News TP-Link investigated by US government over national security concerns — investigation probes TP-Link routers used in recent cyberattacks

[Admin]

Washington is investigating TP-Link for national security reasons, with some sources saying a ban for the popular router brand is in the works.

TP-Link investigated by US government over national security concerns — investigation probes TP-Link routers used in recent cyberattacks : Read more

 

[JamesJones44]

I had no idea TP-Link had grown so much. Reviews of their equipment were typically so-so, I didn't think they had grabbed so much of the market.

 

[Notton]

This is reminiscent of the Windows vs. Apple vs. Linux and perceived vs. actual security.
Are TP-link routers the target of attacks because they are popular, because they are easily exploited, or a mix of both?

Can they be patched with OpenWRT or similar?

 

[TheSecondPower]

Because of TP Link's China roots, I don't buy any TP Link products, which is actually kind of hard. TP Link has the largest selection and the lowest prices. It's no surprise that it controls so much of the market today.

 

[bill001g]

It was not long ago asus also had a major flaw in there firmware. Even cisco commercial routers had issue. It might just be the media twisting things for clicks. I doubt the government uses cheap consumer grade equipment for anything that has actually national security concerns. Have to assume any device can have a software issue and is why good security design has mulitple layers and assumes no single device failure can bypass your security. The largest issue is still the humans not the technology.

Huawei is a different issue they actually got caught sending call and location data back to china from the cell towers. This was a very long time ago and as big a deal as the government still makes about this I suspect is was much more than them accidentally leaving on some debugging code.

 

[thestryker]

Can they be patched with OpenWRT or similar?

Unfortunately this is usually entirely based on the SoC being used in the router.

MediaTek based routers tend to be the only ones with good OpenWRT type support. They also tend to be late to the party for advanced wireless networking so aren't used in many of the higher end models. Broadcom is outright toxic to the open source community and Qualcomm isn't much better.

While the information can generally be found companies don't tend to be transparent about what SoC they're using in their routers which makes it more difficult to know what you're buying.

 

[thestryker]

Because of TP Link's China roots, I don't buy any TP Link products, which is actually kind of hard. TP Link has the largest selection and the lowest prices. It's no surprise that it controls so much of the market today.

Pretty much all consumers routers are made in the same places these days so if there was a supply chain attack they'd all be vulnerable. That pretty much just leaves the possibility of compromised software. Due to the poor open source support for wireless hardware in general I made the leap to using pfsense so none of my wireless hardware is directly internet facing.

 

[bit_user]

Because of TP Link's China roots, I don't buy any TP Link products,

I would still buy their layer-2 switches, but just the "dumb" ones. Perhaps I should rethink even that policy, but it does seem like Chinese switches dominate the low end of that market quite decisively.

Like you, I've been avoiding other networking gear from Chinese companies going on probably about a decade, now.

 

[bit_user]

Have to assume any device can have a software issue and is why good security design has mulitple layers and assumes no single device failure can bypass your security. The largest issue is still the humans not the technology.

There's a big difference between a device having a vulnerability vs. a designed-in backdoor. If all of your equipment is potentially compromised, it's virtually impossible to build a secure network.

Maybe Google's Zero-Trust approach is the only option left, at that point. However, lots of people and organizations use legacy devices and services which don't support such technologies. So, we do still need to care about getting devices from trusted manufacturers and we do still need to be vigilant about their vulnerabilities and any signs of compromise.

 

[DS426]

I'm thinking that they wouldn't get banned from consumer use, but for government and military agencies, yes, I'd be highly surprised at this point if they weren't.

 

[_Shatta_AD_]

Cisco, D-Link, Netgear, pretty much most of the major players in the networking world have been hacked or compromised before. So specifically singling out TP-Link because of their place of origin and using another national security veil to target a legit company just goes to show no matter what you do to try and satisfy US regulations and specs, you’ll never be out of the woods just because of where it’s started. Sounds pretty anticompetitive to me.

 

[93QSD5]

Not surprisingly in the least. This was known within the agency over a decade ago.

 

[atomicWAR]

I would still buy their layer-2 switches, but just the "dumb" ones. Perhaps I should rethink even that policy, but it does seem like Chinese switches dominate the low end of that market quite decisively.

