(Credit: Joseph Maldonado/PCMag)
Last week’s sweeping FCC order banning foreign-made Wi-Fi routers has, rather ironically, placed an expiration date on the security of your home internet.
The commission insists the ban doesn’t affect consumer Wi-Fi routers that are currently on sale or in your home, only future products. However, as it stands, everyone’s foreign-made routers can only receive software updates until March 1, 2027.
The Technology Policy Institute, a US think tank, flagged the issue on Friday, writing: “The ban creates the very vulnerability it claims to address.”
Meanwhile, CNET points out that it’s hard to even recommend a Wi-Fi router model since we don’t know which products will be able to receive updates in the future.
Despite the current uncertainty, legal experts expect the FCC to clarify the issue over time. The looming question is whether the Trump administration will grant selective leniency to certain vendors while letting the software patch support expire for others.
(Photo by Justin Sullivan/Getty Images)Ensuring your Wi-Fi router receives software updates is crucial to patching vulnerabilities, especially since the router ban is all about stopping hackers from abusing flaws in today’s home networking gear. Most, if not all, routers are manufactured in countries such as China, Taiwan, Vietnam, and India. Or, at the very least, feature foreign-made components. But the Trump administration is pushing for all future routers to be made in the US, viewing it as a way to stop foreign-made routers from introducing “supply chain vulnerabilities.”
Although software updates are generally a good thing, some critics have flagged the update path as a way for a Chinese company to continue receiving data from US networks as the FCC continues to remove Huawei and ZTE telecommunications equipment.
In the short term, the FCC issued a waiver allowing software updates to continue flowing to existing Wi-Fi routers already sold and used in the US. Loyaan Egal, a former FCC enforcement official who now works at the law firm Morgan Lewis, told PCMag: “This exception acknowledges the practical challenges associated with completely shifting the global manufacturing and supply chain operations companies have relied on to one that requires a US domestic manufacturing and supply chain focus.”
The only catch? The waiver only lasts for the next 11 months. The FCC didn’t respond to a request for comment. But Egal said: “The FCC believes that a one-year period will provide companies and consumers with time to adjust, as well as provide it with an opportunity to consider how this limited waiver impacts the Covered List update.”
(Photo by Kevin Dietsch/Getty Images)There are also signs the commission is preparing to hammer out an exact policy. In the waiver document, the FCC explains that in December, it adopted new rules meant to protect the US telecom supply chain. These rules technically bar minor software changes to foreign-made consumer routers due to last week’s ban. The FCC is now calling for a delay to “give the commission an opportunity to consider the application” of the new rules to the banned routers.
In January, the FCC also issued a time-limited waiver on software updates for foreign-made drones, which it began restricting last year. Like routers, the FCC is letting vendors roll out software updates for the legally permitted drones, but “at least until January 1, 2027”—or two months ahead of the router-related deadline.
The commission also notes that in both cases, the FCC’s Office of Engineering and Technology can “re-evaluate” whether to extend the waivers even longer.
“As explained in the waiver, we expect the FCC to evaluate whether to allow software and firmware updates beyond March 1, 2027,” added Henry Wendel, a special counsel at the law firm Cooley. “Many consumers will purchase new routers this year and will need updates to address new security vulnerabilities.”
The 11-month period also gives the US time to decide which router manufacturers will be permitted to sell in the country. As part of the ban, the FCC created a “Conditional Approval" process that can give out temporary exemptions to new foreign-made routers looking to be sold in the US, but under the implicit pretext that they outline how they plan to bring their manufacturing to the US. It’ll be up to the Department of Defense and Department of Homeland Security to decide which applications receive the green light.
“If companies need the FCC to extend the waiver for their products, they should work with the FCC to help it understand extending the waiver will help protect their customers,” Wendel says.
A communications lawyer also told PCMag that he expects the US to grant exemptions for various new router models that apply, which the Commission has already done in the case of the FCC’s ban on foreign-made drones. For now, only four drone models have been granted conditional approval, and none of them are from China’s popular drone maker DJI.
A similar situation could play out with foreign-made routers, where exemptions are granted for some but not for Chinese-affiliated brands, potentially triggering lawsuits challenging the FCC.
Still, the communications lawyer predicts the FCC will extend the software update waivers to prevent US consumers from being caught in the regulatory crossfire. “If somebody, for example, buys a router this fall that was previously approved, then getting all the software updates by March 1 might not be sufficient. My suspicion is that (FCC) staff will grant relatively short waivers to allow for these security updates because failing to do so would be counterproductive to the overall intent of the ban itself,” he said.