The U.S. government is reportedly preparing to ban the sale of wireless routers and other networking gear from TP-Link Systems, a tech company that currently enjoys an estimated 50% market share among home users and small businesses. Experts say while the proposed ban may have more to do with TP-Link’s ties to China than any specific technical threats, much of the rest of the industry serving this market also sources hardware from China and ships products that are insecure fresh out of the box.
A TP-Link WiFi 6 AX1800 Smart WiFi Router (Archer AX20).
The Washington Post recently reported that more than a half-dozen federal departments and agencies were backing a proposed ban on future sales of TP-Link devices in the United States. The story said U.S. Department of Commerce officials concluded TP-Link Systems products pose a risk because the U.S.-based company’s products handle sensitive American data and because the officials believe it remains subject to jurisdiction or influence by the Chinese government.
TP-Link Systems denies that, saying that it fully split from the Chinese TP-Link Technologies over the past three years, and that its critics have vastly overstated the company’s market share (TP-Link puts it at around 30 percent). TP-Link says it has headquarters in California, with a branch in Singapore, and that it manufactures in Vietnam. The company says it researches, designs, develops and manufactures everything except its chipsets in-house.
TP-Link Systems told The Post it has sole ownership of some engineering, design and manufacturing capabilities in China that were once part of China-based TP-Link Technologies, and that it operates them without Chinese government supervision.
“TP-Link vigorously disputes any allegation that its products present national security risks to the United States,” Ricca Silverio, a spokeswoman for TP-Link Systems, said in a statement. “TP-Link is a U.S. company committed to supplying high-quality and secure products to the U.S. market and beyond.”
Cost is a big reason TP-Link devices are so prevalent in the consumer and small business market: As this February 2025 story from Wired observed regarding the proposed ban, TP-Link has long had a reputation for flooding the market with devices that are considerably cheaper than comparable models from other vendors. That price point (and consistently excellent performance ratings) has made TP-Link a favorite among Internet service providers (ISPs) that provide routers to their customers.
In August 2024, the chairman and the ranking member of the House Select Committee on the Strategic Competition Between the United States and the Chinese Communist Party called for an investigation into TP-Link devices, which they said were found on U.S. military bases and for sale at exchanges that sell them to members of the military and their families.
“TP-Link’s unusual degree of vulnerabilities and required compliance with PRC law are in and of themselves disconcerting,” the House lawmakers warned in a letter (PDF) to the director of the Commerce Department. “When combined with the PRC government’s common use of SOHO [small office/home office] routers like TP-Link to perpetrate extensive cyberattacks in the United States, it becomes significantly alarming.”
The letter cited a May 2023 blog post by Check Point Research about a Chinese state-sponsored hacking group dubbed “Camaro Dragon” that used a malicious firmware implant for some TP-Link routers to carry out a sequence of targeted cyberattacks against European foreign affairs entities. Check Point said while it only found the malicious firmware on TP-Link devices, “the firmware-agnostic nature of the implanted components indicates that a wide range of devices and vendors may be at risk.”
In a report published in October 2024, Microsoft said it was tracking a network of compromised TP-Link small office and home office routers that has been abused by multiple distinct Chinese state-sponsored hacking groups since 2021. Microsoft found the hacker groups were leveraging the compromised TP-Link systems to conduct “password spraying” attacks against Microsoft accounts. Password spraying involves rapidly attempting to access a large number of accounts (usernames/email addresses) with a relatively small number of commonly used passwords.
TP-Link rightly points out that most of its competitors likewise source components from China. The company also correctly notes that advanced persistent threat (APT) groups from China and other nations have leveraged vulnerabilities in products from their competitors, such as Cisco and Netgear.
But that may be cold comfort for TP-Link customers who are now wondering if it’s smart to continue using these products, or whether it makes sense to buy more costly networking gear that might only be marginally less vulnerable to compromise.
Almost without exception, the hardware and software that ships with most consumer-grade routers includes a number of default settings that need to be changed before the devices can be safely connected to the Internet. For example, bring a new router online without changing the default username and password and chances are it will only take a few minutes before it is probed and possibly compromised by some type of Internet-of-Things botnet. Also, it is incredibly common for the firmware in a brand new router to be dangerously out of date by the time it is purchased and unboxed.
Until quite recently, the idea that router manufacturers should make it easier for their customers to use these products safely was something of anathema to this industry. Consumers were largely left to figure that out on their own, with predictably disastrous results.
But over the past few years, many manufacturers of popular consumer routers have begun forcing users to perform basic hygiene — such as changing the default password and updating the internal firmware — before the devices can be used as a router. For example, most brands of “mesh” wireless routers — like Amazon’s Eero, Netgear’s Orbi series, or Asus’s ZenWifi — require online registration that automates these critical steps going forward (or at least through their stated support lifecycle).
For better or worse, less expensive, traditional consumer routers like those from Belkin and Linksys also now automate this setup by heavily steering customers toward installing a mobile app to complete the installation (this often comes as a shock to people more accustomed to manually configuring a router). Still, these products tend to put the onus on users to check for and install available updates periodically. Also, they’re often powered by underwhelming or else bloated firmware, and a dearth of configurable options.
