and related firmware is too risky to continue to allow for imports, but it's not too risky to allow the same risky sources continue to give us new firmware? Seems to me if a foreign entity wanted to screw us, now with be the time. It's like, those guys over in the US are going to cut us off, so we should use this last chance to send them backdoored firmware.