Security pros generally welcomed the March 23 edict by the Federal Communications Commission (FCC) to ban all foreign-produced consumer-grade routers, but some pointed out that teams still have to properly manage these routers for employees who work from home.

“The FCC’s move highlights a real concern, but it’s important to understand where the actual risk lives,” said Shane Barney, chief information security officer at Keeper Security. “Routers are a meaningful part of the attack surface, but they’re not the root problem: identity and access are often the deciding factor in whether a compromise spreads.”

In announcing the ban, the FCC said that foreign-produced routers introduce a supply chain risk that could disrupt the U.S. economy, critical infrastructure and national defense. They also said the foreign-made routers pose a “severe cybersecurity risk” that attackers could use to disrupt critical infrastructure or harm U.S. citizens.

Barney pointed out that in a remote and hybrid work model, the corporate perimeter no longer ends at the office network: it extends into thousands of home environments, each with its own mix of devices, configurations and potential vulnerabilities.

“From an enterprise perspective, restricting approval of new consumer router models produced abroad reduces one category of supply chain risk, but it doesn’t solve the broader issue of unmanaged endpoints and uncontrolled access,” said Barney. “Organizations need to assume that home networks are untrusted environments. That means enforcing zero-trust principles — strong identity verification, least-privilege access and continuous monitoring — regardless of where a user connects from.”

Barney added that auditing remote fleets should focus less on trying to control every piece of consumer hardware and more on controlling what actually matters: who can access corporate resources, under what conditions and with what level of privilege.
Even a perfectly secure router won’t protect an organization if a compromised credential grants administrative access.

Sonu Shankar, president and COO at Phosphorus, said expanding the FCC’s banned device list to consumer imports represents an important step toward addressing risks tied to limited visibility into foreign manufacturing processes and assembly sites.

Shankar said organizations often lack insight into how devices are built or whether they have been tampered with before deployment. Even devices assembled in the U.S. frequently rely on globally sourced components, extending that uncertainty across the supply chain.

“Firmware from banned manufacturers has repeatedly surfaced in white-labeled or OEMed products, making them difficult to identify and manage with traditional approaches,” said Shankar. “Risk is not static. A device that appears trusted today can become weaponized if the firmware update channel gets compromised.”

Shankar said the industry needs to get back to the fundamentals: For consumers, password and firmware updates are important. For enterprise customers, this means continuous assessment, firmware-level validation that the device is not banned, and consistent enforcement of credential, firmware, certificate and configuration hygiene.

Sharon Hagi, chief security officer at Finite State, added that many organizations still lack strong governance over remote access to their business applications and SaaS platforms. As a result, Hagi said these systems are often accessible from virtually any device — not just managed corporate laptops or mobile devices where security controls may be enforced.

For example, Hagi said employees can frequently access email, cloud storage, and other sensitive resources from personal home computers using standard corporate credentials and MFA.

“It’s a concern because the security of that access path matters,” said Hagi. “A compromised home router or intermediary WiFi, router or modem device between a personal computer and a corporate application can enable a man-in-the-middle attack.”

Hagi pointed out that in some cases, attackers may even undermine TLS protections, exposing sensitive data and credentials. Once obtained, attackers can use these credentials to directly target enterprise systems.

“This type of approach aligns with known tactics used by advanced nation state actors such as Volt Typhoon,” added Hagi.