Yeah I upgraded my old 1G tp link 8 port over to a 2.5G Trendtech 8 port switch for my daily driver this year. The reason I ditched tp link was over security concerns with Chinese kit.

I could have saved cash had I gone with tp link again. And to think I was worried I was 'just' being paranoid. Making sure I had an USA based company's switch (or more accurately not a Chinese one) ...now it appears like my fears may have been justified. Or is this a case of brand saturation leading to targeted explotation? Either way I can rest better not running tp link hardware. Fingers crossed.

 

[thestryker]

Yeah I upgraded my old 1G tp link 8 port over to a 2.5G Trendtech 8 port switch for my daily driver this year. The reason I ditched tp link was over security concerns with Chinese kit.

TP-Link doesn't make anything in China (for their NA products), uses the same hardware as everyone else and manufactures where all of the biggest companies do (Vietnam). The only concern with their products that has any potential rationality is software side. Personally I wouldn't use any of their hardware which wasn't effectively a dumb device, but so long as it's not directly internet facing anything that might be compromised can be mitigated.

There has certainly been a flood of cheap switches from China, but TP-Link isn't these.

 

[jp7189]

Depending on how you feel about the secure nature of grey market/used vs new Chinese equipment... you can pick up old Cisco datacenter class gear for very cheap. The truly ancient nexus 5548 which is packed full of 10G ports, sells for around $100 on ebay which is way cheaper than any brand of new equipment regardless of origin. You can even get a 100G switch for around $2k now.

The downside is they tend to be power hungry and loud... and there's always the chance the reseller could load something malicious on there, but if your already buying outside of a verified secure supply chain channel...

 

[bit_user]

The downside is they tend to be power hungry and loud... and there's always the chance the reseller could load something malicious on there,

It could also be unreliable. Sometimes, fully-working units are pulled as part of a planned upgrade. Other times, units are pulled due to problems. It might all end up in the same E-waste stream, which is probably where the sellers are getting these units.

The only way I'd touch a used network switch is from a trusted (i.e. long track-record and high feedback score), domestically-based reseller with a decent money-back guarantee. Even then, I'd tend to steer away from used, if I could afford something new that met my needs and got decent reviews. ServeTheHome reviews a lot of network gear, especially the lower-cost stuff people like to use in homelabs and small businesses. However, a lot of the stuff they review is purchased via AliExpress, but they also reviewed the Netgear multi-gigabit switch I bought.

 

[phead128]

US gov't: Only we can back-door into your network and telecom network!

 

[t3t4]

Blocking a product or company just because it is China based? Well, nobody is gonna take away nor stop me from using my BE19000! If/when somebody, anybody, makes an equivalent device for the same or less cost locally, maybe then I'll consider a different brand. Until then, My middle finger flag stays at full mast!
Just sayin.

 

[93QSD5]

Blocking a product or company just because it is China based? Well, nobody is gonna take away nor stop me from using my BE19000! If/when somebody, anybody, makes an equivalent device for the same or less cost locally, maybe then I'll consider a different brand. Until then, My middle finger flag stays at full mast!
Just sayin.

and nobody cares

 

[bill001g]

I would be careful about buying used cisco gear. First you are going to get whatever firmware is loaded on the device and have no way to upgrade it. Most their stuff requires yearly software contract and once things reach end of life/support they will no longer even allow you to buy a support contract. Next they try very hard to prevent sale of used equipment. The laws in a lot of countries prevent them from directly saying you can't resell your property what they do to get around this is claim you only have a license to use the software and do not own it and can not transfer it. You technically are required to wipe it off the device if you sell it.
So in the end it high risk to buy older used cisco gear. Many years ago you could get bootleg firmware images that is much harder now.

 

[Pei-chen]

Do they have proof or is this another “they might if they could” wink wink wink situation?

 

[Sh4veD4ve]

I have been avoiding TP Link for exactly this reason.
They are good quality products with premium cloud features at below market prices - they don't show signs of mismanagement, so my logical conclusion was that someone was subsidizing them to maximize their market adoption - and it makes sense that it is the Chinese government.