The FCC has updated its Covered List under the Secure and Trusted Communications Networks Act to include foreign-manufactured consumer routers — a move that directly impacts the networking gear sitting in millions of American homes and offices.
The Covered List is the FCC's national security blacklist. Equipment on it cannot be purchased with federal subsidies (Universal Service Fund dollars), and since 2021, the FCC can deny new equipment authorizations for listed items entirely. Previously, the list targeted telecom infrastructure gear from Huawei, ZTE, Hytera, Hikvision, and Dahua. This update extends coverage to the consumer router market for the first time.
The security rationale is straightforward. Chinese state-sponsored campaigns like Volt Typhoon and Salt Typhoon have repeatedly weaponized compromised consumer routers to target U.S. critical infrastructure. China's 2017 National Intelligence Law compels domestic companies to cooperate with state intelligence operations. The FCC's position: routers manufactured in countries with these legal frameworks are an unacceptable supply chain risk.
For developers and infrastructure teams, the practical implications break down into three tiers:
Immediate: Any organization spending federal dollars on networking equipment needs to audit its procurement pipeline. If you're running a federally-funded program, lab, or educational institution, routers from covered manufacturers are now ineligible for reimbursement.
Medium-term: If the FCC follows its established pattern, equipment authorization revocations could follow. That means affected routers couldn't legally be sold or imported into the U.S. — not just blocked from federal funding.
Long-term: This accelerates the bifurcation of the global networking supply chain. TP-Link alone holds roughly 65% of the U.S. consumer router market. A full ban would create enormous demand for alternatives from Netgear, Asus, and others — along with significant price pressure.
The HN discussion (394 points) reflects genuine practitioner concern. The technical community isn't debating whether compromised routers are a security risk — they obviously are. The debate is whether country-of-manufacture is a useful proxy for trustworthiness when firmware supply chains are already global, and whether this creates a false sense of security when the actual attack surface is unaudited firmware regardless of where the box was assembled.
That's a fair critique, but it misses the policy logic. The FCC isn't claiming a geographic ban eliminates all router vulnerabilities. It's asserting that manufacturers subject to compulsory intelligence cooperation laws represent a categorically different risk than manufacturers who aren't. That distinction holds.
What to do now: inventory your network hardware, check the updated Covered List at fcc.gov/supplychain/coveredlist, and if you're in a federally-funded environment, start planning procurement alternatives before the next budget cycle.
<a href="https://docs.fcc.gov/public/attachments/DOC-420034A1.pdf" rel="nofollow">https://docs.fcc.gov/public/attachments/DOC-420034A1.pdf</a><p><a hr
→ read on Hacker NewsThe FCC maintains a list of equipment and services (Covered List) that have been determined to “pose an unacceptable risk to the national security Recently, malicious state and non-state sponsored cyber attackers have increasingly leveraged the vulnerabilities in small and home office routers produc
Next they'll come for our OpenWRT-flashable equipment.I've already done everything the article says to do years ago, but what happens when this equipment dies? Can I get a replacement, and is it flashable? I currently use "routers" as access points because it's the cheapest
This part of the press release seems pretty crucial:> Producers of consumer-grade routers that receive Conditional Approval from DoW or DHS can continue to receive FCC equipment authorizations.In other words, foreign-made consumer routers are banned by default. But if you are a manufacturer, you
This is the same thing they did to drones. It's corruption. It doesn't even make sense from an extreme isolationist point of view, because there's no path to create domestic manufacturing.I'm guessing the rest of this looks like drones, too: FCC approval is given only to American
Top 10 dev stories every morning at 8am UTC. AI-curated. Retro terminal HTML email.
Seems like now is as good a time as any for people who know how to do this to build their own routers with Pfsense, Opnsense, ClearOS, or one of the many other firewall/router distros out there.You can get an old desktop or laptop that's more than good enough to be a router for basically n