TL;DR
- The U.S. Federal Communications Commission (FCC) has banned all consumer routers manufactured outside the United States from future import, citing "unacceptable risk" to national security [1].
- Most consumer and small business routers — including those from TP-Link, the world's largest router vendor — are manufactured overseas, meaning this ban affects virtually the entire industry [1].
- The ban follows confirmed evidence that compromised foreign-made routers were used in the Salt Typhoon espionage campaign, password spraying attacks against Microsoft customers, and large-scale botnets targeting critical infrastructure [2] [3].
- Existing routers are not affected, but businesses should use this as a catalyst to audit their network equipment and strengthen their security posture.
What the FCC Ruling Actually Says
On March 20, 2026, the FCC issued a National Security Determination (NSD) banning the import of consumer routers produced outside the United States [1]. The ruling applies to new devices seeking FCC certification — existing routers already in homes and businesses can continue to be used.
Router man
Free Resource
Get the Free Cybersecurity Checklist
A practical, no-jargon security checklist for Australian businesses. Download free — no spam, unsubscribe anytime.
Send Me the Checklist →The scope is significant. According to TP-Link — a router company founded in China and now headquartered in California — "virtually all routers are made outside the United States, including those produced by U.S.-based companies like TP-Link, which manufactures its products in Vietnam" [1]. This means the ban affects not just Chinese manufacturers but the entire router industry's global supply chain.
Why Routers Became a National Security Concern
The FCC did not make this decision in a vacuum. The NSD explicitly references a pattern of state-sponsored cyberattacks that exploited compromised routers as their entry point.
The Salt Typhoon campaign. Chinese state-sponsored hackers used compromised foreign-manufactured routers to "jump to embed and gain long-term access to certain networks and pivot to others depending on their target," according to the FCC's determination [2]. Salt Typhoon targeted U.S. telecommunications infrastructure, and compromised routers served as the initial foothold.
Microsoft password spraying attacks. In October 2024, Microsoft disclosed that threat actor Storm-0940 used a botnet of compromised routers to conduct password spray attacks against Microsoft customers [3]. The compromised devices were predominantly foreign-manufactured consumer routers with known firmware vulnerabilities.
FBI botnet assessment. In September 2024, the FBI, Cyber National Mission Force, and National Security Agency jointly published a cybersecurity assessment confirming that foreign-made routers had been weaponised into botnets used for distributed denial-of-service attacks and other malicious activity [4].
The Cybersecurity and Infrastructure Security Agency (CISA) has called routers an "attack-vector of choice" for nation-state actors, specifically highlighting the threat in a September 2025 advisory about Chinese state-sponsored compromises of U.S. networks [5].
What This Means for Australian and Global Businesses
While the FCC ban applies directly to the U.S. market, the underlying security concerns are global. The Australian Signals Directorate (ASD) has issued similar warnings about compromised network equipment. In their 2024-2025 Annual Cyber Threat Report, the ASD specifically highlighted that "network devices remain a primary target for both state-sponsored actors and cybercriminal groups" and that "many organisations lack visibility into the firmware running on their perimeter devices" [6].
According to research from Cisco Talos, 70% of small business routers run firmware that is at least 12 months out of date, and 30% run firmware with known critical vulnerabilities [7]. For businesses with fewer than 50 employees, the router is often the single most important — and most neglected — security device on the network.
The business impact of a compromised router is substantial. According to IBM's 2025 Cost of a Data Breach Report, breaches originating from compromised network infrastructure averaged $4.66 million in total cost, with an average dwell time of 280 days before detection [8]. The extended dwell time reflects the difficulty of detecting compromise at the router level, where traditional endpoint security tools have no visibility.
ISO 27001 SMB Starter Pack — $97
Everything you need to start your ISO 27001 journey: gap assessment templates, policy frameworks, and implementation roadmap built for Australian SMBs.
