US softens stance on foreign drones and routers as blindspots emerge

The US Federal Communications Commission (FCC) has extended temporary waivers allowing certain foreign-made routers and drones already deployed in the US to continue receiving software and firmware updates until January 2029.
The US government agency announced on Friday through the Office of Engineering and Technology (OET) that it was extending temporary waivers, allowing certain foreign-produced drones, drone components, and consumer routers to continue receiving software and firmware updates within the market.
The move reverses earlier restrictions that would have blocked updates after 2027 for devices placed on the FCC’s “Covered List” over national security concerns. It also acknowledges that, like it or not, US critical infrastructure and consumers alike still depend heavily on potentially risky overseas tech.
Restrictions included a move in December to ban all foreign-made drones and their critical components, followed by a March ban blocking new foreign routers from entering the US market.
In both cases, national security concerns were cited, with officials saying the ban was necessary following ongoing threats from Chinese cyber groups, including Salt Typhoon, Volt Typhoon, and Flax Typhoon, to hit US infrastructure.
Bans blocked vital fixes, so pivot was needed
However, by adding these devices to its “Covered List,” the FCC effectively blocked already-authorized devices from receiving vital patches that come with software updates.
Experts warned that this could unintentionally create cybersecurity risks, leaving millions of existing devices vulnerable to unpatched flaws, compatibility issues, and operational failures.
The FCC’s waiver acknowledges that this software support remains necessary to protect US consumers.
Has your password leaked?
The waiver specifically allows updates that maintain device functionality, patch vulnerabilities, and preserve compatibility with changing operating systems and network environments.
The agency adds that it applies only to products previously authorized before the restrictions took effect, and does not remove the affected devices from the Covered List or permit new foreign-made router models to enter the US.
The move has been welcomed by security experts, who have warned that abruptly ending firmware support for already-deployed devices could create additional attack opportunities.
According to Matt Wyckhouse. founder and CEO of Finite State, the biggest practical security risk with routers is not who made them, but whether they remain patched.
“Routers sit at the edge of homes, businesses, and critical networks. When they stop receiving updates, known vulnerabilities remain exposed, attackers gain durable footholds, and consumers are left with equipment they cannot realistically secure on their own,” he said.
“The original restriction risked creating millions of deployed routers frozen in time, unable to receive security fixes."
Matt Wyckhouse, founder and CEO, Finite State
Josh Marpet, a senior product security consultant at Finite State, a cybersecurity firm specializing in product security, firmware analysis, added: “Manufacturers have zero incentive to write security patches for devices they can't keep selling.
“Keeping the market alive, as this adjustment is doing, is the only way to keep US citizens safe for longer. Simple as that.”
Unlock more exclusive Cybernews content on YouTube.