TP-Link routers may be banned next year. Are they really dangerous?



If you’ve purchased a Wi-Fi router in the past year, it’s very likely that it was manufactured by TP-Link. That may not be possible in 2025.

Investigators in the Departments of Commerce, Defense, and Justice have all opened investigations into the company over its ties to Chinese cyberattacks and are considering a possible ban on the sale of TP-Link routers, according to a Wall Street Journal article published last week.

TP-Link has become increasingly dominant in the US router market since the outbreak of the pandemic. According to the Journal’s report, it has grown from 20% of total router sales in 2019 to about 65% this year. TP-Link disputed those numbers to CNET, and a separate analysis from IT platform Lansweeper found that 12% of home routers in the US are TP-Link.

Although there have been high-profile cyberattacks involving TP-Link routers, this potential ban has more to do with the company’s ties to China than specific security issues that have been publicly identified, according to cybersecurity researchers I spoke with.

“People expect there to be some smoking gun or something in these devices from Chinese manufacturers, and what you end up finding is the exact same problems in every device. It’s not like the Chinese devices are blatantly unsafe,” Thomas Pace, CEO of cybersecurity firm NetRise and a former security contractor for the Department of Energy, told CNET. “It’s not the risk. The risk lies in the institutional structure of every Chinese company.”

TP-Link was founded in 1996 by brothers Zhao Jianjun and Zhao Jiaxing in Shenzhen, China. In October, it moved its headquarters to Irvine, California, two months after the House of Representatives announced an investigation into the company. The company told CNET that it previously operated dual headquarters in Singapore and Irvine. Its newly opened headquarters in Shenzhen won an architecture prize in 2017.


In my conversations with TP-Link representatives over the past few days, they have repeatedly distanced themselves from ties with China.

“TP-Link has a secure, vertically integrated, and U.S.-owned international supply chain,” a TP-Link representative told CNET. “Almost all products sold in the United States are manufactured in Vietnam.”

However, the US government appears to view TP-Link as a Chinese entity. In August, the House Select Committee on the Communist Party of China urged an investigation into the company.

“TP-Link’s extraordinary degree of vulnerability and required compliance with (Chinese) law is alarming in itself,” the lawmakers wrote. “When this is coupled with the (Chinese) government’s common use of (home office) routers like TP-Link to commit large-scale cyberattacks in the United States, it becomes incredibly concerning.”

In response to a request for comment, a TP-Link representative told CNET: “Like many consumer electronics brands, TP-Link Systems’ routers have been identified as potential targets for hackers. However, there is no evidence to suggest that our products are more vulnerable than other brand products.”

CNET has several TP-Link models on our lists of the best Wi-Fi routers, and we’ll be watching this story closely to see if we need to reevaluate those choices. Although our rating of the devices hasn’t changed, we’re pausing our recommendations for TP-Link routers until we learn more.


The ban has more to do with TP-Link’s ties to China than a known technical issue

All the cybersecurity experts I spoke to agreed that TP-Link has security flaws — but so do all router companies. It’s not clear whether the government has found a new issue that would lead to a potential ban on TP-Link sales.

The Wall Street Journal article cited federal contracting documents that show TP-Link routers were purchased by agencies from the National Aeronautics and Space Administration to the Department of Defense and the Drug Enforcement Administration.

The potential ban comes at a time when bipartisan support for extracting Chinese products from American communications is growing in Washington. In an attack revealed last October, called “Salt Typhoon,” Chinese hackers reportedly broke into the networks of US ISPs such as AT&T, Verizon and Lumen, which owns CenturyLink and Quantum Fiber.

Brendan Carr, Trump’s pick to head the Federal Communications Commission, said in an interview with CNBC that the recent intelligence briefing on the Salt Typhoon attack “made me want to smash my phone at the end of the attack.”

“In many ways, the horse is out of the barn at this point,” Carr said. “And we need all hands on deck to try to address this and rein it in.”

TP-Link has not been linked to the Salt Typhoon attacks, but the episode shows the current temperature of perceived threats from China.


The government may have identified a vulnerability in TP-Link, but we don’t know for sure

Several cybersecurity experts I spoke with believe it’s likely that intelligence agencies found something with TP-Link that would warrant a ban.

“I believe this comes from deeper intelligence within the US government. This usually happens before the information becomes public,” Guido Patanella, senior vice president of engineering at Lansweeper, told CNET.

