In March, the Federal Communications Commission (FCC) updated its Covered List, adding “consumer-grade routers produced in foreign countries.” As approximately 60% of the market is produced in China, the FCC issued a waiver for software and firmware updates to be made by March 1, 2027.
Last week, the FCC’s Office of Engineering and Technology (OET) announced that the waivers of certain prohibitions in 47 CFR §§ 2.932(b) and 2.1043(b), issued in the January and March Public Notices, would be extended at least until January 1, 2029. The move was made to soften the ban on new, non-compliant foreign-made router imports, and reverses the earlier restrictions that would have blocked updates after 2027 for devices placed on the FCC’s “Covered List” over national security concerns.
The FCC said that preventing software updates could unintentionally create cybersecurity risks by leaving millions of existing devices vulnerable to unpatched flaws, compatibility issues, and operational failures. However, the waiver applies only to products previously authorized before the restrictions took effect and does not remove the affected devices from the Covered List or permit new foreign-made router models to enter the U.S. market.
Security experts have warned that abruptly ending firmware support for already-deployed devices would create additional attack opportunities by leaving consumers and businesses with unsupported networking equipment.
“I strongly support the FCC’s decision to allow firmware and software updates for already-authorized routers, including covered devices already deployed in the United States. This is the right cybersecurity outcome,” said Matt Wyckhouse, founder & CEO of cybersecurity provider Finite State.
Wyckhouse wrote in an email to ClearanceJobs that the biggest practical security risk with routers is not only who made them, but whether they remain patched.
“Routers sit at the edge of homes, businesses, and critical networks,” Wyckhouse continued. “When they stop receiving updates, known vulnerabilities remain exposed, attackers gain durable footholds, and consumers are left with equipment they cannot realistically secure on their own.”
Ensuring No Zombie Devices
The waiver update will also ensure that the devices remain reasonably secure in the short term and beyond, but only if they are patched accordingly.
“Manufacturers have zero incentive to write security patches for devices they can’t keep selling,” Josh Marpet, senior product security consultant at Finite State, also told ClearanceJobs. “Keeping the market alive, as this adjustment is doing, is the only way to keep U.S. citizens safe for longer. Simple as that.”
This will also give consumers and enterprises time to address the issue, time they should use to formulate a strategy for replacing the devices.
John Carberry, solution sleuth at cybersecurity provider Xcape, Inc., told ClearanceJobs this is important as it will ensure the devices remain patched.
“The FCC’s pivot from a hard 2027 cutoff to a January 2029 extension is a concession to the ‘zombie device’ reality: an unpatchable router is more dangerous to national security than a banned one that can still receive security updates,” Carberry explained. “By allowing Class I and Class II permissive changes for an additional two years, the FCC is preventing a scenario where millions of already-deployed edge devices become permanent, unfixable entry points for state-sponsored actors like Volt Typhoon.”
Carberry also noted that this is a “reprieve, not a policy reversal.” It is important to note that the extension only applies to hardware authorized before the 2025/2026 restrictions took effect. It will also mean that January 1, 2028, is a definitive “end-of-life” for legacy, foreign-made routers. That should provide time for a more phased procurement policy with trusted vendors. That doesn’t mean putting off something to the last minute or hoping for a further extension.
It isn’t a time to let the guard down, either. The waiver applies to “covered” consumer-grade small office/home office (SOHO) routers that are already authorized or are in the market. The network may be secure, but caution should be exercised, especially when sending sensitive information.
“While waiting for replacement cycles, treat these devices as untrusted. Ensure they are isolated in restricted network segments and that administrative interfaces are never exposed to the public Internet,” suggested Carberry. “Managing security debt is a marathon, but the FCC just gave you two more years of oxygen; don’t waste them waiting for a 2031 extension that probably isn’t coming.”
No Easy Solution
The FCC’s decision to extend the update waivers wasn’t easy, but it shows the complicated nature of how some security decisions are made. The FCC likely understood that many users would ignore the warnings and continue to use the devices. Allowing for updates and patches will give users more time to replace legacy hardware.
“Blocking firmware and software updates for devices already deployed across homes and businesses could have created a much bigger problem by leaving millions of systems exposed to unpatched vulnerabilities,” warned Phil Wylie, senior consultant and evangelist at Suzu Labs.
“Threat actors actively target outdated and unsupported infrastructure because it is easier to exploit and often overlooked by defenders,” Wylie told ClearanceJobs. “While concerns around foreign-made technology and supply chain risk remain valid, this situation highlights the importance of balancing long-term security policy with operational reality. Unsupported technology does not become safer once updates stop. In many cases, it becomes a more attractive target.”
Finally, this waiver does not weaken the broader national security objective, which is to remove foreign-made technology from end use. It will result in a gradual removal of Chinese and other routers.
“It does not remove covered devices from the Covered List, and it does not permit new foreign-made router models to enter the U.S. market. It simply preserves the ability to fix software and firmware in products that are already deployed,” added Wyckhouse. “That distinction matters. Restrict risky new equipment from entering the market, but do not strand existing devices without patches.”