Get the Starter Pack →Five Steps to Strengthen Your Network Security Today
1. Know what you are running. Log into every router in your network and document the manufacturer, model, firmware version, and last update date. Many businesses cannot answer these basic questions about their own infrastructure.
2. Update firmware immediately. Check the manufacturer's website for the latest firmware for every router in your environment. According to NIST's guidance on network device management, firmware updates should be treated with the same urgency as operating system patches [9].
3. Replace end-of-life equipment. If your router's manufacturer no longer provides security updates, it is an unpatched vulnerability sitting at the perimeter of your network. The average lifespan of a consumer router before it reaches end-of-support is approximately three to five years [7].
4. Enable automatic updates where available. Modern business-grade routers from vendors like Ubiquiti, Meraki, and Fortinet offer automatic firmware updates. Consumer-grade routers often require manual updates, which means they rarely get updated in practice.
5. Consider business-grade networking equipment. Consumer routers lack features that businesses need: automatic security updates, network segmentation, intrusion detection, and centralised management. The price difference between a consumer router and a business-grade access point has narrowed significantly — entry-level business solutions from vendors like Ubiquiti start under $200 AUD.
Related: The Ransomware Gap: AI Gives Attackers a 13-to-1 Advantage
The Bigger Picture: Infrastructure as a Security Foundation
The FCC router ban is part of a broader regulatory trend toward treating network infrastructure as a security priority. The European Union's Cyber Resilience Act, which took effect in late 2025, imposes mandatory cybersecurity requirements on all network-connected products sold in the EU, including routers [10]. Australia's own Security of Critical Infrastructure Act continues to expand its scope to cover more categories of network equipment and services [11].
For small and mid-sized businesses, the message is clear: the device that connects your business to the internet is a security-critical asset, not a commodity appliance. Treating your router with the same attention you give your locks, alarms, and insurance makes your business fundamentally more resilient.
Building strong network foundations is not about fear — it is about knowing that your infrastructure supports your business rather than undermining it.
FAQ
No. The ban applies only to future imports of consumer routers seeking FCC certification. If you already own a foreign-manufactured router, you can continue using it. However, this is a good time to check whether your router is still receiving firmware updates from the manufacturer.
The FCC ban applies directly to the U.S. market, but the security concerns it addresses are global. The same compromised router models used in the Salt Typhoon and Storm-0940 attacks are sold worldwide. Australian businesses should treat this as a signal to audit their own network equipment regardless of regulatory jurisdiction.
Virtually all consumer router brands manufacture outside the U.S., including TP-Link (Vietnam), Netgear (multiple countries), ASUS (Taiwan/China), and D-Link (multiple countries). The ban is technology-neutral — any router manufactured outside the U.S. requires an exemption. U.S.-designed but foreign-manufactured routers like those from Cisco and Ubiquiti will also need to navigate the exemption process [1].
Not necessarily. If your router is receiving regular firmware updates and you keep it updated, it remains safer than an outdated device. Focus first on ensuring your firmware is current and your router's administrative password has been changed from the default. Plan replacement for devices that are end-of-life or no longer receiving updates.
Start with what you have: update firmware, change default passwords, and disable remote administration features you do not use. When budgeting for replacement, business-grade access points from vendors like Ubiquiti (starting under $200 AUD) offer significant security advantages over consumer routers, including automatic updates and network segmentation capabilities.
