As of May 9, 2026, the Federal Communications Commission (FCC) has issued a notice that allows software and firmware updates to continue for banned drones and routers in the US until January 2029. This means that for nearly three years, these devices will still receive critical security patches and updates, despite being prohibited from sale or use in the country.
Key Takeaways
- The FCC will allow software and firmware updates for banned drones and routers until January 2029.
- Manufacturers must provide updates for devices already sold in the US.
- Updates will continue for nearly three years, despite the ban.
- The FCC has not specified any additional requirements for manufacturers.
- The ban on sale or use of these devices remains in effect.
FCC Notice and Manufacturer Requirements
The FCC’s notice is part of a broader effort to address security concerns surrounding banned drones and routers. According to the FCC, manufacturers must continue to provide software and firmware updates for devices already sold in the US. However, the agency has not specified any additional requirements for manufacturers, such as implementing new security measures or undergoing additional testing.
This directive applies only to devices that were legally sold in the United States before the ban took effect. It doesn’t extend to new units imported or activated after the prohibition. The lack of added obligations—like third-party audits, vulnerability disclosure programs, or secure update protocols—leaves the enforcement of update quality entirely in the hands of manufacturers.
The FCC hasn’t clarified what happens if a manufacturer fails to deliver updates. There’s no stated penalty or mechanism for holding companies accountable. That absence of oversight could create uneven outcomes across brands. One company might issue monthly patches, while another releases nothing beyond a single mid-cycle update. Users won’t know which scenario they’re facing until it’s too late.
Still, the FCC’s stance reflects a pragmatic approach. Rather than severing support outright, which could leave thousands of devices vulnerable to exploits, the agency is opting for a managed wind-down. This keeps known vulnerabilities in check while avoiding abrupt obsolescence for consumers and small businesses still relying on the hardware.
Update Timeline and Scope
The FCC’s notice allows updates to continue until January 2029, which means that banned drones and routers will still receive critical security patches and updates for nearly three years. This is despite the ban on sale or use of these devices, which remains in effect.
The timeline suggests the FCC expects a full phaseout of these devices from active use within that window. Three years is long enough to allow organizations to transition to compliant alternatives, but short enough to prevent indefinite reliance on banned technology. It also aligns with typical hardware lifecycles—most drones and routers see peak usage for two to four years before performance degrades or users upgrade.
Security patches during this period will likely focus on high-risk vulnerabilities: remote code execution flaws, authentication bypasses, and network spoofing threats. Manufacturers probably won’t invest in feature improvements or UI redesigns. The goal is containment, not enhancement.
What’s less clear is how updates will be delivered. Will they remain automatic? Can users manually trigger them? If a drone is grounded due to network restrictions but still capable of connecting via direct Wi-Fi, will it qualify for patching? These operational details haven’t been addressed by the FCC, leaving room for inconsistency between vendors.
Another open question: what constitutes a “critical” update? The FCC doesn’t define the term. Without standardization, one manufacturer might classify any fix as critical, while another reserves the label for only the most severe exploits. That variability could lead to confusion among users about the urgency and scope of each patch.
Implications for Manufacturers and Users
The FCC’s decision has significant implications for manufacturers and users of banned drones and routers. For manufacturers, it means continuing to provide updates for devices that are no longer sold or used in the US. For users, it means that they will still have access to critical security patches and updates for their devices, despite the ban.
For manufacturers, the cost of maintaining legacy systems isn’t trivial. Development teams will need to keep access to old codebases, maintain build environments, and test patches against outdated hardware. Some companies may spin off small maintenance squads dedicated solely to these discontinued lines. Others might outsource the work to third-party dev shops, which could introduce delays or quality issues.
There’s also a reputational risk. Continuing to support a banned product line could be interpreted as defiance of federal policy—or worse, as evidence that the devices weren’t as risky as claimed. On the other hand, halting support prematurely could alienate loyal customers and invite scrutiny from consumer advocacy groups.
From a legal standpoint, manufacturers aren’t being forced to do anything new. The FCC’s language is directive but minimal. It stops short of mandating how updates are tested, how quickly they’re rolled out after a vulnerability is discovered, or whether they must be digitally signed to prevent tampering. That light touch reduces regulatory burden but increases the chance of weak implementations.