In 2019, then-President Donald Trump issued an executive order that effectively banned US companies from using networking equipment from Huawei, another Chinese company that has been criticized over national security concerns.

Pace, NetRise’s CEO, told me he believed there was likely a “zero-day” vulnerability in TP-Link devices — a term for a hidden flaw that the vendor has had zero days to fix — but he was quick to point out that there was no evidence to support that.

“But at least this claim is based on the kind of reality that we recognize exists, which is that the People’s Republic of China is involved in every Chinese company. And that is undeniable,” Pace said.


TP-Link has known security flaws, but so do all router companies

A TP-Link representative directed us to the Cybersecurity and Infrastructure Security Agency’s (CISA) list of Known Exploited Vulnerabilities (KEV). TP-Link has two entries on the list, compared to eight for Netgear and 20 for D-Link; other popular router brands like Asus, Linksys, and Eero don’t have any.

By that measure, TP-Link isn’t exceptional in either direction, but the measure itself may not be very useful.

“The problem with the CISA KEV (list) is that if everything is on the list, how good is that list?” Pace said. “Basically, every communications device on the planet has at least one CISA KEV vulnerability. It’s a big problem for which there are no great answers.”

There have also been several cybersecurity reports that have specifically singled out TP-Link. The most high-profile came in October, when Microsoft released details of a password-spraying attack that it had tracked for more than a year. In this type of attack, hackers use one shared password to try to access multiple accounts.

Microsoft referred to the attack as “nation-state threat actor activity” and said TP-Link made up most of the routers used.

In May 2023, Check Point Research also identified a firmware implant in TP-Link routers linked to a Chinese state-sponsored hacking group. In this case, the campaign targeted European foreign affairs entities. However, researchers confirmed that the attack was written in a “firmware-neutral” manner and was not designed to specifically exploit TP-Link.

“While our analysis focused on its presence in TP-Link’s modified firmware, previous incidents show that similar implants and backdoors have been used in devices from various manufacturers, including US-based ones,” Itai Cohen, one of the authors of the Check Point Research report, told CNET.

“The broader implication is that this implantation is not about targeting a specific brand – rather, it is part of a larger strategy to exploit systemic vulnerabilities in the internet infrastructure.”

Cohen said he doesn’t think banning TP-Link would improve security much. As I’ve heard from other researchers, the security issues identified are not unique to one company.

“The vulnerabilities and risks associated with routers are largely systemic and apply to a wide range of brands, including those manufactured in the United States,” Cohen said. “We do not believe that the implant we found was known to TP-Link or was intentionally introduced as a back door to their products.”


Is it safe to use a TP-Link router?

There are real risks associated with using a TP-Link router, but there is a certain level of risk no matter what brand of router you use. In general, cyberattacks linked to Chinese actors have targeted research centers, government organizations, NGOs, and Department of Defense suppliers, according to the Journal’s report.

“I don’t think the average person would have this huge target on their back,” Pace told CNET. “They tend to go after the things they want to go after.”

However, these types of attacks are often random, with the goal of creating a chain of nodes between infected routers and hackers.

“This means that ordinary users are at risk of being targeted as part of a broader attack campaign, even if they are not targeted individually,” said Cohen, the researcher at Check Point Security.

How to protect yourself if you have a TP-Link router

To keep your network safe and secure, you need to follow the same steps whether you have a TP-Link router or any other brand. Here’s what experts recommend:

  • Keep your firmware updated: One of the most common ways hackers gain access to your network is through outdated firmware. TP-Link told us that customers with TP-Link Cloud accounts can simply click the “Check for updates” button in their product’s firmware menu when logging into the TP-Link app or website. You can also find the latest updates at TP-Link’s Download Center.
  • Strengthen your credentials: If you’ve never changed the default login credentials on your router, now is a good time to do so. Weak passwords are the reason behind many of the most common attacks. “Devices that use default or weak passwords are easy targets,” Cohen told CNET. “Default or simple passwords can easily be forced or guessed.” Most routers have an app that lets you update your login credentials, but you can also type your router’s IP address into your browser’s URL bar. These credentials are different from your Wi-Fi network name and password, which should also be changed every six months or so. The longer and more random the password, the better.
  • Consider using a VPN service: For an extra layer of protection, a VPN will encrypt all of your internet traffic and prevent your internet provider (or anyone else) from tracking the websites or apps you use. Find CNET’s picks for the best VPN services here.




