The FCC's Waiver Extension for Routers Is the Right Call for Cybersecurity
Why patch status matters more than where it’s assembled—and what device makers should take from the policy reversal.

Doc McConnell
Head of Policy and Compliance
On May 8, the FCC quietly averted a looming cybersecurity crisis. The Office of Engineering and Technology extended waivers for foreign-made consumer routers and drones already deployed in the United States, allowing them to continue receiving firmware and software updates until at least January 1, 2029. Without the extension, updates on these devices—including updates intended to close exploitable cybersecurity vulnerabilities—could have been blocked as early as 2027.
The purpose of placing foreign-made routers on the Covered List was to improve cybersecurity for US consumers. Had the FCC not made this change, it would have produced the opposite outcome: millions of edge devices in American homes, small businesses, and critical infrastructure, all still in service, with no path to receive a security patch. That's a much worse posture than the policy was trying to fix.
The reversal also validates something my colleagues at Finite State and I have been saying since the FCC first added foreign-made consumer routers to the Covered List in March. The biggest practical risk from a router isn't where it was made. It's whether vulnerabilities get patched.
What Changed
The March 2026 update to the FCC Covered List blocked new equipment authorizations for foreign-made consumer routers, citing supply-chain and national-security concerns. The policy cited the kind of intrusions we've seen from Volt Typhoon, Flax Typhoon, and Salt Typhoon, all of which have leaned heavily on compromised edge devices.
But the original framing missed how router compromises actually happen at scale. Compromising flawed software is far easier and cheaper than compromising a supply chain. Most successful router attacks exploit known, unpatched vulnerabilities in older devices. The original order would have prohibited router manufacturers from solving this problem starting in 2027, leaving tens of millions of devices open to attacks—indefinitely.
By allowing firmware updates, the FCC has given manufacturers time to resolve cybersecurity issues for routers already in the field. However, this waiver only extends until 2029, so this issue has been delayed, not resolved.
Why Country of Origin Doesn't Predict Security
Back in March, our Chief Security Officer, Sharon Hagi, pointed out that the consumer router conversation isn't really about consumer devices at all. It's about the access path. A compromised home router sits between a remote employee's laptop and the corporate applications they reach with standard credentials. From an attacker's perspective, that's a man-in-the-middle position with a clear line into enterprise systems. The same vulnerability class that gets framed as a "consumer issue" routinely shows up in nation-state intrusion playbooks like the ones we've seen from Volt Typhoon.
Our General Counsel, Eric Greenwald, made a related point at the time: the vast majority of router-borne attacks rely on known CVEs (for which patches are available) against devices that, in some cases, have already reached end of life. That hands attackers a bounty of low-hanging fruit. Nation-state actors don't need to engineer a supply-chain compromise when, as Eric put it, the ecosystem is already "littered with devices that are child's play to commandeer."
When the ban first dropped, our founder and CEO, Matt Wyckhouse, explained the complexity of the router supply chain. Even routers assembled in the United States by American companies are using chipsets, firmware, and other components from all over the world. Today, a fully domestic router supply chain does not exist. Finite State also pointed out the patch problem early on. In a WIRED feature, Matt warned that blocking firmware updates would result in “millions of deployed routers frozen in time.”
After the extension was announced, our Senior Product Security Consultant, Joshua Marpet, named the economic reason the patch pipeline runs dry when a product line gets banned: router manufacturers have little incentive to keep issuing security updates for devices they can no longer sell. Preserving the market is what preserves the patches.
None of this argues that the underlying supply-chain concerns aren't real. They are. But a remedy that severs the patch pipeline for tens of millions of in-service devices is counterproductive.
What This Means for Device Makers
The waiver extension is welcome, but it's a reprieve, not a permanent fix. January 2029 marks the final weeks of the current administration, and policy on foreign-made network equipment will keep shifting.
The FCC's order is, at root, an onshoring mandate. The Covered List bars new foreign-made router models from entering the US market, and the FCC's Conditional Approval framework requires manufacturers to submit concrete plans for US production. Authorization is now a sustained engineering and operations commitment, and device makers should treat it that way.
But onshoring the supply chain and securing the device are two different problems. A router assembled in the US can ship with the same exploitable firmware as one assembled overseas. To really address the risk of unpatched vulnerabilities on millions of edge devices across the United States, manufacturers have to look at software quality, not manufacturing geography.
To solve this problem, manufacturers need to know what firmware is actually installed and running in the field, produce regular updates for every shipped version, and, crucially, find and fix firmware vulnerabilities before release. Manufacturers can’t be indifferent suppliers of new software versions. They have to commit to addressing the ubiquity of vulnerabilities that led the FCC to place routers on the Covered List in the first place.
This is the work Finite State spends most days helping connected-device makers do, grounded in deep firmware binary analysis of what actually ships rather than what a source manifest claims. We scan every build as it changes and continuously correlate shipped software against new vulnerability intelligence as it surfaces, so the exposure picture stays current between releases. The product security teams that handle the next policy shift well will be the ones who already have that view across their deployed devices on the day the rule changes.
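The fleet-level view described in this section, and the earlier point that most router-borne attacks hit known, patchable CVEs on devices that may already be end of life, can be made concrete with a small correlation step: take an inventory of what firmware each deployed device runs, match it against vulnerability advisories as they arrive, and classify each exposure by whether a patch can actually reach the device. The following is an added illustration written for this page, not Finite State's code or product logic. All device ids, product names, advisory ids, firmware versions and end-of-life dates are constructed placeholders, and it assumes plain dotted-numeric firmware versions where "first fixed version" advisories can be compared numerically.

```python
"""Correlate a deployed-firmware inventory against vulnerability advisories.

Added example for illustration; not Finite State's tooling. All data below
is constructed (hypothetical products, placeholder advisory ids, made-up dates).
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


def parse_version(v: str) -> tuple:
    """Turn a dotted-numeric firmware version like '1.4.1' into a comparable tuple.
    Assumption: vendors in this sample use purely numeric dotted versions."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str          # placeholder id, not a real CVE
    product: str
    fixed_in: Optional[str]   # first firmware version that closes the issue; None = no fix shipped yet


@dataclass(frozen=True)
class Device:
    device_id: str
    product: str
    firmware: str             # firmware version observed in the field


@dataclass(frozen=True)
class Exposure:
    device_id: str
    product: str
    firmware: str
    advisory_id: str
    status: str               # "patchable", "no_fix_yet" or "end_of_life"


class ExposureTracker:
    """Keeps the exposure picture current as new advisories are ingested."""

    def __init__(self, devices, eol_dates, today):
        self.devices = list(devices)
        self.eol_dates = dict(eol_dates)   # product -> date after which no updates ship
        self.today = today
        self.advisories = []

    def add_advisory(self, adv: Advisory) -> None:
        """Ingest new vulnerability intelligence; exposures are recomputed on demand."""
        self.advisories.append(adv)

    def _is_affected(self, adv: Advisory, dev: Device) -> bool:
        if adv.product != dev.product:
            return False
        if adv.fixed_in is None:          # no fix exists, so every shipped version is affected
            return True
        return parse_version(dev.firmware) < parse_version(adv.fixed_in)

    def _is_end_of_life(self, product: str) -> bool:
        eol = self.eol_dates.get(product)
        return eol is not None and eol <= self.today

    def exposures(self) -> list:
        """Every (device, advisory) pair where the device runs affected firmware."""
        found = []
        for dev in self.devices:
            for adv in self.advisories:
                if not self._is_affected(adv, dev):
                    continue
                if self._is_end_of_life(dev.product):
                    status = "end_of_life"     # a fix may exist, but it will never reach this device
                elif adv.fixed_in is None:
                    status = "no_fix_yet"      # vendor still owes an update for this version
                else:
                    status = "patchable"       # the fix exists; the device just has not taken it
                found.append(Exposure(dev.device_id, dev.product, dev.firmware, adv.advisory_id, status))
        return found

    def summary(self) -> dict:
        counts = {"patchable": 0, "no_fix_yet": 0, "end_of_life": 0}
        for exp in self.exposures():
            counts[exp.status] += 1
        return counts

    def versions_needing_update(self) -> dict:
        """Per product, the shipped firmware versions the vendor still has to service."""
        need = {}
        for exp in self.exposures():
            if exp.status == "end_of_life":
                continue
            need.setdefault(exp.product, set()).add(exp.firmware)
        return {p: sorted(v, key=parse_version) for p, v in sorted(need.items())}


def build_sample_tracker() -> ExposureTracker:
    """Constructed sample fleet and advisories; every value here is made up."""
    devices = [
        Device("rtr-001", "HomeRouter-A", "1.2.0"),
        Device("rtr-002", "HomeRouter-A", "1.4.1"),
        Device("rtr-003", "HomeRouter-B", "2.0.3"),
        Device("rtr-004", "HomeRouter-B", "2.1.0"),
        Device("rtr-005", "Legacy-C", "0.9.7"),
    ]
    eol_dates = {"Legacy-C": date(2024, 1, 1)}        # constructed end-of-life date
    tracker = ExposureTracker(devices, eol_dates, today=date(2026, 6, 1))
    tracker.add_advisory(Advisory("ADV-0001", "HomeRouter-A", fixed_in="1.4.0"))
    tracker.add_advisory(Advisory("ADV-0002", "HomeRouter-B", fixed_in=None))
    tracker.add_advisory(Advisory("ADV-0003", "Legacy-C", fixed_in="1.0.0"))
    return tracker


if __name__ == "__main__":
    t = build_sample_tracker()
    print(t.summary())
    print(t.versions_needing_update())
```

Running the sample yields one patchable exposure (rtr-001 is behind the fixed version), two with no fix shipped yet (both HomeRouter-B units), and one stranded end-of-life device (rtr-005, where a fix exists but will never be applied). Calling `add_advisory` again with a newer advisory moves devices between those buckets, which is the "exposure picture stays current between releases" idea in miniature. The important design choice is that end-of-life wins over "patch available": from a defender's view, a device that cannot receive the fix is exposed regardless of whether the vendor published one.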
The Real Question
The FCC's reversal is the right decision for cybersecurity. It's also a quiet acknowledgment of the next challenge for policy work on connected devices: a device's security posture is determined by the quality of its software, not just where it was assembled.
For everyone building, deploying, or regulating these systems, the practical question isn't where the box was built. It's whether the device was built to be secure, whether it’s consistently maintained, and whether your devices—today—are keeping your customers secure or putting them at risk.
If you don't already have that view of what you've deployed, building it is exactly the work this moment requires. (And if you need help getting there, that's what we do.) Talk to our team about what that looks like for your specific products and regulatory context.
Finite State provides software and firmware analysis, SBOM generation, and compliance evidence for connected-device manufacturers. finitestate.io


