
US reportedly mulls TP-Link router ban over national security risk

It could end up like Huawei - Trump's gonna get ya, get ya, get ya


Updated: The Feds may ban the sale of TP-Link routers in the US over ongoing national security concerns about Chinese-made devices being used in cyberattacks.

Three federal departments — Commerce, Defense, and Justice — have opened investigations into the router manufacturer, according to a Wall Street Journal report, citing "people familiar with the matter." Plus, a Commerce Department office has reportedly subpoenaed TP-Link.

The Register reached out to TP-Link and to the Justice and Commerce Departments, but thus far all have declined to comment. We will update this story if and when we hear back from them.

TP-Link has about 65 percent of the US router market for homes and small businesses. It also partners with more than 300 internet service providers in the US to supply routers for new customer installations, according to the WSJ. The China-based manufacturer's gear is also reportedly used by the Department of Defense and other federal government agencies.

In late October, Microsoft warned that Chinese government-backed threat actors had compromised thousands of internet-connected devices for password-spray attacks against its customers, and noted "routers manufactured by TP-Link make up most of this network."

After stealing credentials in these campaigns, the Beijing-backed crew that Microsoft tracks as Storm-0940 uses this access to break into organizations in North America and Europe, including think tanks, government and non-governmental organizations, law firms, and defense industrial base firms. 

These attacks have been ongoing since at least 2021, Redmond said.

We should also note that Chinese spies have used American companies' gear to build botnets and launch cyberattacks against critical networks and organizations.

Earlier this year, the Justice Department warned that another Chinese-government-linked crew, Volt Typhoon, had infected Cisco and Netgear boxes with malware so that the devices could be used to break into US energy, water, and manufacturing facilities as far back as 2021.

And just last month, reports emerged that Volt Typhoon was, once again, compromising old Cisco routers to break into critical infrastructure networks and kick off cyberattacks.

However, it doesn't appear that TP-Link routers were used in Salt Typhoon's snooping campaign targeting US telecommunications companies.

Regardless, the move to ban Chinese devices will likely find an ally in President-elect Donald Trump, whose previous administration in 2019 labeled Huawei a national security threat and effectively banned that company's technology from being used in US telecom networks.

Trump's pick for national security advisor has also indicated that the incoming president wants to go on the cyber offensive against China, and the narrative of eliminating sales of TP-Link products in America would play into that tough-on-Beijing stance.

"We have been, over the years, trying to play better and better defense when it comes to cyber," Congressman Mike Waltz (R-FL) said to CBS News' Margaret Brennan on Face the Nation on Sunday. "We need to start going on offense and start imposing, I think, higher costs and consequences to private actors and nation state actors." ®

Updated to add at 1715 UTC on December 20, 2024

A TP-Link spokesperson reached out to The Register at 1056 UTC on Friday and said there is "no indication" that its routers are more vulnerable to hacks than any other brands.

"To be clear, the Chinese government does not have access to and control over the design and production of our routers and other devices," the spokesperson said. "TP-Link Systems is no longer affiliated with China-based TP-LINK Technologies, which sells exclusively in mainland China. Further, TP-Link Systems and its subsidiaries do not sell any products to customers in mainland China."

TP-Link Systems, which is based in Irvine, California, supplies networking gear to the company's US and UK customers, and "carefully controls its own supply chain," we are told.

Plus, the router maker said it has signed on to CISA's Secure by Design pledge. "TP-Link Systems is proactively seeking opportunities to engage with the US government to demonstrate that our security practices are fully in line with security standards."
