TP-Link makes some of the most popular routers in the country, but they may not be available in the US for much longer.
Investigators at the Departments of Commerce, Defense and Justice have all opened probes into the company that are related to Chinese cyberattacks. These departments are considering a potential ban on the sale of TP-Link routers, according to a Wall Street Journal article published last week.
TP-Link has become increasingly dominant in the US router market since the pandemic. According to the Journal report, it grew from 20% of total router sales in 2019 to about 65% this year. TP-Link disputed these figures to CNET, and a separate analysis by IT platform Lansweeper found that 12% of home routers in the US are TP-Link.
While there have been high-profile cyberattacks involving TP-Link routers, this potential ban is more about the company's ties to China than specific security issues that have been publicly identified, according to cybersecurity researchers I spoke with.
“People expect there to be a smoking gun or something in these devices from Chinese manufacturers, and what you end up finding are exactly the same problems in every device. It's not like the Chinese devices are glaringly insecure,” Thomas Pace, CEO of cybersecurity firm NetRise and a former Department of Energy security contractor, told CNET. “That's not the risk. The risk is in the corporate structure of every Chinese company.”
TP-Link was founded in 1996 by brothers Zhao Jianjun and Zhao Jiaxing in Shenzhen, China. In October, it moved its headquarters to Irvine, California, two months after the House announced an investigation into the company. The company told CNET that it previously had dual headquarters, in Singapore and Irvine.
In my conversations with TP-Link representatives over the past few weeks, they have consistently distanced themselves from ties to China.
“TP-Link has a secure, vertically integrated and US-owned international supply chain,” a TP-Link representative told CNET. “Almost all products sold in the United States are made in Vietnam.”
Despite this, the US government seems to view TP-Link as a Chinese entity. In August, the House of Representatives Committee on the Chinese Communist Party called for an investigation into the company.
“TP-Link's unusual degree of vulnerability and the required compliance with (Chinese) law is troubling in itself,” wrote the lawmakers. “When combined with the (Chinese) government's common use of (home office) routers like TP-Link to carry out large-scale cyber attacks in the United States, it becomes significantly alarming.”
Asked for comment, a TP-Link representative told CNET: “Like many consumer electronics brands, TP-Link Systems routers have been identified as potential targets for hackers. However, there is no evidence to suggest that our products are more vulnerable than those of other brands.”
CNET has several TP-Link models on our lists of the best Wi-Fi routers and will be watching this story closely to see if we need to reconsider those choices. While our assessment of the hardware hasn't changed, we're pausing our recommendations for TP-Link routers until we know more.
The ban is more about TP-Link's ties to China than a known technical issue
The cybersecurity experts I spoke with agreed that TP-Link has security vulnerabilities, but so do all router companies. It is unclear whether the government has found a new issue that would lead to a potential sales ban on TP-Link.
The Wall Street Journal article cited federal contract documents showing TP-Link routers purchased by agencies from the National Aeronautics and Space Administration to the Defense Department and the Drug Enforcement Administration.
The potential ban comes at a time in Washington when there is growing bipartisan support for pulling Chinese products out of U.S. telecommunications. In an attack discovered in October called Salt Typhoon, Chinese hackers allegedly broke into the networks of US ISPs like AT&T, Verizon and Lumen, which owns CenturyLink and Quantum Fiber.
“Vulnerabilities in embedded devices are not unique to any manufacturer or country of origin,” said Sonu Shankar, chief product officer at Phosphorus Cybersecurity. “Nation-state actors often exploit vulnerabilities in devices from vendors around the world, including those sold by US manufacturers.”
Brendan Carr, Trump's pick to chair the Federal Communications Commission, said in an interview with CNBC that a recent intelligence briefing on the Salt Typhoon attack “made me want to basically smash my phone at the end of it.”
“In many ways, the horse is out of the barn at this point,” Carr said. “And we need all hands on deck to try to solve this and rein it in.”
TP-Link is not related to the Salt Typhoon attacks, but the episode shows the current temperature on perceived threats from China.
The government may have identified a TP-Link vulnerability, but we don't know for sure
Several of the cybersecurity experts I spoke with believe it's likely that intelligence agencies have found something with TP-Link that warrants a ban.
“I think this comes from deeper intelligence within the US government. Usually this happens before the information becomes public,” Guido Patanella, senior vice president of engineering at Lansweeper, told CNET.
“I think it's beyond political,” Patanella added. “It could either be a deliberately placed hardware flaw or it could be from a firmware point of view. This is usually a black box analysis and usually not shared, as happened with Huawei.”
