US ban on Chinese routers leaves “millions” of insecure devices in American homes
Blocking sales of foreign-made routers will fail to secure vast numbers of older devices described as threat actors’ “attack vector of choice”.
The Federal Communications Commission has moved to block the authorisation and sale of foreign-made consumer internet routers, warning the devices pose “unacceptable risks” to US national security.
The agency has added the category to its Covered List, a step that will prevent new models from being certified for sale in the United States.
However, the move does little to address the millions of ageing routers already deployed in American homes and small offices - devices that security agencies say are routinely exploited by criminals and state-linked threat actors.
With hybrid work extending corporate perimeters into residential networks, a compromised home router can provide attackers a pathway into enterprise systems.
In a statement, the FCC said: "Malicious actors have exploited security gaps in foreign-made routers to attack American households, disrupt networks, enable espionage, and facilitate intellectual property theft.
"Foreign-made routers were also involved in the Volt, Flax, and Salt Typhoon cyberattacks targeting vital U.S. infrastructure."
The vulnerability of domestic routers
The ban follows a determination from a White House-convened interagency review body, which warned that compromised routers enable surveillance, data exfiltration, botnet attacks and unauthorized access to government or business networks.
It also stated that criminals and state-linked threat actors had spied on Americans in their own homes using hacked routers, citing research from the Cybersecurity and Infrastructure Security Agency (CISA), which labeled edge networking devices, including routers, as the "attack vector of choice" for threat actors.
In a September 2025 Cybersecurity Advisory, CISA said that Advanced Persistent Threat (APT) actors were "modifying router configurations for lateral movement, pivoting between networks and using virtualized containers on network devices to evade detection" to expose and target critical networks, including military infrastructure.
In Salt Typhoon attacks, state-sponsored actors leveraged compromised routers to gain access to telecom and critical infrastructure networks, embedding themselves for long-term covert surveillance or data access, often staying hidden for months or even years.
Chairman John Moolenaar of the Select Committee on China said: "Today’s tremendous decision by the FCC and the Trump Administration protects our country against China’s relentless cyberattacks and makes it clear that these devices should be excluded from our critical infrastructure.
"Routers are key to keeping us all connected and we cannot allow Chinese technology to be at the center of that. Additionally, I urge our national security agencies to keep shutting down the glaring vulnerabilities throughout the American IT supply chain, including Chinese-made cellular modules, networked sensors, industrial robots, and energy grid equipment."
A risk that still remains
However, the danger is far from over. Routers have a lifespan of about five years, meaning vast numbers are still out there in homes and even offices, waiting to be compromised.
Rik Ferguson, VP Security Intelligence at Forescout, said: "Adding 'foreign-made consumer-grade routers' to the FCC Covered List blocks new models from being imported for sale or use, but it doesn’t magically secure the millions of routers already deployed, many of which will stay in homes and small offices for years.
"That installed base matters because it’s where so many attackers already live, in exposed management interfaces, abusing weak or reused admin creds, and slow patching cycles, or EOL equipment that still works.
"These are still the day-to-day drivers of router compromise. Regular users don’t simply throw away a router that still works; many are understandably more worried about the consequences of disconnection to ever even think about logging in."
Forescout research found that routers are a "software supply-chain problem". After analysing OT and IoT router firmware, it found that OpenWrt-derived operating systems are "everywhere".
Four of five major firmware images were heavily modified in ways that make them more difficult to patch and monitor. On average, components were 5.5 years old, years behind current releases and packed with hundreds of known vulnerabilities, including critical flaws and exploitable kernel bugs.
"The point is that 'Made in' isn’t the same as 'secure' - and it's not even close," Ferguson added.
"For organisations, the home router is now part of the corporate attack surface. Hybrid work means a compromised consumer router can be used for interception, redirection, or as a platform for botnet/proxy activity.
"What consumers and organisations should be doing right now is simple: replace end-of-life routers, keep firmware current, disable internet-exposed management, turn off UPnP where you can, enforce unique admin credentials (and MFA where supported), and segment IoT away from work devices and router management, because that reduces exploitation risk regardless of who built the box."
Forescout also recently released a report which found that routers account for roughly a third of the most dangerous vulnerabilities in organisational networks, with these devices having an average of 32 vulnerabilities each in monitored networks.
Daniel dos Santos, Senior Director, Head of Research at Forescout, added: "Routers are the riskiest devices we see nowadays, both in enterprise and consumer environments. Threat actors have been exploiting consumer-grade routers to build botnets that are used to proxy attacks or launch distributed denial of service (DDoS) campaigns. What was usually a cybercriminal tactic is now widely employed by state actors against strategic targets. That includes Russia and China."