Of course, not everyone wants to fiddle with mobile apps or is comfortable with registering their router so that it can be managed or monitored remotely in the cloud. For those hands-on folks — and for power users seeking more advanced router features like VPNs, ad blockers and network monitoring — the best advice is to check if your router’s stock firmware can be replaced with open-source alternatives, such as OpenWrt or DD-WRT.
These open-source firmware options are compatible with a wide range of devices, and they generally offer more features and configurability. Open-source firmware can even help extend the life of routers years after the vendor stops supporting the underlying hardware, but it still requires users to manually check for and install any available updates.
Happily, TP-Link users spooked by the proposed ban may have an alternative to outright junking these devices, as many TP-Link routers also support open-source firmware options like OpenWRT. While this approach may not eliminate any potential hardware-specific security flaws, it could serve as an effective hedge against more common vendor-specific vulnerabilities, such as undocumented user accounts, hard-coded credentials, and weaknesses that allow attackers to bypass authentication.
Regardless of the brand, if your router is more than four or five years old it may be worth upgrading for performance reasons alone — particularly if your home or office is primarily accessing the Internet through WiFi.
NB: The Post’s story notes that a substantial portion of TP-Link routers and those of its competitors are purchased or leased through ISPs. In these cases, the devices are typically managed and updated remotely by your ISP, and equipped with custom profiles responsible for authenticating your device to the ISP’s network. If this describes your setup, please do not attempt to modify or replace these devices without first consulting with your Internet provider.
I have found TP-Link products to be feature-rich ( I particularly appreciate the VPN support in their routers), and good value. I’m not surprised that they have a good market share, nor am I surprised that there is lobbying against them, pdrehaps as a result. As for vulnerabilities, is there ANY major nation state that’s trustworthy?
Another example of how US propaganda against China leads to morons panicking and seeking “Commies under every bed.”
It is the US itself which is the major threat to world peace, not China or Russia or Iran.
Anyone who believes otherwise is a moron completely ignorant of the negative impact of US geopolitical behavior since WWII (if not before.)
“It is the US itself which is the major threat to world peace, not China or Russia or Iran.”
Nope. The major threat to world peace are the enablers of authoritarian government – oligarchs. Their interests are driven by avarice and cruelty. All other priorities are secondary.
The major threat to world peace is people who overuse “moron.”
This proposed ban on TP-Link seems overly broad and could hurt consumers. It’s essential to balance security concerns with access to affordable technology. I hope there’s a thorough discussion before any final decisions are made.
“by heavily steering customers toward installing a mobile app to complete the installation (this often comes as a shock to people more accustomed to manually configuring a router).”
Count me as one of those people. I hate having to install an app on my phone or tablet to anything (I wonder how long it will be before I have to use an app to flush a toilet?).
The big reason for app hatred is then I have to check the app to see what information I am giving away on the app. Even if I bothered to understand all the permissions and actually read the privacy policy (even reading it doesn’t mean I understand it). Plus having all these app means I have to manage my screens on my phone and wonder about which apps are chewing up memory and bandwidth.
And then the update gods MUST be appeased.
I just finished reading a physical book. I didn’t have to charge it, update it, reboot it, worry about my privacy, or having it get hacked. I’m glad I updated all my networking equipment this year, which included TP-Link equipment.
Sigh, more yellow-peril scaremongering. The claims against TP-Link apply just as readily to pretty much every other manufacturer out there, including US ones. They’ve all got vulns, they’ve all been integrated into botnets at one time or another via those vulns, and app-based setup is an annoying creeping death that’s taking over more and more systems. So the only thing this move will do is (a) make things more expensive for almost everyone and (b) keep up the yellow-peril drumbeat coming from the US.
Such issues have long been of concern.
For several generations we have been well served by Apple Airport routers. AFAIK , they were the first to allow configuration, updates only by an app, and featured Apple proprietary code written in a language used by nasa (FWIW). They were rock solid performers which needed little care. They “just worked”.
Sadly Apple pulled the plug on Airports some years back. They subsequently stopped s/w updates a couple of years ago, and already/soon will not support Time Machine backups to Airport Time Capsule units.
It is ironic that with Apple’s efforts to facilitate the growth of smart homes, their emphasis on privacy and security, and ease of operation and maintenance, they abandoned a product segment that underpins all of these objectives.
If Apple relaunched Airport line, I would be in line to buy an Airport.
I have sold thousands of these TP-Link device and have yet to come across any foul play. They are easy to setup and use! The US Goverment needs to take of business and stay out of the public sector and go back to work.
I unmentioned resource about router security is routersecurity [ . ] org, hosted by Michael Horowitz. It is a remarkable compilation about the topic (his interest) with some specific thoughts about securing consumer routers along with other recommendations.
We really need more info on which tp-link routers are vulnerable, what the vulnerabilities are, and whether anything can be done (e.g., changing passwords) that will make them safer. If this is just a matter of anything made in China is bad, then half of the things in my house are a threat. If Commerce wants us to care about this in needs to divulge more info and prove it to us.