In 2019, then-President Donald Trump issued an executive order which effectively banned US companies from using networking equipment from Huawei, another Chinese company that has come under fire over national security concerns.
Pace, NetRise's CEO, told me he thought it was likely that there was a “zero-day” vulnerability in TP-Link devices, a term that refers to a hidden flaw that the vendor has had zero days to fix, but he was quick to point out that there is no evidence of that.
“But at least that claim is based on some reality that we're aware exists, which is that the PRC (People's Republic of China) is involved in every Chinese corporation. And that's undeniable,” Pace said.
TP-Link has known security vulnerabilities, but so do all router companies
A TP-Link representative pointed us to the Cybersecurity and Infrastructure Security Agency's list of Known Exploited Vulnerabilities. TP-Link has two of these events cataloged, compared to eight for Netgear and 20 for D-Link; other popular router brands like Asus, Linksys, and Eero don't have any.
By this measure, TP-Link isn't exceptional in any way, but that may not be that useful a measure.
“We analyzed an incredible amount of TP-Link firmware. We find things, but we find things in everything,” said Thomas Pace, CEO of cybersecurity firm NetRise and a former Department of Energy security contractor.
“The problem with the CISA KEV (list) is, if everything is on the list, how good is that list?” Pace added. “Basically every telecommunications device on the planet has at least one CISA KEV vulnerability. It's a big problem for which there are no great answers.”
There were also several cybersecurity reports that specifically singled out TP-Link. The most famous was in October, when Microsoft posted details of a password spraying attack that it had followed for more than a year. In this type of attack, hackers use a single common password to try to access multiple accounts.
Microsoft called the attack “nation-state threat activity” and said TP-Link accounted for the majority of routers used.
In May 2023, Check Point Research also identified a firmware implant in TP-Link routers linked to a Chinese state-sponsored hacking group. In this case, the campaign was aimed at European foreign affairs entities. However, the researchers emphasized that the attack was written in a “firmware-agnostic manner” and was not designed to exploit TP-Link specifically.
“Although our analysis focused on its presence in modified TP-Link firmware, previous incidents show that similar implants and backdoors have been used on devices from various manufacturers, including those based in the United States,” Itay Cohen, one of the authors of the Check Point Research report, told CNET.
“The broader implication is that this implant is not targeting a specific brand – it is part of a larger strategy to exploit systemic vulnerabilities in the internet infrastructure.”
Cohen said he doesn't believe banning TP-Link will improve security much. As I have heard from other researchers, the security issues identified are not unique to one company.
“The vulnerabilities and risks associated with routers are largely systemic and affect a wide variety of brands, including those made in the United States,” Cohen said. “We do not believe that the implant we found was known to TP-Link or was knowingly inserted as a backdoor into their products.”
Is it safe to use a TP-Link router?
There are real risks associated with using a TP-Link router, but some level of risk is present no matter what brand of router you use. In general, cyberattacks linked to Chinese actors have targeted think tanks, government organizations, non-governmental organizations and Defense Department suppliers, according to the Journal's reporting.
“I don't think the average person is going to have this huge target on their back,” Pace told CNET. “They tend to go after the things they want to go after.”
However, these types of attacks are often indiscriminate, because the aim is to create a chain of nodes between infected routers and the hackers.
“This means regular users are at risk of being targeted as part of a broader attack campaign, even if they are not individually targeted,” said Cohen, a Check Point security researcher.
How to protect yourself if you have a TP-Link router
To keep your network safe and secure, you should follow the same steps whether you have a TP-Link router or any other brand. Here's what the experts recommend:
- Keep your firmware up to date: One of the most common ways hackers access your network is through outdated firmware. TP-Link told us that customers with TP-Link Cloud accounts can simply click the “Check for Updates” button in their product's firmware menu when logged into the TP-Link app or website. You can also find the latest updates at TP-Link's download center.
- Strengthen your credentials: If you have never changed your router's default login credentials, now is the time to do so. Weak passwords are the cause of many common attacks. “Devices using default or weak passwords are easy targets,” Cohen told CNET. “Standard or simple passwords can be easily brute-forced or guessed.” Most routers have an app that allows you to update your login credentials from there, but you can also type your router's IP address into your browser's URL bar. These credentials are different from your Wi-Fi name and password, which should also be changed every six months or so. The longer and more random the password, the better.
- Consider using a VPN service: For an extra layer of protection, a virtual private network will encrypt all your internet traffic and prevent your ISP (or anyone else) from tracking the websites or apps you use. You can find CNET's selection of the best VPN services here.