References
[1] S. Smalley, "FCC bans foreign-made routers from US market over 'unacceptable risk'," The Record by Recorded Future, Mar. 25, 2026. [Online]. Available: https://therecord.media/fcc-routers-banned-security-china
[2] Federal Communications Commission, "National Security Determination — Routers," FCC, Mar. 20, 2026. [Online]. Available: https://www.fcc.gov/sites/default/files/NSD-Routers0326.pdf
[3] Microsoft Threat Intelligence, "Chinese threat actor Storm-0940 uses credentials from password spray attacks from a covert network," Microsoft Security Blog, Oct. 2024. [Online]. Available: https://www.microsoft.com/en-us/security/blog/2024/10/31/chinese-threat-actor-storm-0940-uses-credentials-from-password-spray-attacks-from-a-covert-network/
[4] FBI, CNMF, and NSA, "PRC-Linked Actors Botnet Assessment," Department of Defense, Sep. 2024. [Online]. Available: https://media.defense.gov/2024/Sep/18/2003547016/-1/-1/0/CSA-PRC-LINKED-ACTORS-BOTNET.PDF
[5] CISA, "Countering China State Actors' Compromise of Networks," CISA Advisory, Sep. 2025. [Online]. Available: https://www.cisa.gov/sites/default/files/2025-09/CSA_COUNTERING_CHINA_STATE_ACTORS_COMPROMISE_OF_NETWORKS.pdf
[6] Australian Signals Directorate, "Annual Cyber Threat Report 2024-2025," ASD, 2025. [Online]. Available: https://www.cyber.gov.au/about-us/reports-and-statistics/annual-cyber-threat-report
[7] Cisco Talos, "Small Business Router Security Report 2025," Cisco Talos Intelligence Group, 2025. [Online]. Available: https://blog.talosintelligence.com/small-business-router-security/
[8] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/data-breach
[9] NIST, "Guide to Enterprise Patch Management Planning," NIST SP 800-40 Rev 4, 2022. [Online]. Available: https://csrc.nist.gov/publications/detail/sp/800-40/rev-4/final
[10] European Commission, "Cyber Resilience Act," European Commission, 2025. [Online]. Available: https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act
[11] Australian Government, "Security of Critical Infrastructure Act 2018," Federal Register of Legislation, 2025. [Online]. Available: https://www.legislation.gov.au/Series/C2018A00029
Is your network equipment a security asset or a liability? Book a consultation with lilMONSTER to get a clear-eyed assessment of your network security posture and practical steps to strengthen it.
Work With Us
Ready to strengthen your security posture?
lilMONSTER assesses your risks, builds the tools, and stays with you after the engagement ends. No clipboard-and-leave consulting.
Book a Free Consultation →TL;DR
- The U.S. government just banned foreign-made routers from being sold in America because hackers were using them to break into networks [1].
- Almost all routers — even ones from American companies — are built overseas, so this affects the whole industry [1].
- Government hackers from China used compromised routers to spy on phone companies and attack Microsoft's customers [2] [3].
- Your current router is fine to keep, but now is the time to check whether it is up to date and secure.
What Is a Router and Why Does It Matter?
Your router is like the front door to your business's internet connection. Every email, every file, every video call, every payment — it all flows through that one small box sitting in the corner of your office.
If someone takes control of your router, they can see everything that passes through it. They can redirect your web traffic, steal passwords, or use your connection to attack other businesses — all without you knowing.
What Did the FCC Do?
The FCC — the U.S. agency that regulates communications technology — just said: no more foreign-made routers can be imported into America unless the manufacturer proves they are safe [1].
The reason is simple. Government investigators found that hackers — specifically groups working for the Chinese government — had been breaking into foreign-made routers and using them as secret tunnels to spy on American companies and government agencies [2].
Think of it like discovering that a popular brand of door locks had a hidden master key that burglars were using. The government decided to stop selling those locks until the problem is fixed.
How Were Hackers Using Routers?
Three major incidents pushed the FCC to act:
Spying on phone companies. A group called Salt Typhoon used compromised routers to break into U.S. telecommunications companies and listen in on calls and messages [2].
Attacking Microsoft customers. Another group called Storm-0940 built a network of thousands of hacked routers and used them to try millions of password combinations against Microsoft customers' accounts [3].
Building robot armies. The FBI found that foreign-made routers had been turned into "botnets" — networks of hijacked devices that attackers control remotely to overwhelm websites and services [4].
Does This Affect My Business?
If you are in the U.S., this ban affects what routers you can buy in the future. If you are in Australia or elsewhere, the ban itself does not apply — but the security risks absolutely do. The same routers with the same vulnerabilities are sold worldwide.
