Banning TP-Link won't save America from its own terrible cybersecurity
Excellent reporting by Joseph Menn at The Washington Post ($):
More than a half-dozen federal departments and agencies backed a proposal to ban future sales of the most popular home routers in the United States on the grounds that the vendor’s ties to mainland China make them a national security risk, according to people briefed on the matter and a communication reviewed by The Washington Post.
Commerce officials concluded TP-Link Systems products pose a risk because the U.S.-based company’s products handle sensitive American data and because the officials believe it remains subject to jurisdiction or influence by the Chinese government. TP-Link Systems denies that, saying that it fully split from the Chinese TP-Link Technologies over the past three years.
…If imposed, the ban would be among the largest in consumer history and a possible sign that the East-West divide over tech independence is still deepening amid reports of accelerated Chinese government-supported hacking.
The short version is that the U.S. government wants to ban TP-Link routers because several U.S. federal agencies believe — rightly or wrongly — that there are sufficient links tying TP-Link to China, and that could theoretically allow the Chinese government to force TP-Link to act in some nefarious capacity against U.S. national interests. The subtext is that this ostensible Chinese government control could force TP-Link to roll out malicious updates, or suddenly block its products from working en masse, such as at a time that would be advantageous to China.
For its part, TP-Link vehemently denies any links to China following the split from its Chinese parent company. TP-Link is fully headquartered in California, and its routers are manufactured in a TP-Link-owned facility in Vietnam, neither of which — for the geography enthusiasts out there — are China.
An important caveat, of course, is that much of this proposed ban remains up in the air and without any final decision — at least as of the time of this publication. The Post notes that the ban may not go ahead under the Trump administration, or a settlement could be reached with TP-Link preventing a ban.
The Wall Street Journal ($) covered the story as far back as December 2024. Wired ($) has also detailed TP-Link's since-divested Chinese roots, as has independent journalist Brian Krebs in a recent blog post, which you should read. All of which is to say, there have been rumblings for some time that this ban may be in the works.
With absolutely no skin in the game — I'm not a TP-Link customer, and I kinda hate how the internet has turned out at large — I don't think banning TP-Link over its alleged ties to China will make the U.S. any meaningfully safer or better defended from cyberthreats. China, or any other advanced malicious actor in cyberspace, doesn't need to control a router manufacturer in order to spy on people's communications or prepare for causing widespread societal disruption. It's already possible to hack and take control of enormous clusters of internet-connected devices effectively, thanks to years of security rot that has opened the U.S. to the very cybersecurity threats that it's trying to avoid. And there's no hard evidence to suggest TP-Link makes products that are any more susceptible to security flaws than across the wider industry.
~this week in security~ is my weekly cybersecurity newsletter supported by readers like you. Please consider signing up for a paying subscription starting at $10/month for exclusive articles, analysis, and more.
Routers are our gateways to the internet, whether your home Wi-Fi router box or the racks of networking gear at your office. But these devices have always been a hotbed of security flaws. Router security is an industry-wide problem; a by-product of selling a one-off piece of hardware that the manufacturer then has to keep supported with software updates for several years after the sale. Consumers don't buy routers very regularly, and the companies selling routers haven't tended to make much money from them.
This means many routers on the internet today are easy targets, and not always because the hackers are targeting a specific victim. In reality, routers can also get ensnared by automated attacks that rely on mass-exploiting the same vulnerability across the entire internet. These attacks often abuse really simple security flaws, such as default passwords that have never been changed, which let the hackers log in to your router as if they were you. From there, hackers make configuration changes that make it easier to take control of your router and the network traffic that flows through it — and this can happen silently and without your knowledge.
By taking control of a large number of hijacked routers, hackers can launch distributed denial-of-service (DDoS) attacks, which harness the collective internet traffic of thousands of hacked routers (known as a botnet) to pummel websites with huge amounts of junk internet traffic, knocking them offline. In other cases, hacked routers can be used passively as part of residential proxy networks, in which hackers and their malware funnel their malicious internet traffic through residential home routers so that the data looks less suspicious coming from an ordinary home address than, say, the Ministry of State Security in China.
There have been a lot of router security flaws over the years — some worse than others — leading to massive botnets capable of launching large-scale disruptive cyberattacks. CISA's running catalog of security vulnerabilities that have been actively exploited in hacking campaigns since 2021 shows that, to date, TP-Link has had at least six actively exploited bugs, while router-making rivals Juniper had at least eight, SonicWall had 14, D-Link had 24, and Cisco had at least 80. There are no angels here.
The best solution is to build routers with as much foundational security as possible, so that they can't be ensnared in cyberattacks — whether by way of government-sanctioned malicious software updates, or by being absorbed into a botnet made up of thousands of hacked devices. These aren't novel concepts, from using open-source software and updates so that no backdoors can be slipped in without being noticed, all the way through to removing default passwords so that every device sold has a unique login mechanism. Long-term goals can include switching to memory-safe coding languages, which can eradicate an entire class of common security flaws that hackers have historically used to compromise routers.
The good news is that, generally speaking, routers sold today are more secure than routers that have already been on the internet for half a decade or more, so the industry is making some progress.
Router security has also improved in recent years, thanks to legislation passed in California, as well as the United Kingdom and beyond, effectively banning the sale of internet-connected devices that ship with default passwords and enforcing other basic cybersecurity measures. Plus, there has been a concerted effort by cybersecurity folks urging companies to employ Secure by Design principles, which bake defensive cybersecurity practices into the product design cycle. Even the hardware manufacturers now realize that cybersecurity is a selling point for consumers these days, especially for critical technologies like internet-connected devices.
With that in mind, if you can't remember the last time you replaced (or updated) your router, then it's probably been too long — and now would be a good time to check.
Thank you so much for reading ~this week in security~! Please reach out with any feedback, questions, or comments about this article: this@weekinsecurity.com.