The Smart Money: FCC Router Ban Leaves 109 Million Homes at Risk

On March 23, the U.S. Federal Communications Commission (FCC) expanded its Covered List to include all consumer-grade routers produced in foreign countries – a significant escalation of the same supply chain security framework that has long restricted Chinese manufacturers such as Hikvision, Dahua, Huawei, and ZTE.

The Covered List identifies equipment and services deemed to pose unacceptable risks to U.S. national security; inclusion effectively bars new device models from receiving the FCC equipment authorization required to import, market, or sell products in the United States.

The action was prompted by a National Security Determination from a White House-convened interagency body that found foreign-produced routers create both supply chain vulnerabilities and direct cybersecurity exposure, citing documented state-sponsored intrusion campaigns that exploited consumer-grade routing equipment to penetrate American networks. Critically, the ban applies if any major stage of production – including manufacturing, assembly, design, or development – occurs outside the U.S.; the location of final assembly alone is not sufficient to qualify a device as domestically produced.

The practical reach of this ruling is broad: no major router manufacturer currently produces devices wholly within the U.S. across all stages of design and manufacture. The FCC issued a waiver permitting previously authorized routers to continue receiving security patches and firmware updates through at least March 1, 2027, at which point the FCC has indicated it will re-evaluate – leaving the long-term update status of the existing U.S. router installed base unresolved.

The scale of the installed base is significant. According to Parks Associates, ISP-issued routers account for approximately 70% of home internet households in the U.S., with the remaining 30% represented by retail brands including NETGEAR, Eero (Amazon), TP-Link, and Google. All are sourced, at least in part, from foreign production – and all fall within the scope of the new restrictions on future model approvals.

Following the FCC’s initial announcement, NETGEAR and Adtran (a leading maker of ISP-issued devices) have applied for and received temporary exemptions for several of their device models; however, these exemptions expire in October 2027 and will need to be renewed, creating uncertainty about the longevity of these products and especially their software support. Additionally, most ISPs partner with a wide number of router-making OEMs, supporting potentially hundreds of different device SKUs across their footprints: even in a best-case scenario, it is unlikely that more than a small percentage of existing routers and gateways will be made exempt through the vendor-led process.

The threatened end to software and firmware updates for existing router deployments puts U.S. cyber infrastructure at risk, as well as the data privacy and security of an estimated 109 million U.S. homes. With no current router models qualifying under FCC rules, and only a handful of non-qualifying devices receiving temporary exemptions, the vast majority of the deployed router base may need to be replaced in the next several years to mitigate the risk of cyberattacks, putting service providers and consumers in a position of being forced to absorb billions of dollars in costs or remain cyber-insecure by taking no action.  

What’s at Stake

Over the past five years, routers and gateways have become deployment channels for a wide variety of innovative new services into the home, including advanced whole-home cybersecurity solutions. These solutions – offered by companies such as NETGEAR, Eero, Plume, as well as many of the leading ISPs through myriad partners – protect all devices connected to residential Wi-Fi networks, including the millions of IoT products that will never see a firmware update.

Preventing existing routers and gateways from being updated, and delaying or even stopping router-makers from delivering new products, opens a vast attack surface inside of smart homes beyond the router itself.

This new development from the FCC comes alongside the continued rapid expansion of the U.S. residential broadband market. In the fourth quarter of 2025, Parks Associates reports that U.S. residential broadband subscriptions grew by an estimated 984K among the top 30 players, an increase of more than 300K from Q4 2024. Net additions reached an estimated 2.66 million new home internet subscriptions in 2025, up from 2.43 million in 2024, even in the face of consumer economic concerns.

Although ISPs are incentivized to keep costs low for their customers in this time of high competition, and home internet subscribers have more choices than ever, larger market forces continue to push prices up. The FCC decision introduces new financial pressures and a new layer of disruption at a time when connectivity, service reliability, and security are central to the home internet experience.

While most residential security integrators, telecom providers, and manufacturers remain in limbo, this combination of regulatory pressure, replacement costs, and increased cybersecurity risk creates a complex challenge for service providers and the broader home networking market.

In light of our analysis, Parks Associates advises service providers and router makers to review their legal options and engage policymakers on this ruling before the October 2027 exemption deadline forces the issue.

Editor’s Note: This article includes excerpts from Parks Associates Home Services Dashboard and Parks Associates Broadband Tracker Service, which provide estimates for residential home internet subscribers, ISP revenues, and key market trends.