According to security researchers, 70% of small business routers are running outdated software with known security holes [5]. That is like leaving your front door unlocked every night and hoping nobody tries the handle.
The Australian Signals Directorate has specifically warned that network devices are "a primary target" for both government hackers and criminal groups [6].
What Should You Do Right Now?
1. Check your router's firmware. Log into your router (usually by typing 192.168.1.1 or 192.168.0.1 in your web browser) and look for a firmware update option. If an update is available, install it.
2. Change the default password. If you have never changed your router's admin password from the one it came with, do it today. This is the single most impactful thing you can do.
3. Find out how old your router is. If your router is more than five years old, it probably does not get security updates anymore. That means known vulnerabilities will never be fixed. Plan to replace it.
4. Ask your IT provider. If someone manages your IT, ask them: "When was the last time our router firmware was updated?" If they do not know, that is a problem.
The Simple Takeaway
Your router is the most important — and most ignored — security device in your business. Whether or not the FCC ban affects you directly, the underlying lesson applies everywhere: know what is connecting your business to the internet, keep it updated, and replace it when it is past its use-by date.
Strong foundations make for strong businesses. A $200 investment in a modern, automatically-updating router is one of the highest-value security improvements any small business can make.
FAQ
Yes. The ban only applies to new routers being imported into the U.S. for sale. Your existing router is not affected. However, check if it still receives firmware updates — if it does not, plan to replace it.
Almost all of them. TP-Link, Netgear, ASUS, D-Link — even American companies manufacture their routers overseas. The ban affects any router made outside the U.S. unless the manufacturer gets a special exemption [1].
Check three things: (1) Is the firmware up to date? (2) Have you changed the default admin password? (3) Is remote management turned off? If you can answer yes to all three, your router is in better shape than most.
A botnet is a network of hijacked devices — like routers, cameras, or computers — that a hacker controls remotely. They use these networks to overwhelm websites with traffic (DDoS attacks), try millions of stolen passwords (credential stuffing), or hide their real location when hacking other targets [4].
References
[1] S. Smalley, "FCC bans foreign-made routers from US market over 'unacceptable risk'," The Record by Recorded Future, Mar. 25, 2026. [Online]. Available: https://therecord.media/fcc-routers-banned-security-china
[2] Federal Communications Commission, "National Security Determination — Routers," FCC, Mar. 20, 2026. [Online]. Available: https://www.fcc.gov/sites/default/files/NSD-Routers0326.pdf
[3] Microsoft Threat Intelligence, "Chinese threat actor Storm-0940 uses credentials from password spray attacks from a covert network," Microsoft Security Blog, Oct. 2024. [Online]. Available: https://www.microsoft.com/en-us/security/blog/2024/10/31/chinese-threat-actor-storm-0940-uses-credentials-from-password-spray-attacks-from-a-covert-network/
[4] FBI, CNMF, and NSA, "PRC-Linked Actors Botnet Assessment," Department of Defense, Sep. 2024. [Online]. Available: https://media.defense.gov/2024/Sep/18/2003547016/-1/-1/0/CSA-PRC-LINKED-ACTORS-BOTNET.PDF
[5] Cisco Talos, "Small Business Router Security Report 2025," Cisco Talos Intelligence Group, 2025. [Online]. Available: https://blog.talosintelligence.com/small-business-router-security/
[6] Australian Signals Directorate, "Annual Cyber Threat Report 2024-2025," ASD, 2025. [Online]. Available: https://www.cyber.gov.au/about-us/reports-and-statistics/annual-cyber-threat-report
[7] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/data-breach
[8] NIST, "Guide to Enterprise Patch Management Planning," NIST SP 800-40 Rev 4, 2022. [Online]. Available: https://csrc.nist.gov/publications/detail/sp/800-40/rev-4/final
Not sure if your network is properly secured? Chat with lilMONSTER — we explain network security in plain English and help you build a stronger foundation for your business.
