FCC bans import of new consumer routers made overseas, citing security risks

The Federal Communications Commission has ordered a ban on the import of new consumer routers that are manufactured overseas, citing cybersecurity risks.

The order, published late Monday, said the import ban will “include all consumer-grade routers produced in foreign countries.” The FCC said the order does not affect imports or usage of existing routers, but new devices may be granted an exception if the Departments of Defense or Homeland Security approve.

The FCC claimed foreign-made routers “pose unacceptable risks” to U.S. national security, referring to a threat from China-backed hacking groups Volt, Salt and Flax Typhoon.

According to Reuters, China is said to command around 60% of the market for consumer routers, which connect homes and businesses to the internet.

The FCC said it was taking action because malicious hackers have exploited flaws in foreign-made routers to attack U.S. households, disrupt networks, and enable cybercrime and surveillance. 

Government-backed hackers and cybercriminals alike have long targeted routers because they allow access to home or business networks. Hackers can also hijack routers to pummel other companies or businesses with disruptive events designed to overload servers with junk network traffic, known as distributed denial-of-service attacks.

The FCC did not provide evidence to show that U.S.-made consumer routers are more secure than routers developed overseas. An FCC spokesperson did not immediately respond to a request for comment.

Salt Typhoon, a China-backed espionage group that has hacked into dozens of phone and internet companies across the world, including in the United States, has been known to exploit vulnerabilities in routers made by American networking giant Cisco. Flax Typhoon, another hacking group backed by China that U.S. authorities have accused of running a massive botnet of hijacked devices, targeted both U.S.-made and foreign-made routers to hack at least 126,000 devices in the United States, as well as thousands more around the world. 

FCC chairman Brendan Carr said in prepared remarks that the agency will “continue do [sic] our part in making sure that U.S. cyberspace, critical infrastructure, and supply chains are safe and secure.”

Despite the raft of Chinese hacks targeting U.S. businesses and government agencies, Carr was among the two FCC commissioners who voted in November to scrap cybersecurity rules that required telecom operators to secure their lawful intercept systems from unauthorized intrusions.