The US decision to add foreign-made consumer routers to the FCC’s Covered List has sparked predictable debate about supply chains, geopolitics and trust. Those are valid concerns. But if we are honest about where risk actually sits today, the truth is that the ban addresses tomorrow’s procurement decisions far more than today’s security exposure.
That matters, because attackers are not waiting for procurement cycles.
Routers have quietly become one of the most attractive footholds in both enterprise and home networks. They sit at the edge, are often internet-facing and frequently overlooked once deployed. In our own research, routers consistently rank among the riskiest devices, with high vulnerability density and a growing role in real-world exploitation.
Whereas the FCC decision focuses on where a device is made, the problem organisations need to deal with is how those devices are built, managed and maintained.
“Made in” is not the same as “secure” – it’s not even close.
Many of the weaknesses we see come from familiar, measurable issues like outdated software components, slow patching cycles, weak credentials, exposed management interfaces and long lifespans that extend well beyond vendor support. In firmware analysis, we regularly see common components that are years behind current versions, carrying known vulnerabilities that attackers can and do exploit.
And crucially, none of that changes because a new device is banned from import.
The bigger blind spot in this conversation is the installed base. Millions of routers already sit in homes, branch offices and remote worker environments. They will remain there for years. They are rarely patched or monitored and hybrid working has made them part of the enterprise attack surface whether organisations like it or not. A compromised home router can be used for traffic interception, credential harvesting, or as a pivot point into corporate systems.
So while the ban may reduce future exposure in a narrow sense, it does nothing to address the risk organisations already carry today, which will inevitably extend into the future.
There is also a risk that policy discussions drift into a false sense of progress. Focusing on supplier origin can create the impression that risk is being reduced at a structural level, when in reality the underlying issues remain unchanged. Security is not something you import. It is something you continuously verify.
Network infrastructure needs to be treated as part of the active attack surface, not background plumbing. That means maintaining an accurate inventory of routers across enterprise and remote environments, including firmware versions and exposure. Lifecycle management should also be prioritised and that means replacing end-of-life devices, enforcing firmware updates and demanding transparency from vendors around software components as well as patch cadence.
In order to remove easy wins for attackers, disable internet-exposed management interfaces, enforce unique credentials and apply segmentation so that one compromised router does not automatically lead to broader access.
Finally, recognise that the FCC decision raises important questions about trust and resilience in technology supply chains, but if it leads organisations to believe the problem has been dealt with, it risks becoming a distraction. The real work is less visible, less political and far more operational. It is about fixing the conditions that make routers such an easy and persistent target in the first place.
And that work is long overdue.
