Australians could have to reconsider their choice of network and Wi-Fi routers, if the ACSC opts to follow a new US government ban on foreign-made routers that’s set to block the sale of some of the world’s most widely used devices.
Routers connect every home and business to the Internet, and provide Wi-Fi services – making them indispensable to life online – yet exploitable security vulnerabilities have made them complicit in major attacks like Volt Typhoon, Flax, and Salt Typhoon.
Such concerns led the US Federal Communications Commission (FCC) to announce the ban after a determination that “foreign-produced” consumer routers “pose unacceptable risks to US national security.”
They “establish a severe cybersecurity risk that could be leveraged to immediately and severely disrupt US critical infrastructure and directly harm persons,” it found, warning the US “can no longer depend on foreign nations for router manufacturing.”
“Allowing routers produced abroad to dominate the U.S. market creates unacceptable economic, national security, and cybersecurity risks.”
Foreign devices are now on the FCC’s Covered List – a blacklist of technologies deemed to be dangerous for the US or its residents that also includes Kaspersky Labs security tools, DJI and other foreign-made drones, and Dahua and Hikvision cameras.
FCC won’t certify products on the Covered List, blocking their sale in the US – although firms can apply for ‘Conditional Approval’ to plead their case with national security authorities.
The ban could reshape a market in which major brands like TP-Link, Huawei, and Xiaomi (based in China), D-Link, Asus and Zyxel (Taiwan) hold around two-thirds of the router market, beating US brands like Cisco, Linksys, Netgear, Eero, and Ubiquiti.
Yet with US brands making devices in Taiwan, China, Vietnam and Mexico, they could face problems given the FCC classifies “production” as “any major stage of the process through which the device is made, including manufacturing, assembly, design, and development.”
Security prudence or tech xenophobia?
Security authorities regularly urge consumers to upgrade their routers to close security vulnerabilities, which are regularly exploited by cybercriminals to plant information-stealing malware and build global botnets that attack companies.
The US National Vulnerability Database includes over 2,900 mentions of router-related known exploited vulnerabilities (KEVs), which have already been exploited in the wild by cybercriminals that often compromise and sell access to large numbers of routers.
So-called ‘end-of-life’ routers – those that are so old that they are no longer receiving security updates from their vendors – are particularly vulnerable because consumer routers are often installed and then ignored for years as long as they keep working.
Yet American routers suffer security issues just like those from overseas – one recently patched Cisco vulnerability lingered for three years – so is the ban technically prudent, or just another xenophobic policy like those banning foreign drones, cameras, and cars?
Some foreign-made routers have shipped with malware installed, notes Deral Heiland, principal IoT security researcher with security firm Rapid7, who notes “insecure or poorly designed routers” have fuelled an “unprecedented” surge in compromises.
“This move by the FCC to rein in these risks is a positive step that will ultimately help the US maintain and protect its critical infrastructure and intellectual property,” he said, advising other governments to review the FCC’s decision and consider similar options.
“While this effort will likely take years to fully realise, it will ultimately be a win-win for cybersecurity professionals tasked with protecting businesses and critical infrastructure networks.”
Could the ban be extended to Australia?
Since Australia no longer manufactures routers domestically, non-US brands dominate business, government and home networks where they are routinely supplied by ISPs.
Australia’s wireless router market, pegged at $385 million (US$267.34 million) in 2024, is expected to reach $800 million (US$559.4 million) by 2033 as users embrace technology like mesh Wi-Fi, faster Wi-Fi 7, and upcoming Wi-Fi 8 and HaLow.
Australian Signals Directorate (ASD) authorities regularly work with the US FBI, National Security Agency, CISA and other bodies to investigate large-scale botnet and device compromises, with advisories and policies often following US authorities’ lead.
A 2024 advisory, for example, warned that a China-based company had compromised at least 260,000 IoT devices while routers’ role in another widespread campaign was called out with a list of known device vulnerabilities being exploited.
The FCC measure “does have a credible supply-chain security rationale, but it is far broader than the public evidence shown so far,” said Jason Pearce, field chief technology officer with IoT security firm Claroty.
“A router is secure because of its architecture, software-maintenance discipline, and support lifecycle,” he added, “not because of the passport of the factory.”
“The national security case is strongest against specific high-risk vendors and weakens materially when it becomes a blanket rule about geography – and if the risk is immediate and severe, why are existing foreign routers allowed to stay in service?”
A spokesperson for the ASD, which has regularly advised consumers to secure their routers and Wi-Fi, told Information Age that it “is not a regulator”, but takes an advisory role “in order to assist risk-based decision making about technology supply chains.”
“Vendor choice, including whether to use foreign produced software, ICT equipment, social media and messaging apps,” they said, “is a risk-based decision for individuals and organisations, unless there are specific regulations preventing the use of a specific product.”