For users, the decision offers real benefits. Many organizations—agricultural operators, public safety departments, rural ISPs—still depend on these devices. A hard cutoff would have left them exposed. Now they have time to plan migrations without sacrificing security in the interim.
But there’s a psychological effect at play, too. Knowing that updates will last until 2029 might make some users complacent. They may delay replacing their hardware, assuming the patch pipeline will hold. That’s dangerous. The update guarantee ends in 2029, and there’s no promise it’ll be extended. Any device still in use after that date will become a liability.
What This Means For You
If you’re a manufacturer, you’ll need to continue providing updates for banned drones and routers sold in the US until January 2029. This means investing time and resources into maintaining and updating your products, even if they’re no longer sold or used in the country.
If you’re a user, you can breathe a sigh of relief. Your banned drone or router will still receive critical security patches and updates for nearly three years, despite the ban.
For developers working on enterprise drone management platforms, this creates a narrow but important window to integrate migration tools. You’ll want to build diagnostics that detect banned hardware on networks, flag end-of-support dates, and recommend compliant alternatives. Some companies are already adding sunset alerts into their fleet monitoring dashboards—automated warnings that trigger when a device is within 12 months of the 2029 cutoff.
Founders of cybersecurity startups should consider this an opening. A new layer of compliance-as-a-service tools could emerge—platforms that verify whether a banned device has received the latest firmware, scan for known unpatched flaws, or generate audit reports for regulators. That kind of niche software wasn’t viable before because the timeline was too uncertain. Now there’s a fixed endpoint, and that makes product planning easier.
For infrastructure builders in rural or underserved areas, the extension is a lifeline. Many community broadband projects rely on banned routers due to cost and availability. With updates guaranteed, they can keep networks stable while applying for grants or negotiating with approved vendors. One county in Montana reported that 60% of its wireless access points are affected by the ban. Without this reprieve, they’d have faced a $2.3 million replacement cost overnight.
Historical Context
This isn’t the first time the FCC has allowed continued support for banned hardware. In 2021, the agency permitted firmware updates for certain Chinese-made surveillance cameras after they were added to the FCC’s equipment authorization blacklist. At the time, officials argued that cutting off updates would make the devices more dangerous, not less.
A similar pattern emerged with radio transceivers in 2023. After a ban on specific models linked to foreign supply chain risks, the FCC gave manufacturers 24 months to continue issuing patches. The 2026 drone and router decision extends that precedent by nearly a year, suggesting the agency has settled on a policy template: ban sales, restrict use, but preserve updates for a defined period.
The roots of this approach go back further. During the 2018 crackdown on counterfeit networking gear, the FCC worked with Cisco and other vendors to maintain security support for affected units. The logic was consistent: insecure devices already in the wild pose a greater threat than controlled, monitored ones receiving patches.
What’s different now is scale. Drones and routers touch more sectors than previous cases. They’re used in agriculture, logistics, emergency response, and home networks. A blanket cutoff would have disrupted too many operations. The FCC appears to have learned from past rollouts—this time, they built in a longer transition phase from the start.
Key Questions Remaining
The January 2029 deadline looms, but major uncertainties remain.
Will manufacturers still be around to deliver updates? Some of the banned brands have already scaled back US operations. If a company dissolves or exits the market entirely, who takes over patching? The FCC hasn’t designated a fallback provider or escrow system for source code.
What happens to devices after 2029? Will they be automatically blocked from connecting to networks? Nothing in the notice suggests active enforcement. It’s more likely they’ll become unpatched but functional—silent risks waiting to be exploited.
And what counts as compliance? If a manufacturer releases one update in 2028 but ignores a critical flaw discovered in 2029, has it met the FCC’s expectations? The lack of measurable standards makes enforcement murky.
Another concern: updates themselves could be weaponized. A bad actor with access to a manufacturer’s signing keys could push malicious firmware under the guise of a security patch. The FCC hasn’t required multi-party signing, hardware-based verification, or public transparency logs. That’s a gap.
Finally, will this policy influence future bans? If the 2029 transition goes smoothly, we might see similar update windows for other prohibited tech—IoT sensors, smart city systems, even autonomous vehicles. But if widespread vulnerabilities emerge from lagging patches, the FCC could shorten or eliminate update allowances next time.
The next three years won’t just determine the fate of these devices. They’ll shape how the US manages the lifecycle of insecure but entrenched technology.
Sources: Engadget, The Verge
