After TikTok, the WiFi router in your home may be next Chinese tech ban target

The logo of TP-Link appears on the products of router manufacturer TP-Link in Fuyang, China, on December 19, 2024. (Photo by Costfoto/NurPhoto via Getty Images)

While the TikTok ban has lawmakers scurrying and chatter about Chinese influence over U.S. tech at a fever pitch, another danger is lurking. One of Amazon’s top-selling router brands, TP-Link, has been under scrutiny by regulators as posing a threat to American infrastructure. Experts worry that China could exploit the routers to launch attacks on critical infrastructure or steal sensitive information.

Rep. Raja Krishnamoorthi (D-IL) and Rep. John Moolenaar (R-MI) sent a letter to the U.S. Department of Commerce last summer, touching off a flurry of investigations and calls for a ban. The letter, which the Wall Street Journal first reported, flagged “unusual vulnerabilities” and required compliance with PRC law as disconcerting. “When combined with the PRC government’s everyday use of SOHO [small office/home office] routers like TP-Link to perpetrate extensive cyberattacks in the United States, it becomes significantly alarming,” the letter stated.

But so far, no action has been taken, and Krishnamoorthi is concerned.

“I am not aware of any plans to get them out,” Krishnamoorthi said. He pointed to the government’s “rip and replace” plan with Huawei network equipment as a precedent that could be followed. The government mandated in 2020 that companies rid themselves of Huawei equipment, which was deemed to pose a national security threat. Efforts to remove the equipment are still ongoing.  

According to data he cited, TP-Link has a 65% share of the U.S. router market, and its success has followed a playbook similar to one China has used with other technology: make a lot more than they need, export the surplus to undercut the competition, and use the technology for backdoor access or to disrupt.

“I am wondering whether something similar needs to be done, at least in regards to national security agencies, Department of Defense, and Intelligence,” Krishnamoorthi said. “It just doesn’t make sense for the U.S. government to be buying the routers.”

The routers were among brands in the market linked to hacks on European officials and the Typhoon Volt attacks.

An Amazon best seller inside our online histories

Krishnamoorthi’s concerns go beyond the federal government. State and local utilities that have them could be vulnerable, he said, as well as people who have the routers at home.

“The PRC has every intent to collect this data on Americans and they will. Why give them another backdoor?” Krishnamoorthi said.

Browsing history, and family and employer information, are all at risk.

“I would not buy a TP-Link router, and I would not have that in my home,” he added, and noted that he never had TikTok on his phone.

Ranking member Raja Krishnamoorthi (D-IL) participates in the first hearing of the U.S. House Select Committee on Strategic Competition between the United States and the Chinese Communist Party, in the Cannon House Office Building on February 28, 2023 in Washington, DC. The committee is investigating economic, technological and security competition between the U.S. and China. 

Kevin Dietsch | Getty Images News | Getty Images

There are multiple versions of TP-Link routers available on Amazon, with one labeled a “best seller” retailing for $71. Amazon did not respond to questions about whether it planned to pull the routers.

A spokesman for the majority of the Select Committee on the Chinese Communist Party, chaired by Moolenaar, told CNBC the TP-Link routers pose an espionage risk to Americans because the company is beholden to the Chinese government, which is engaged in a full-scale hacking campaign against the United States and our people. “Because of this, we hope to see TP-Link routers banned in the coming year, coupled with programs to replace existing Chinese routers with safe American alternatives.”

TP-Link Technologies has said in response to the accusations that it does not sell router products in the U.S. and denied its routers have any cybersecurity vulnerabilities. TP-Link Systems, which recently built a new headquarters for the U.S. market in Irvine, California, has had operations in the state since 2023, and says it is a separate company with separate ownership, and most of the routers made for the U.S. market come from Vietnam.

“TP-Link Systems is proactively seeking opportunities to engage with the federal government to demonstrate the effectiveness of our security practices and to demonstrate our ongoing commitment to the American market, American consumers and addressing U.S. national security risks,” the company told the Orange County Business Journal earlier this month.

The People’s Republic of China’s ministry in the United States did not respond to a request for comment.

The problem of unencrypted communication

A consensus on the best way to combat the problem, and enact a ban, remains elusive, given how widespread use of the routers already is within U.S. consumer and business markets.

Guy Segal, vice president of corporate development at cybersecurity services company Sygnia, said in addition to TP-Link router prevalence in government institutions, including defense organizations, the company has the majority of the U.S. market in routers for homes and small businesses.

“The pervasiveness of this technology and the potential risks associated with it do present security concerns for users that should be taken seriously, whether at the consumer level or a national security consideration for government entities,” he said.

If a ban is to come, it is more likely to be spurred by the national security concerns, and the implications the routers could have on military readiness and national security, than by the risk to home internet consumers. Segal said if momentum for a ban picks up inside the government, the action would have to be implemented in phases, given the ubiquity of the TP-Link router. The most practical approach would be to start by banning use in the federal and defense sectors.

The letter from the Congressional group to Commerce last summer cited a PRC government that has demonstrated a willingness to sponsor hacking campaigns using PRC-affiliated SOHO routers, “particularly those offered by the world’s largest manufacturer, TP-Link — and consider using its ICTS authorities to properly mitigate this glaring national security issue.” 

Matt Radolec, vice president of incident response and cloud operations at security company Varonis, says that the government is on the right track, and consumers should not ignore the issue even if the threat of a ban on home devices may not be imminent. “Banning routers from certain manufacturers is a sound security decision,” Radolec said. “Consumers, in general, should be aware of the implications to their personal privacy.”

The underlying problem with the TP-Link routers, he said, is unencrypted communication, and it is an issue where the public is underinformed.

“All unencrypted communications on these routers could be compromised, which is worrisome because intra-network communication is often unencrypted for performance’s sake. You’ll get faster internet speeds, but you could be risking your personal data,” Radolec said. 

Even if banking information, for instance, is encrypted, that wouldn’t protect all the unprotected personal data that passes through an unprotected, vulnerable home router.

“It’s time for the general public to be aware of the differences between encrypted and unencrypted communications, and browser and device manufacturers must do a better job informing the public about the privacy risks when you send your data over unencrypted links,” Radolec said. “I think we need to ask ourselves, as consumers, is that something we want to be potentially exposed to?”