FCC Home Router FAQ: Questions Remain

The FCC has added home routers built outside the U.S. to its Covered List, effectively banning all new routers from the U.S. market. The stated rationale is that they post "an unacceptable risk to the national security of the United States and to the safety and security of U.S. persons.” It is undeniably true that there are problems with insecure connected devices in the home; they can and have been used as access points for bad actors for cyber-attacks, phishing scams, and botnets. Home routers and consumer IoT devices without secure passwords and updated firmware are particularly vulnerable even if past large-scale cyber-attacks like Salt Typhoon occurred on telecom gear, not in the home. The FCC's action led to lots of questions around what security vulnerabilities are being addressed and whether existing routers are being banned, so the FCC posted a FAQ today to try to add some clarity.

The FAQ does explain that all existing FCC-approved routers are fine to use, sell, and import. This should avoid consumer panic and a run on routers at retail. However, any new models will not get FCC approval unless they are granted a Conditional Approval exemption or are assembled in the U.S. This applies no matter where the routers are designed, so future routers from U.S. companies like Netgear, Google, and Amazon are included in the ban. New routers assembled in the U.S. can contain foreign components and get FCC approval but can't contain "certified modular transmitters." The allowance for foreign components is crucial for product development because it is not possible to build a consumer router based entirely on U.S. components; that part of the supply chain doesn't exist in the United States. Even Starlink, which assembles some of its routers in the U.S., sources some key components from Asia.

Developers building and testing products can also continue to import small numbers of uncertified products as before under FCC regulation 47 CFR § 2.1204(a)(3) provided that they are not marketed or sold.

Concerning Definitions

The FCC's definition of home router is any device designed for routing IP traffic for home use that can be user installed. Whatever the intention may be, that definition not only includes TP-Link mesh Wi-Fi systems, it also covers Charter Spectrum cable modems, Samsung smart refrigerators, Amazon Fire TVs, Honeywell Home thermostats, Dell laptops, and Apple iPhones. I don't expect the FCC to deny approval to the iPhone 18 on this basis, but it theoretically could. More likely it will slow down AT&T from deploying new 5G FWA service as it expands its SA network and wants to update its home routers with new chipsets unless exemptions are issued quickly and routinely.

Similarly, the definition of “certified modular transmitters” comes from FCC Rules 47 CFR § 15.212(a), which defines modular transmitters as “a completely self‑contained radiofrequency transmitter device that is typically incorporated into another product, host, or device.” In other words, any radio. This rule was intended to prevent Chinese companies on the Entity List or Covered List from selling chips to third parties or shell companies and having them enter the U.S. supply chain that way. The FCC presumably will allow Taiwanese-manufactured MediaTek Filogic chips into future T-Mobile FWA access points, or Qualcomm FastConnect chips into future Netgear Wi-Fi 8 routers, but these are undeniably modular transmitters, i.e., radios.

Questions Remain

The FAQ does not discuss how router assembly in the U.S. will improve security on a product category where software is a key vulnerability. This action does not fix vulnerabilities in existing routers or put in place design and service mandates around software updates. The FCC FAQ does explicitly note that router vendors are allowed to continue updating software on existing products, but this action does not require them to do so, set timelines for support updates, or mandate that they must notify users when updates have stopped.

Most components are part of supply chains that would take several years to move to the U.S. and while exemptions are possible, there is no grace period inherent in the Covered List. Therefore, any future routers built in the U.S. will merely be assembled in the U.S. using components. However, on its own, assembling components in the U.S. doesn't improve physical security as the FCC does not have any audit mechanisms to ensure that nothing is added during the production process.

An email address is listed for companies seeking exemptions. I expect that inbox to get plenty of submissions, although it is not clear what documentation the FCC is looking for, as there are no security guidelines provided, just a mandate that the location of manufacture be in the U.S. There are also no automatic exemptions for networking equipment provided by MSOs; most cable operators and wireless carriers have moved at least partly to a consumer-install option.

Industry Impact/Next Steps

The security concerns that the FCC has raised are real, and its actions have already generated a response from U.S. router companies touting their security bona fides – for example, Google noted that its Nest routers have TPM chips inside. (They are not manufactured in the U.S., though, so unless that changes, future routers are still Covered.) Even if the FCC reverses itself and removes home routers from the Covered List, this action should make it easier if Washington wants to pass targeted legislation with security mandates, software update guidelines, and compliance audit trails.

In the meantime, there are undoubtedly executives at Amazon, Google, TP-Link, wireless carriers, and cable companies sending exemption requests to the FCC email for products about to go into production; their supply chain analysts are looking into the logistics of setting up assembly shops in the U.S. and re-routing components from Asia to those shops for products farther out; and product managers are tallying the additional cost of parts shipping, U.S. factory construction, and U.S. labor and automation into their product planning decks.

Most consumer routers are provided by MSOs, so while future router prices will rise to cover the new shipping and manufacturing costs, the additional cost will be passed on through monthly fees not higher MSRPs. On the retail side, existing products will stay in market longer and marginal players will leave the U.S. market rather than incur additional costs, reducing competition.

For Techsponential clients, a report is a springboard to personalized discussions and strategic advice. To discuss the implications of this report on your business, product, or investment strategies, contact Techsponential at avi@techsponential.com.

* However, large-scale cyber-attacks like Salt Typhoon occurred on telecom gear, not in the home.