The U.S. government is reportedly preparing to ban the sale of wireless routers and other networking gear from TP-Link Systems, a tech company that currently enjoys an estimated 50% market share among home users and small businesses. Experts say while the proposed ban may have more to do with TP-Link’s ties to China than any specific technical threats, much of the rest of the industry serving this market also sources hardware from China and ships products that are insecure fresh out of the box.

A TP-Link WiFi 6 AX1800 Smart WiFi Router (Archer AX20).
The Washington Post recently reported that more than a half-dozen federal departments and agencies were backing a proposed ban on future sales of TP-Link devices in the United States. The story said U.S. Department of Commerce officials concluded TP-Link Systems products pose a risk because the U.S.-based company’s products handle sensitive American data and because the officials believe it remains subject to jurisdiction or influence by the Chinese government.
TP-Link Systems denies that, saying that it fully split from the Chinese TP-Link Technologies over the past three years, and that its critics have vastly overstated the company’s market share (TP-Link puts it at around 30 percent). TP-Link says it has headquarters in California, with a branch in Singapore, and that it manufactures in Vietnam. The company says it researches, designs, develops and manufactures everything except its chipsets in-house.
TP-Link Systems told The Post it has sole ownership of some engineering, design and manufacturing capabilities in China that were once part of China-based TP-Link Technologies, and that it operates them without Chinese government supervision.
“TP-Link vigorously disputes any allegation that its products present national security risks to the United States,” Ricca Silverio, a spokeswoman for TP-Link Systems, said in a statement. “TP-Link is a U.S. company committed to supplying high-quality and secure products to the U.S. market and beyond.”
Cost is a big reason TP-Link devices are so prevalent in the consumer and small business market: As this February 2025 story from Wired observed regarding the proposed ban, TP-Link has long had a reputation for flooding the market with devices that are considerably cheaper than comparable models from other vendors. That price point (and consistently excellent performance ratings) has made TP-Link a favorite among Internet service providers (ISPs) that provide routers to their customers.
In August 2024, the chairman and the ranking member of the House Select Committee on the Strategic Competition Between the United States and the Chinese Communist Party called for an investigation into TP-Link devices, which they said were found on U.S. military bases and for sale at exchanges that sell them to members of the military and their families.
“TP-Link’s unusual degree of vulnerabilities and required compliance with PRC law are in and of themselves disconcerting,” the House lawmakers warned in a letter (PDF) to the director of the Commerce Department. “When combined with the PRC government’s common use of SOHO [small office/home office] routers like TP-Link to perpetrate extensive cyberattacks in the United States, it becomes significantly alarming.”
The letter cited a May 2023 blog post by Check Point Research about a Chinese state-sponsored hacking group dubbed “Camaro Dragon” that used a malicious firmware implant for some TP-Link routers to carry out a sequence of targeted cyberattacks against European foreign affairs entities. Check Point said while it only found the malicious firmware on TP-Link devices, “the firmware-agnostic nature of the implanted components indicates that a wide range of devices and vendors may be at risk.”
In a report published in October 2024, Microsoft said it was tracking a network of compromised TP-Link small office and home office routers that has been abused by multiple distinct Chinese state-sponsored hacking groups since 2021. Microsoft found the hacker groups were leveraging the compromised TP-Link systems to conduct “password spraying” attacks against Microsoft accounts. Password spraying involves rapidly attempting to access a large number of accounts (usernames/email addresses) with a relatively small number of commonly used passwords.
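To make that definition concrete from the defender's side, here is an added example (not from Microsoft's report or the original article) that runs two detection rules over constructed sign-in records: a per-account lockout counter and a per-source breadth check. The log format, thresholds and function names are assumptions made for illustration.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts ip account ok")

# Constructed sign-in records: timestamp, source IP, account, result.
# IPs are from RFC 5737 documentation ranges; accounts are made up.
SAMPLE_LOG = """\
2024-10-01T09:00:00 198.51.100.7 alice@example.com FAIL
2024-10-01T09:00:20 198.51.100.7 bob@example.com FAIL
2024-10-01T09:00:40 198.51.100.7 carol@example.com FAIL
2024-10-01T09:01:00 198.51.100.7 dave@example.com FAIL
2024-10-01T09:01:20 198.51.100.7 erin@example.com FAIL
2024-10-01T09:01:40 198.51.100.7 frank@example.com FAIL
2024-10-01T09:02:00 198.51.100.7 alice@example.com FAIL
2024-10-01T09:03:00 203.0.113.20 grace@example.com FAIL
2024-10-01T09:03:10 203.0.113.20 grace@example.com FAIL
2024-10-01T09:03:20 203.0.113.20 grace@example.com OK
2024-10-01T09:05:00 192.0.2.44 heidi@example.com FAIL
2024-10-01T09:05:05 192.0.2.44 heidi@example.com FAIL
2024-10-01T09:05:10 192.0.2.44 heidi@example.com FAIL
2024-10-01T09:05:15 192.0.2.44 heidi@example.com FAIL
2024-10-01T09:05:20 192.0.2.44 heidi@example.com FAIL
2024-10-01T09:05:25 192.0.2.44 heidi@example.com FAIL
"""


def parse(log):
    """Turn the assumed four-column log format into Event tuples."""
    events = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, ip, account, result = parts
        events.append(Event(datetime.fromisoformat(ts), ip,
                            account.lower(), result == "OK"))
    return events


def lockout_hits(events, threshold=5):
    """Classic per-account rule: accounts with many failed sign-ins."""
    fails = defaultdict(int)
    for e in events:
        if not e.ok:
            fails[e.account] += 1
    return {account for account, n in fails.items() if n >= threshold}


def spray_sources(events, window=timedelta(minutes=10),
                  min_accounts=5, max_avg_tries=2.0):
    """Sources whose failures are broad (many accounts) and shallow
    (few tries per account) inside a sliding time window."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if not e.ok:
            by_src[e.ip].append(e)
    flagged = {}
    for ip, fails in by_src.items():
        start = 0
        for end in range(len(fails)):
            while fails[end].ts - fails[start].ts > window:
                start += 1
            span = fails[start:end + 1]
            accounts = {e.account for e in span}
            broad = len(accounts) >= min_accounts
            shallow = len(span) / len(accounts) <= max_avg_tries
            # Keep the widest qualifying window seen for this source.
            if broad and shallow and len(accounts) > len(flagged.get(ip, ())):
                flagged[ip] = accounts
    return flagged


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print("lockout rule:", lockout_hits(events))
    print("breadth rule:", spray_sources(events))
```

With the sample data, the lockout counter only catches the repeated guessing against a single account from 192.0.2.44, while the breadth check flags 198.51.100.7, whose failures touch six accounts once or twice each. Activity spread across many compromised routers would need the same check grouped on something broader than a single IP address.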
TP-Link rightly points out that most of its competitors likewise source components from China. The company also correctly notes that advanced persistent threat (APT) groups from China and other nations have leveraged vulnerabilities in products from its competitors, such as Cisco and Netgear.
But that may be cold comfort for TP-Link customers who are now wondering if it’s smart to continue using these products, or whether it makes sense to buy more costly networking gear that might only be marginally less vulnerable to compromise.
Almost without exception, the hardware and software that ships with most consumer-grade routers includes a number of default settings that need to be changed before the devices can be safely connected to the Internet. For example, bring a new router online without changing the default username and password and chances are it will only take a few minutes before it is probed and possibly compromised by some type of Internet-of-Things botnet. Also, it is incredibly common for the firmware in a brand new router to be dangerously out of date by the time it is purchased and unboxed.
Until quite recently, the idea that router manufacturers should make it easier for their customers to use these products safely was something of anathema to this industry. Consumers were largely left to figure that out on their own, with predictably disastrous results.
But over the past few years, many manufacturers of popular consumer routers have begun forcing users to perform basic hygiene — such as changing the default password and updating the internal firmware — before the devices can be used as a router. For example, most brands of “mesh” wireless routers — like Amazon’s Eero, Netgear’s Orbi series, or Asus’s ZenWifi — require online registration that automates these critical steps going forward (or at least through their stated support lifecycle).
For better or worse, less expensive, traditional consumer routers like those from Belkin and Linksys also now automate this setup by heavily steering customers toward installing a mobile app to complete the installation (this often comes as a shock to people more accustomed to manually configuring a router). Still, these products tend to put the onus on users to check for and install available updates periodically. Also, they often ship with underwhelming or else bloated firmware, and offer a dearth of configurable options.
Of course, not everyone wants to fiddle with mobile apps or is comfortable with registering their router so that it can be managed or monitored remotely in the cloud. For those hands-on folks — and for power users seeking more advanced router features like VPNs, ad blockers and network monitoring — the best advice is to check if your router’s stock firmware can be replaced with open-source alternatives, such as OpenWrt or DD-WRT.
These open-source firmware options are compatible with a wide range of devices, and they generally offer more features and configurability. Open-source firmware can even help extend the life of routers years after the vendor stops supporting the underlying hardware, but it still requires users to manually check for and install any available updates.
Happily, TP-Link users spooked by the proposed ban may have an alternative to outright junking these devices, as many TP-Link routers also support open-source firmware options like OpenWrt. While this approach may not eliminate any potential hardware-specific security flaws, it could serve as an effective hedge against more common vendor-specific vulnerabilities, such as undocumented user accounts, hard-coded credentials, and weaknesses that allow attackers to bypass authentication.
Regardless of the brand, if your router is more than four or five years old it may be worth upgrading for performance reasons alone — particularly if your home or office is primarily accessing the Internet through WiFi.
NB: The Post’s story notes that a substantial portion of TP-Link routers and those of its competitors are purchased or leased through ISPs. In these cases, the devices are typically managed and updated remotely by your ISP, and equipped with custom profiles responsible for authenticating your device to the ISP’s network. If this describes your setup, please do not attempt to modify or replace these devices without first consulting with your Internet provider.

I have found TP-Link products to be feature-rich (I particularly appreciate the VPN support in their routers), and good value. I’m not surprised that they have a good market share, nor am I surprised that there is lobbying against them, perhaps as a result. As for vulnerabilities, is there ANY major nation state that’s trustworthy?
So the supposition that other nation states COULD be threatening is somehow justification for using products influenced by a CONFIRMED cyber enemy and nemesis to our intellectual property and state secrets? Ok….
*shrugs*
There is a reason crypto used to be ‘marked’ “NOT FOR EXPORT”.
Pretty much every modern network device uses some form of ‘advanced crypto’, even if people do not generally recognize it as such.
Maybe the NIST is just gently relearning the dangers of common cryptography standards with Asian countries. Crypto is baked in.
Government contractors with TS-SCI w/poly clearances (and people without them) pretty much all have home routers now, with generally longer-range connectivity.
It doesn’t take a Wendy Testaberger (spelling?) to get a grasp on the potential ramifications of a potential weakness for even a single use and unfortunate timing.
Another example of how US propaganda against China leads to morons panicking and seeking “Commies under every bed.”
It is the US itself which is the major threat to world peace, not China or Russia or Iran.
Anyone who believes otherwise is a moron completely ignorant of the negative impact of US geopolitical behavior since WWII (if not before.)
“It is the US itself which is the major threat to world peace, not China or Russia or Iran.”
Nope. The major threat to world peace are the enablers of authoritarian government – oligarchs. Their interests are driven by avarice and cruelty. All other priorities are secondary.
The major threat to world peace is people who overuse “moron.”
>> It is the US itself which is the major threat to world peace, not China or Russia or Iran.
I’d say all four of them are a threat to world peace. The enemy of your enemy is not necessarily your friend.
He might just be another enemy.
This proposed ban on TP-Link seems overly broad and could hurt consumers. It’s essential to balance security concerns with access to affordable technology. I hope there’s a thorough discussion before any final decisions are made.
“by heavily steering customers toward installing a mobile app to complete the installation (this often comes as a shock to people more accustomed to manually configuring a router).”
Count me as one of those people. I hate having to install an app on my phone or tablet to anything (I wonder how long it will be before I have to use an app to flush a toilet?).
The big reason for app hatred is then I have to check the app to see what information I am giving away on the app. Even if I bothered to understand all the permissions and actually read the privacy policy (even reading it doesn’t mean I understand it). Plus having all these apps means I have to manage my screens on my phone and wonder about which apps are chewing up memory and bandwidth.
And then the update gods MUST be appeased.
I just finished reading a physical book. I didn’t have to charge it, update it, reboot it, worry about my privacy, or having it get hacked. I’m glad I updated all my networking equipment this year, which included TP-Link equipment.
Me too. First thing I do with any WiFi router is change the factory supplied password and update the firmware.
Sigh, more yellow-peril scaremongering. The claims against TP-Link apply just as readily to pretty much every other manufacturer out there, including US ones. They’ve all got vulns, they’ve all been integrated into botnets at one time or another via those vulns, and app-based setup is an annoying creeping death that’s taking over more and more systems. So the only thing this move will do is (a) make things more expensive for almost everyone and (b) keep up the yellow-peril drumbeat coming from the US.
Such issues have long been of concern.
For several generations we have been well served by Apple Airport routers. AFAIK, they were the first to allow configuration, updates only by an app, and featured Apple proprietary code written in a language used by NASA (FWIW). They were rock solid performers which needed little care. They “just worked”.
Sadly Apple pulled the plug on Airports some years back. They subsequently stopped s/w updates a couple of years ago, and already/soon will not support Time Machine backups to Airport Time Capsule units.
It is ironic that with Apple’s efforts to facilitate the growth of smart homes, their emphasis on privacy and security, and ease of operation and maintenance, they abandoned a product segment that underpins all of these objectives.
If Apple relaunched Airport line, I would be in line to buy an Airport.
That product is still available marketed as Unifi by Ubiquiti. This company was formed by the former Airport division employees. Switched to them after my own TP link concerns particularly regarding IP traffic mirror functions built into the product.
I have sold thousands of these TP-Link devices and have yet to come across any foul play. They are easy to setup and use! The US Government needs to take care of business and stay out of the public sector and go back to work.
I audited TP-Link, Dlink, and some other network-related products intermittently between 2009 and 2017. I found some particularly concerning things in 2013-2015 (around the same time as the Meltdown and Rowhammer issues were found; I remember researching TP-Link in October 2014 through September 2015).
There are good reasons to be wary of companies like TP-Link and Huawei.
I’d actually be interested in real details of your audits. Did you write some research-papers?
Else it sounds the same as the fear mongering the US gov is attempting.
An unmentioned resource about router security is routersecurity [ . ] org, hosted by Michael Horowitz. It is a remarkable compilation about the topic (his interest) with some specific thoughts about securing consumer routers along with other recommendations.
We really need more info on which tp-link routers are vulnerable, what the vulnerabilities are, and whether anything can be done (e.g., changing passwords) that will make them safer. If this is just a matter of anything made in China is bad, then half of the things in my house are a threat. If Commerce wants us to care about this it needs to divulge more info and prove it to us.
Obviously it’s quite risky to have American data running on so many home routers from a Chinese company. Whether it has ties with China or not, the company would say the same thing. But why can’t any American tech company or any non-Chinese company build excellent low-cost home routers?
The trouble is your data runs not only over YOUR home router but every router on the route between you and each site/server you interact with. Even if you bought a router for your home from a country you trusted then your data would still almost certainly flow over at least one Chinese router on its journey between you and a web server, as you have no control of where these routers come from.
It’s important to keep the risk in perspective. Provided you are using TLS, as the vast majority of Internet traffic is, the content of your traffic is opaque to your router, which can only see the source address, destination address, port number and an encrypted blob of content. Although that reduces what a malicious or compromised router could do, some risks remain. In principle it could still be used to block access to certain sites (at least if you didn’t use a VPN) or types of traffic, block all Internet access, or monitor which sites you visit and report back to whoever controls it. The same is true of your ISP of course.
should’ve listened to my warnings there, huawei gay chatham.
Argh, I thought this FUD campaign petered out. For anyone new to this dumpster fire, because some users left their management interface (think https://192.168.1.1) wide open to the internet and were compromised, somehow this witch hunt started. News flash, opening management interfaces to the internet being a vulnerability is not unique to any brand of router. Sophos XG won’t even allow it, one must allowlist to public IP addresses.
No, it’s not because of that, it’s because of TP-Link being insecure crap owned by the Chinese.
It’s not just routers that are an issue. TP-Link has the Tapo line of home automation devices.
Checking the open source code for some of it I found heavily outdated code – even if it’s not been updated since launch, it’d likely have been vulnerable then. This is for stuff designed to take photos and video at home.
They do have a firmware updater in the app, but on the forum it was revealed that said updates have also broken things like streaming video to third party devices at times.
The day when Brian hates Trump so much he downplay Chinese crap hardware and their ties to the Chinese government, have come.
not sure whose uncle you are purporting to be, but you may have noticed that the article does not mention the current US president anywhere.
If you claim to explain something with an alleged claim that was not even mentioned in the source, you are hurling your body out of the window of reason with a surprising stamina, without knowing at all from which floor you jumped or how padded/hard the ground may be.
I find this kind of “thinking” – if the US politicians can even do that – interesting. Last I checked Dell products, for example, are also all showing “Made in China” labels. Weirdly none of those politicians are crying wolf about that.
In relation to the app configs – if there is no way around the forced app BS I will never buy that product, as simple as.
These are garbage routers. I volunteer at a thrift store, and TP-Link routers are a common donation. I have seen a bunch of them that flat out are dead. But if you run them they are slow. Not so much in the Bps in vs Bps out, but the in between part (message processing) is very slow. Maybe it’s trying to send too much info to their Chinese servers? I wouldn’t own one. Yes, they are cheap, but not worth it. Get an ASUS router, they are far better.
“they are far better”
-> There are reports of an ongoing botnet campaign targeting ASUS routers to deploy persistent Secure Shell (SSH) backdoors. Users and administrators of affected products are advised to upgrade to the latest versions as soon as possible.
ALL hardware is prone to having issues, there is no exception. Also I am not surprised that you’re seeing a “bunch of TP-Link routers” in thrift stores. Market share dictates that 🙂
I began replacing all our TP-Link SOHO equipment a few years ago when the first major vulnerabilities became known. Strictly going with a normal EOL attrition rate. We’re nearly done with them entirely. Not an emergency, but something worth doing over time, at least back then. Now, I would be much more worried about it and probably require a 6 month rip and replace operation. As it stands, we’ll hit that window with something like 10 of 70 sites left to go. I’d tell you what I was using instead, but I don’t tell the Internet what to attack next.
Your post on such an interesting subject has left me speechless. I regularly check out your blogs and stay current by reading the material that you offer; nevertheless, the blog that you have posted today is the one that I appreciate the most.
I would take the fearmongering more seriously if equally vigorous critical analysis were applied to other brands. As a consumer we can only work with the alternatives in front of us, and I know of no reason why other brands do not share similar geopolitical risk when you get down to the lowest-level underlying components. And from what bits and pieces I know, other brands don’t have a superior history of discovered vulnerabilities. None are spotless, AFAIK, in the consumer space.
At the highest level, my experience with TP-Link has been pretty good. The user interface is easy to understand and manage, they last as long as any other router, they are moderately priced at most, and in many cases (including my own) I can flash OpenWRT firmware when it runs out of support. The only bad experience I had, if it can even be called that, is that official support ran out rather quickly, maybe 3 years from model release … and through a combo of a) not buying mine near the model release date, but much later, and b) not deploying it til I needed it, that end-of-support hit me kind of quickly. But thankfully OpenWRT is easy to flash.
I understand that there can be sneaky, unwanted code beneath the firmware level, perhaps in chips. And no, of course I don’t want that. But: is that risk factor any more favorable under other brands? Not that I’m aware of. I’d be glad to learn more about my options and risks, though.
I came here to read Brian’s article, which I found interesting and, as always, informative and well-researched. Then I read the comments made to the article, and feel I should say this…
Some of the reasons the USA is, for me, the major security threat in this world of ours are on show for all to see in this thread. Different points of view are responded to, by some, with hateful language, or more-precisely language mis-used to signify prejudice or hate (such as ‘moron’, ‘gay’ and the like as used above).
Even such mis-guided comments like “The day when Brian hates Trump so much … have come” are an obvious attempt to harass, and mis-label the author (Brian), seemingly by an ‘accusation’ (in their mind) that ‘discredits’ him.
Let’s be clear here, there are those in positions of power in the US (both inside and outside of the government) who are so extreme and deluded that they distort and discredit actual truth by purporting to be believers in the notion of ‘Free speech’, when what they are actually promoting is the notion that “Free speech is anything said in support of *us* and *our* beliefs. Everything else said or written that *we* deem is not in accordance with *our* beliefs, or people who are not like *us* (and that includes all 1st or 2nd generation immigrants – but excepting, of course, those of us who are, in actuality, part of that group) are a security threat that will be met with undue denigration, anger, insult, aggression, threat and/or violence”.
The USA has a lot of decent, honest and fair people (I would like to say who mostly live in coastal regions, but that would be disingenuous of me to say so, so I will admit that I said that in a devilish spirit of jest and not a little over-simplification), but I contend it (the USA) has a dangerous, and growing influential cohort of others who seem hell-bent on imposing their ‘values’ and punishments on their own country-folk (and, increasingly, those of other countries) to such an extent that makes the US the current most dangerous country there is.
If there’s a way for dear leader (orange man) to make money off this, these government concerns would suddenly disappear. See ‘Crypto is a SCAM’ & ‘Tick Tok’ for issues that have disappeared.
There used to be a thing called “science”. Just like there used to be a thing called “law” and another called “truth”.
In those good old days, life was simple. People with some sort of credentials (degrees) adjudged concepts which they understood. These days, all you need, is a TV presenter job. Anyway, those “scientists” used to test the technology in controlled environments, and publish findings, which then the TV presenters would echo. Not so much today.
the guv’ment should provide details here. It really doesn’t sound like there’s malware pre-installed on the chips, but that hackers are able to install new firmware? If you can install some open-source firmware like OpenWrt, then the device is not secure enough. It should always check the signature of firmware files before flashing. Maybe part of this is that Chinese-sponsored hackers might have the keys necessary to create signatures, but it also sounds like TP-Link (and maybe other routers) may allow flashing un-signed files.
Not really a big fan of banning products like this or Tick-Tock… I’d rather see them release the actual exploits/problems with these products so that consumers can decide for themselves. Maybe even labeling like they do with cigarettes or something…
Thank you for the article, I was almost ready to purchase a TP-Link router from Amazon when I checked here and purchased another brand. Whew!