The Government May Ban TP-Link Routers This Year

TP-Link makes some of the most popular routers in the country, but they might not be available in the U.S. for long. Investigators from the Commerce, Defense, and Justice departments have launched probes into the company over its ties to Chinese cyberattacks. According to a Wall Street Journal article published last week, these departments are considering a possible ban on the sale of TP-Link routers.

TP-Link has quickly come to dominate the U.S. router market since the pandemic. Its share of total router sales has grown from 20% in 2019 to nearly 65% this year, the Journal reports.

TP-Link disputed these numbers to CNET, and a separate analysis by IT platform Lansweeper found that 12% of home routers in the U.S. are from TP-Link.

Although there have been high-profile cyberattacks involving TP-Link routers, according to the cybersecurity researchers I spoke to, this potential ban is more about the company’s ties to China than the specific security issues that have been publicly identified.

“People expect that these devices from Chinese manufacturers will have some sort of vulnerability, but in the end you end up finding the same problems in every device,” Thomas Pace, CEO of cybersecurity firm NetRise and a former security contractor for the Department of Energy, told CNET. “It’s not that Chinese devices are so vulnerable. It’s not that the risk is there. The risk is in the corporate structure of every Chinese company.”

TP-Link was founded in 1996 in Shenzhen, China, by brothers Zhao Jianjun and Zhao Jiaxing. In October, it moved its headquarters to Irvine, California, two months after the House announced an investigation into the company.

The company told CNET that it previously operated dual headquarters in Singapore and Irvine. In my conversations with TP-Link representatives over the past few weeks, they have repeatedly distanced themselves from ties with China.

“TP-Link has a secure, vertically integrated, and U.S.-owned international supply chain,” a TP-Link representative told CNET. “Virtually all of its products sold in the United States are manufactured in Vietnam.”

Still, the U.S. government views TP-Link as a Chinese entity. In August, the House Select Committee on the Chinese Communist Party urged an investigation of the company.

“TP-Link’s unusual vulnerabilities and required compliance with [Chinese] law are troubling in and of themselves,” the lawmakers wrote. “When combined with the [Chinese] government’s common use of [home office] routers like TP-Link to execute widespread cyberattacks on the United States, it becomes significantly more concerning.”

When asked for comment, a TP-Link representative told CNET, “Like many consumer electronics brands, TP-Link systems’ routers have been identified as potential targets of hackers. However, there is no evidence to suggest that our products are more vulnerable than other brands.”

CNET has several TP-Link models on our list of the best Wi-Fi routers and we’ll be monitoring this story closely to see if we need to reevaluate those choices. Although our assessment of the hardware hasn’t changed, we’re holding off on our recommendations of TP-Link routers until we know more.

The ban is about TP-Link’s ties to China, not a known technical issue

The cybersecurity experts I spoke to all agreed that TP-Link had security flaws, but not all router companies believe the same. It’s unclear whether the government has found any new issues that could lead to a potential ban on TP-Link sales.

The Wall Street Journal article cites federal contract documents that show TP-Link routers have been purchased by agencies ranging from the National Aeronautics and Space Administration to the Department of Defense and the Drug Enforcement Administration.

The potential ban comes at a time in Washington when bipartisan support is growing to remove Chinese products from U.S. telecommunications. In an attack called Salt Typhoon in October, Chinese hackers reportedly broke into the networks of U.S. internet providers such as AT&T, Verizon and Lumen, which owns CenturyLink and Quantum Fiber.

“Vulnerabilities in embedded devices are not limited to any one manufacturer or country of origin,” said Sonu Shankar, chief product officer at Phosphorus Cybersecurity. “Nation-state actors often exploit vulnerabilities in devices from vendors around the world, including those sold by U.S. manufacturers.”

Brendan Carr, Trump’s pick to head the Federal Communications Commission, said in an interview with CNBC that the recent intelligence briefing on the Salt Typhoon attack “made me want to break my phone at the end of it.”

“In many ways, the horse is out of the barn at this point,” Carr said. “And we need all hands on deck to address it and rein it in.”

TP-Link has not been linked to the Salt Typhoon attacks, but the episode reflects the rising temperature around alleged threats from China.
