FCC grants two-year software lifeline for DJI drone and TP-Link router owners

The Federal Communications Commission (FCC) has extended a vital software lifeline for millions of American consumers who own foreign-made drones and routers. Originally facing a looming deadline that would have halted all security patches and firmware updates, owners of devices manufactured by companies such as the Chinese drone maker DJI now have until at least 1 January 2029 to receive essential software support. This decision reverses a policy that experts warned could have inadvertently created a massive cybersecurity vulnerability.

The restrictions originate from revisions to the FCC equipment authorisation rules that were adopted in October 2025. As part of a broader national security effort pushed by the White House to reduce reliance on potentially risky foreign technology, the FCC began adding certain communications equipment, foreign-produced unmanned aircraft systems (UAS), and critical drone components to its Covered List in late 2025 and early 2026. Consumer routers produced in foreign countries were subsequently added to the list in March 2026. The American government cited serious concerns regarding espionage, unauthorised surveillance, and data exfiltration, pointing to cyberattacks such as the Volt Typhoon advanced persistent threat, which attempts to leverage compromised hardware to establish command and control channels over American infrastructure.

Placing these devices on the Covered List effectively blocked already-authorised devices from receiving post-approval software and firmware modifications, which the FCC classifies as permissive changes. Under the initial waivers, affected routers could only receive updates until 1 March 2027, while the cutoff for foreign-made drones was set for 1 January 2027. However, this strict enforcement created a difficult dilemma. Without vendor-provided software updates, which routinely patch vulnerabilities that hackers could exploit, millions of already-deployed devices risked becoming less secure over time. The scale of this vulnerability is vast; according to reports, approximately 60% of America’s routers and more than 80% of the operational drones in the US were designed and built in China.

A strict ban on updates meant that consumers who had legitimately purchased expensive equipment would be left with vulnerable devices. A major tech industry group, the Consumer Technology Association, advocated on behalf of these consumers, issuing an open letter to urge regulators to exercise leniency and clarify the scope of the ban. The group argued that blocking security patches could precipitate the exact operational failures and cybersecurity risks the government was attempting to prevent.

Acknowledging that continued software support remains necessary to protect consumers, the FCC’s Office of Engineering and Technology (OET) issued an updated waiver. The OET declared that ‘special circumstances warrant a deviation from the general rules and the public interest would be better served by extending the waiver’. The extension allows manufacturers to issue software and firmware updates that mitigate harm to consumers until 1 January 2029, provided the devices were already authorised for use in the US before being placed on the Covered List.

Before this reversal, the OET only permitted minor software updates classified as Class I permissive changes. The updated waiver broadens this allowance to include certain Class II permissive changes that involve more substantial modifications. These include updates that ensure continued device functionality, patch critical vulnerabilities, and maintain compatibility with varying operating systems and network environments. The waiver does not cover Class III changes, which involve significant alterations to the radio transmitter, such as output power or frequency range.

It is important to note that the waiver does not reverse the broader restrictions or remove any devices from the Covered List. All upcoming and newly developed foreign-made Wi-Fi routers and drones remain banned from the US market unless the manufacturer secures a conditional approval exemption from the Department of Homeland Security or the Pentagon. While companies such as Netgear and Amazon eero have successfully secured these exemptions, Chinese brands such as DJI and TP-Link have not. DJI, in particular, has been actively fighting the ban in court and through the FCC’s petition process to remove itself from the blacklist. TP-Link has also told the commission it is investing hundreds of millions of dollars in US manufacturing to secure an exemption.

The OET plans to recommend that the commission consider codifying this waiver through a formal rulemaking process. Depending on the outcome of future rulemakings, it is possible the FCC could extend the cutoff time even further, or axe it altogether, providing regulators with time to design a more permanent framework while avoiding immediate risks to the public. This extension serves as a two-year lifeline for American consumers, highlighting the complex balancing act governments face in securing communications infrastructure without inadvertently generating new cybersecurity threats. As the full scope of the cybersecurity threat clarifies over the coming years, supply lines and manufacturers are expected to re-localise.