Key takeaways:

• The Federal Communications Commission has banned the sale of new foreign-made routers in the US. The sweeping order applies to virtually every Wi-Fi router currently available in the US market.
• After speaking with seven industry experts, my advice is to hold off on buying a new router if you can. 
• Under the current rules, banned routers will no longer receive essential security firmware and software updates after March 1, 2027. 
• The FCC’s action has effectively frozen the entire market while router companies scramble to gain approval. 
• More specific information on which router companies will be subject to the ban is expected to become clearer within the next month or two. 

It's not often that we get bombshell news in the router world, but the FCC’s move to ban the sale of foreign-made routers in the US is absolutely unprecedented.

The sweeping order applies to any router in which any stage of “manufacturing, assembly, design and development” occurs outside the US -- in other words, just about any router you can buy right now. The argument is that they pose "unacceptable risks" to national security. Ironically, the order also prevents existing foreign-made routers from receiving vital security updates after March 1, 2027.

The ban doesn’t apply to routers that were already authorized by the FCC -- only new models that haven’t been approved yet. That means every router that was available before the order is still available today, and router companies can still restock them using their existing manufacturing processes. 

Essentially, the FCC is freezing the Wi-Fi router market. As William Budington, a technologist for the digital rights nonprofit Electronic Frontier Foundation, put it to me, “This is using an extremely blunt instrument.”

Where previous FCC bans have been limited to specific companies, such as last year’s push to ban TP-Link routers, this one affects an entire industry. So where does that leave someone who needs a new Wi-Fi router? Should you buy a model you’ve had your eye on in case it sells out? Or is it better to wait and see which companies the FCC considers foreign-made?

I know what I would do, but I gut-checked my advice with four cybersecurity experts. Turns out, we agree. 

My advice: Hold off on buying a new router for now

When I first saw the FCC’s announcement, I couldn’t stop thinking about how much chaos this would introduce to the US router market. As I tried to tease out which manufacturers would count as “foreign-made,” it quickly became clear how deeply international the supply chains for routers are. 

Understanding the scope of the ban

Take Netgear. While it’s a US-founded and headquartered company, it manufactures routers in Vietnam, Thailand, Indonesia and Taiwan. With the exception of Starlink -- the company says its newer routers are made entirely in Texas, according to the BBC -- I couldn’t find a single router brand that’s homegrown. 

I don’t have any issues recommending routers that were manufactured abroad. After all, they’d already gone through the FCC’s authorization process, and I haven’t seen convincing evidence that any one router brand has more hardware vulnerabilities than another. 

Thomas Pace, CEO of cybersecurity firm NetRise, told me last year during an interview about the potential TP-Link ban: "We've analyzed an astonishing amount of TP-Link firmware. We find stuff, but we find stuff in everything.”

I just finished testing, reviewing and rating over 30 routers, and after years of resistance, I finally concluded that Wi-Fi 7 routers are worth the money for the speeds you get. While I stand by my recommendations, with this ban in place, the router you buy today may not be any good in a year. 

The future-looking security risk

Then I saw the FCC’s Public Notice on the ban, which specifies that manufacturers can continue providing software and firmware updates “at least until March 1, 2027.” That means if you own a foreign-made router -- if you own any router, in other words -- it won’t be able to get security patches after that deadline. 

That’s why I think the wise move here is to wait on buying one if you can. Keeping your router’s firmware up-to-date is an essential part of securing your home network. If you buy from a router company that doesn’t get an exemption from this ban, you risk having an unsecured device a year from now. 

It’s an ironic side effect of an order that is ostensibly designed to keep Americans safer: They may no longer be able to get the latest security fixes.  

“If you're limiting the ability of people to get security updates, then you’re making the problem worse, not better,” Alan Butler, senior counsel at the Electronic Privacy Information Center, told me. “A lot of those routers are going to turn into pumpkins in a year unless they extend this waiver.”

By saying you can update your firmware “at least until March 1, 2027,” the FCC does leave some wiggle room for an extension. But until we know more about which companies the FCC considers foreign-made and which will be exempt, I wouldn’t feel comfortable recommending spending money on a new router right now. 

