Your router is about to become a collector’s item.
In March 2026, the FCC issued a landmark National Security Determination declaring that all foreign-manufactured consumer routers present “unacceptable risks to Americans.” No more approvals for new devices built overseas. No grandfather clause for companies that merely design in the US. If the hardware is assembled abroad, it’s out.
The headline made waves. But the real story isn’t the ban itself — it’s what forced the FCC’s hand. Three Chinese state-sponsored hacking operations, known as Volt Typhoon, Flax Typhoon, and Salt Typhoon, spent years quietly burrowing into American networks. When the full picture emerged, regulators decided they’d seen enough.
Here’s everything you need to know.
The FCC’s Sweeping March 2026 Router Ban
The FCC’s National Security Determination on Routers — issued March 2026 — is unusually blunt for a regulatory document. The agency concluded that routers manufactured in foreign countries (with China front and center) create systemic vulnerabilities in American home and small-business networks that simply cannot be mitigated through software updates or monitoring alone.
The practical impact is broader than most people realize. Yes, TP-Link is the obvious target — the Chinese company that quietly became the best-selling router brand in the US. But the ban catches brands you’d consider American:
- NETGEAR manufactures in Asia
- Amazon Eero — assembled overseas
- Google Nest WiFi — manufactured in China
- Linksys, ASUS, D-Link — all affected
Under the new rules, these companies cannot receive FCC approval for new router models unless they qualify for an exemption. Getting an exemption requires a conditional approval from the Department of Commerce or the Department of Homeland Security, plus a credible plan to shift manufacturing to US soil.
That’s a high bar. The US consumer router market will look very different in 18 months.
The full FCC order (DA-26-278A1) details exactly how the determination was made — and the intelligence cited reads like a greatest-hits of Chinese cyber espionage.
What About Your Existing Router?
Your current router isn’t being confiscated. The FCC’s authority covers device authorization — what can be sold new in the US market going forward. If you have a TP-Link router today, it keeps working. If your NETGEAR lease comes up, your ISP may struggle to replace it with an approved foreign-made unit. New retail purchases of foreign-manufactured routers will dry up as existing inventory sells through and new approvals stop.
The Three Typhoons: How China Owned American Networks
The FCC didn’t wake up one morning and decide to get tough. Three overlapping Chinese intelligence operations, each linked to state-sponsored threat actors, drove this decision. Understanding them separately helps you see why the ban landed where it did.
Volt Typhoon: The Ghost in the Machine
Volt Typhoon became the Chinese hack that Washington talks about most, and for good reason. First exposed in 2023 but active for at least five years prior, Volt Typhoon specialized in what security researchers call “living off the land” — a technique so elegant it’s almost admirable, if it weren’t targeting critical infrastructure.
Living off the land means the attackers don’t bring malware. They use tools already present on the compromised system: Windows Management Instrumentation, PowerShell, built-in network utilities. No suspicious binaries to flag antivirus software. No command-and-control traffic that looks obviously malicious. To a defender watching logs, Volt Typhoon looks like routine administrative activity.
The targets weren’t random. Volt Typhoon systematically worked its way into US critical infrastructure — power grids, water systems, communications networks, transportation hubs. The goal, according to US intelligence assessments, wasn’t immediate disruption. It was pre-positioning: establishing persistent access in systems that could be activated to disrupt American operations in the event of a conflict over Taiwan or another flashpoint.
Routers were a key entry point. Home and small-office routers with weak credentials, unpatched firmware, and open management interfaces gave Volt Typhoon a foothold outside corporate security perimeters — perfect launching pads for lateral movement into operational technology networks.
Flax Typhoon: The IoT Botnet Nobody Noticed
If Volt Typhoon was surgical, Flax Typhoon was industrial. This group built one of the largest IoT botnets ever documented, sweeping up an estimated 260,000+ devices at its peak: home routers, IP cameras, digital video recorders, network-attached storage boxes.
The numbers are staggering — and roughly half of the compromised devices were located inside the United States.
Flax Typhoon’s targets weren’t random homeowners. The group specifically used this infrastructure to attack:
- Corporations across multiple sectors
- Universities and research institutions (particularly those with defense-relevant research)
- Media organizations
- Government agencies at federal, state, and local levels
The botnet provided anonymization: attacks routed through a device in a Minnesota suburb look, at first glance, like domestic traffic. By the time forensics caught up, Flax Typhoon had already pivoted.
The devices recruited into this botnet weren’t exotic enterprise hardware. They were the same TP-Link routers, Hikvision cameras, and Synology NAS boxes sitting in millions of American homes and small offices. Many owners never knew.
Salt Typhoon: The Telecom Breach That Shocked Washington
Salt Typhoon is the one that changed the political calculus. This operation didn’t go after infrastructure or random IoT devices — it went straight for US telecommunications carriers.
