Volt Typhoon Weaponized SOHO Routers at Scale — Here's Your Zero-Trust Playbook for the Remote Edge

The FCC just banned all new foreign-made consumer routers from US sale (effective March 23, 2026), but here's what most coverage misses: the ban doesn't fix the actual problem. Millions of unpatched SOHO routers already deployed in your remote workers' homes are the real attack surface — and three Chinese state-sponsored campaigns (Volt Typhoon, Flax Typhoon, Salt Typhoon) have been weaponizing them for years. This post breaks down the technical reality behind the ban, why it might actually increase the US attack surface, and — most importantly — a concrete zero-trust playbook for removing the home router from your enterprise trust chain entirely. What the FCC Actually Banned The FCC's Public Safety Bureau issued DA 26-278 on March 20, 2026. The order adds every consumer-grade router manufactured outside the US to the FCC's Covered List. New models can't get the FCC ID required for legal sale. Date Action March 23, 2026 FCC ceases all new equipment authorizations for covered foreign-ma