"The risk is very real," said Rik Ferguson, vice president of security intelligence at cybersecurity company Forescout. "If you find yourself in a situation where that update pipeline has been switched off, then you definitely have to consider whether you want to keep using that device."

"The risk just keeps going the longer time passes, because chances are that there will be new vulnerabilities being found that you cannot patch," added Daniel Dos Santos, vice president of research at Forescout.

Advice for immediate router needs  

If your old router stopped working, I’m not going to tell you to wait for clarity from the FCC to get back on Wi-Fi -- the timeline for concern is more in years than months. A good compromise might be to buy an older budget router rather than the latest Wi-Fi 7 model you’ve had your eye on. But if you can afford to wait a month or two, it’s worth exercising some caution. 

“I do think this is going to become a mess very quickly,” Butler said.

This is the messiest point in the process we’re likely to see. As the dust settles in the coming weeks, we’ll likely have better information on which routers will still be safe to use a year from now. 

What if you rent your router from your ISP?

Where does this order leave the 70% of Americans who rent their internet equipment from their internet service providers? The FCC’s ban will impact them, too, as they also rely heavily on foreign-made routers. 

Essentially, my advice is no different than it is for people who own their routers: Don't panic, and wait to see how things shake out. If you haven't upgraded your equipment in a few years, now might be a good time to call your ISP and ask them what options are available. But it's not likely that they'll proactively replace them on their own, says Doug Dawson, a veteran broadband analyst and author of the industry blog POTs and PANs.

"I don't see any mass replacement of these things, because it's just too much money," Dawson told me. "I'd guess before any deadline on firmware updates, they're going to issue those three days before that and then they're going to cross their fingers that they don't start seeing problems."

Expert opinion: Is your current router still safe to use?

When I polled four cybersecurity experts, I was surprised to find that they were generally in favor of the FCC taking action to protect router security in theory, but critical of the execution. 

“It’s going to impact many harmless products in order to stem a real problem,” Budington said.  “It's also not particularly well-targeted, since routers are only one part of the problem, along with IoT devices.”

The concern for national security risk 

The FCC says that routers produced abroad were “directly implicated” in the Volt, Flax and Salt Typhoon cyberattacks. These attacks aren’t necessarily targeting an average person’s data, but they can turn your router into a tool to be used in malicious attacks. 

“The individual user who owns the router probably doesn't even know anything about it,” Butler said. “It’s happening in the background without their knowledge, and it's not necessarily affecting them directly in any way that they can notice.” 

In the Salt Typhoon attack, hackers gained access to data from millions of people through their internet providers, aiming to gain access to information from court-authorized wiretaps. It was a particularly bold instance of a tried-and-true hacker approach called “spray and pray”: Find default login credentials and try them on as many connected devices as you can. 

“It can be only one router out of 5,000, but that one can be a bingo,” Sergey Shykevich, a threat intelligence manager at Check Point Research, told me about these types of attacks. “It’s mostly just easy. In many cases, you don't have to be a very sophisticated actor, or even nation-state, in order to be successful.”

How you can secure your router right now 

It's just as easy for hackers to gain access through a router’s default credentials as it is for you to change your own settings. Most routers have an app that lets you update your login credentials from there, but you can also type your router’s IP address into a URL. These are different from your Wi-Fi name and password, which should also be changed every six months or so. It’s also a good idea to keep your firmware updated, which you can do automatically in your router’s settings or by manually downloading updates in your router’s app or web portal.

When will we know more?

I wish I could point to another time when the FCC ordered a blanket ban on an entire category of consumer products, but nothing like this has happened before. Manufacturers can apply for “Conditional Approval,” and they are likely scrambling behind the scenes to make the cut. When I reached out to the FCC for more clarity on the order, I was referred to the commission's "Covered List" FAQ page.

My best guess is that we’ll learn more specifics on which companies are banned in the next month or so -- an estimate that was echoed by two industry observers I spoke with. But the wait could be even longer. Budington told me he thinks router companies might wait until the ban is lifted rather than hustle to try to move their entire supply chains to the US. 

No matter how it shakes out, we’ll likely look back on this as the most chaotic chapter of the router ban story. Unless you need a new router immediately, there’s a good chance you’ll be able to make a more informed decision a month from now.