The breach was extensive. Salt Typhoon compromised the internal networks of at least eight major US telecom companies, including some of the largest names in American communications. What they accessed:
- Customer call metadata at massive scale — who called whom, when, for how long
- Unencrypted voice calls and SMS messages for targeted individuals
- Court-authorized law enforcement surveillance systems — the “lawful intercept” infrastructure that US carriers maintain to comply with CALEA (the Communications Assistance for Law Enforcement Act)
That last item is what made the intelligence community go pale. The systems Salt Typhoon compromised were the same systems used for court-ordered wiretaps. China didn’t just intercept communications — it accessed the list of who the US government was surveilling, effectively turning America’s own surveillance infrastructure into a Chinese intelligence asset.
The political dimension intensified the response. Salt Typhoon’s targeting reportedly included communications involving US presidential campaign officials and potentially candidate communications during the 2024 election cycle. Unencrypted calls and texts — the kind most people make every day — were accessible.
The FCC’s router ban won’t fix the Salt Typhoon breach. But it’s part of a broader reckoning with the supply chain risks that made all three operations possible.
Why Routers Specifically?
A reasonable question: if Chinese hackers are compromising telecom carriers and power grids, why focus on consumer routers?
Several reasons:
Access without attribution. A router in a home network is outside most enterprise security monitoring. Compromising it gives attackers a persistent presence in American networks that’s genuinely difficult to detect and trace back.
Scale. There are hundreds of millions of internet-connected devices in American homes. Routers are the hub everything passes through. Compromise the router, and you potentially see every unencrypted byte flowing through that household or small office.
Firmware control. A router running attacker-supplied firmware can intercept traffic, redirect DNS queries, create persistent backdoors, and survive factory resets if the attack is sophisticated enough. There are documented cases of router firmware with undisclosed remote-access capabilities — and with foreign-manufactured hardware, the FCC has no practical ability to audit the full firmware supply chain.
Supply chain opacity. When a router is designed in California but manufactured in Shenzhen, the path from silicon to shelf passes through supply chains that American regulators simply cannot fully inspect. The FCC’s determination essentially acknowledges this: the risk isn’t primarily about a single company’s intentions, it’s about the structural vulnerability of hardware made in adversarial territory.
What This Means For Home IoT Users Right Now
The immediate picture
Your existing router continues to work. The FCC ban is forward-looking — it affects new device authorizations, not devices already in homes. But here’s what changes:
-
New foreign-manufactured router models won’t get FCC approval, meaning they can’t legally be sold in the US. Existing inventory will sell through; after that, foreign-branded options disappear from shelves.
-
ISPs face the same constraint. Your cable company or fiber provider can’t order new batches of a foreign-made gateway device once their current supply runs out. Expect ISPs to accelerate their own supply chain shifts — and potentially push rental/lease model transitions.
-
US-made alternatives are nascent. The honest answer is that a robust American consumer router manufacturing ecosystem doesn’t exist yet. Building it will take 12-24 months minimum. There will be a supply gap.
-
Premium pricing is coming. US-manufactured routers will cost more — meaningfully more. The $49 TP-Link era is probably over.
What to actually do
Don’t panic-buy a new router. Your current device still works and the sky isn’t falling. A rush to replace working hardware benefits nobody except retail margins.
Do update your firmware. Whatever you have, make sure it’s running the latest firmware. Most Volt and Flax Typhoon entry points exploited known, patchable vulnerabilities on devices running outdated software.
Check your admin interface. Log into your router right now and confirm: remote management is disabled (it should be off by default, but verify), the default admin password has been changed, and UPnP is off unless you specifically need it.
Segment your IoT devices. If your router supports a guest network or VLAN, put smart home devices — cameras, thermostats, smart locks — on a separate network from your computers and phones. If Flax Typhoon compromises your camera, it shouldn’t automatically get access to your laptop.
Watch for US-manufactured options. Companies like Netgate (pfSense hardware), some Ubiquiti lines, and emerging US-focused brands will be positioning themselves aggressively in 2026-2027. Wait for the reviews before buying.
Consider your ISP-provided equipment. If your ISP provides your gateway device, ask what their plan is for compliance with the FCC determination. This is a legitimate question and any decent ISP should have an answer.
The Bigger Picture
The FCC’s router ban is a significant policy move, but it’s one piece of a larger reckoning with how much of America’s digital infrastructure runs on hardware built in countries whose governments are actively trying to compromise that same infrastructure.
Volt Typhoon spent years pre-positioning in critical systems. Flax Typhoon built a botnet out of American homes and aimed it back at American institutions. Salt Typhoon turned telecom carriers into intelligence assets and potentially compromised the very systems designed to keep Americans safe from exactly that.
The FCC’s conclusion — that “foreign-produced routers present unacceptable risks to Americans” — is a reasonable policy response to documented, ongoing attacks. It won’t undo the breaches that already happened. But it starts to close the front door.
For home IoT users, the message is simple: your router is not a passive appliance. It’s the gateway to everything in your network, and someone has been treating it that way for years. It’s time you did too.
Sources: FCC National Security Determination on Routers (March 2026) | FCC Order DA-26-278A1
