News U.S. lawmakers request probe into Chinese router manufacturer TP-Link — letter cites cybersecurity vulnerabilities with TP-Link routers

[Admin]

Citing multiple vulnerabilities, hacking groups, and extensive use by military personnel and bases, two U.S. congressmen jointly requested the Department of Commerce investigate potential threats from TP-Link's Chinese-made routers.

U.S. lawmakers request probe into Chinese router manufacturer TP-Link — letter cites cybersecurity vulnerabilities with TP-Link routers : Read more

 

[vanadiel007]

They are cheap, this is why they are attractive. I am sure everyone will be happy if a Cisco product can be had for roughly the same price as these TP link devices.

I think it's rather difficult to make an argument they pose a threat, when they are in use in military bases. They had to pass a certain process to get there...

 

[dogenjoyer]

No mention in the article that TP-Link Corporation, maker of consumer networking equipment, separated from Chinese TP-Link and has been based in Singapore since 2022?

 

[bit_user]

I think it's rather difficult to make an argument they pose a threat, when they are in use in military bases. They had to pass a certain process to get there...

You can never achieve 100% test coverage, so it's no guarantee a device doesn't have backdoors or critical bugs. Not only that, but each firmware update should be tested on each hardware model, with the same rigor. That does seem like a tall order, given that 100% assurance can never be achieved.

In the age of cyber warfare, I don't see why IT suppliers shouldn't be subject to roughly the same policies as suppliers of conventional weapons systems.

 

[DS426]

Lol, pretty sure no truly thorough investigation could be completed by the end of August, so, what'll it be?:
*By the End of August, or
*Thorough

That said, a lot of non-military folks might not realize this but the PX (Post eXchange) and other military retailers sell most of the same stuff that you'd find at Wal-Mart or anywhere else; it's basically a thing like unless it's explicitly blacklisted, there's not a lot of writing to restrict what they can sell. Yeah, there's definitely less questionable cheap Chinese junk, some of which I'm thinking has more to do with [approved] supply chains.

Anyways, just remember we're talking about consumer products here, not SOHO routers actually used by a unit in the Army, DoD, etc.; additionally, consumer products are practically never scrutinized when being brought on base, unless they look physically dangerous like a weapon or bomb.

 

[magbarn]

This makes me nervous as I have a ton of tp link from wireless mesh to light switches. I miss when Apple used to make routers. Their last gen was awesome.

 

[MatheusNRei]

Considering how those routers are dirt cheap for the most part, it's hardly a surprise they're more vulnerable.

The military shouldn't be using bottom-shelf network hardware in the first place, it's not like they lack the funding to procure good quality hardware.

 

[bit_user]

The military shouldn't be using bottom-shelf network hardware in the first place, it's not like they lack the funding to procure good quality hardware.

I'm sure they're already spending every dime in their budget and they have lots of computers and network infrastructure. Increasing costs of that stuff by 2-3x would mean either needing more money or having to cut elsewhere.

Let's also not forget the DoD doesn't have complete control over their budget. Congress "helps" by earmarking funds for specific projects, programs, and weapons systems that are often coincidentally tied to the districts of influential members.

 

[MatheusNRei]

I'm sure they're already spending every dime in their budget and they have lots of computers and network infrastructure. Increasing costs of that stuff by 2-3x would mean either needing more money or having to cut elsewhere.

Let's also not forget the DoD doesn't have complete control over their budget. Congress "helps" by earmarking funds for specific projects, programs, and weapons systems that are often coincidentally tied to the districts of influential members.

Well, they'll have to find some funds for an upgrade if they're worried about their network security.

There's no such think as dirt cheap and secure when it comes to network equipment, it's one or the other.

 

[DS426]

Not hearing a seperation, folks: when you

The military shouldn't be using bottom-shelf network hardware in the first place, it's not like they lack the funding to procure good quality hardware.

What do you mean by "the military" here? Again, we're talking about military families (on base or off), maybe some soldiers in their barracks for their personal use, vets, etc. Actual units (companies, battalions, brigades, etc.) on internal military networks aren't using TP-Link. Yes, even the DoD down to DISA down to operating military networks have the money for Cisco networking equipment. There IS a mandate by the DoD for military equipment to be made in the U.S. (broadly speaking), for obvious national security reasons and partly out of principal.

 

[MatheusNRei]

Not hearing a seperation, folks: when you

What do you mean by "the military" here? Again, we're talking about military families (on base or off), maybe some soldiers in their barracks for their personal use, vets, etc. Actual units (companies, battalions, brigades, etc.) on internal military networks aren't using TP-Link. Yes, even the DoD down to DISA down to operating military networks have the money for Cisco networking equipment. There IS a mandate by the DoD for military equipment to be made in the U.S. (broadly speaking), for obvious national security reasons and partly out of principal.

That's not as bad then.
It's still quite terrible though.

 

[thestryker]

This just reminds me of the mandates for ISPs to remove Huawei hardware by Congress which they promptly didn't actually fund.

As for the security aspect we're living in a time where certain equipment cannot be setup without an app because there isn't a native interface. Tons of networking hardware has varying phone home settings and pushes cloud based services. Not to mention all of the consumer level hardware is built in the same places no matter who the manufacturer happens to be so the only real differentiation is on the software side. Cracking down on the industry as a whole would go a long way if security was really the goal here.

 

[bit_user]

Not to mention all of the consumer level hardware is built in the same places no matter who the manufacturer happens to be so the only real differentiation is on the software side.

Not sure where my Netgear router was made, but it has a Qualcomm Snapdragon SoC. I'm sure some Chinese brands will use Chinese SoCs.

That's also important regarding software, because an embedded systems designer typically has no choice but to use certain software components provided by the SoC vendor.

 

[Amdlova]

I have a asrock router here... but I'am not security fan by any means put my computer on DMZ because torrent reasons

 

[USAFRet]

The military shouldn't be using bottom-shelf network hardware in the first place, it's not like they lack the funding to procure good quality hardware.

Frequently, even usually, a LOT of the on-base infrastructure is handled by the local ISP. Cox, Charter, AT&T, Spectrum, etc.

The base facilities like Burger King, Pizza Hut, dormitories....all contracted outside of the 'military' infrastructure.
But personnel and their devices interact with those every day.

 

[thestryker]

Not sure where my Netgear router was made, but it has a Qualcomm Snapdragon SoC. I'm sure some Chinese brands will use Chinese SoCs.

That's also important regarding software, because an embedded systems designer typically has no choice but to use certain software components provided by the SoC vendor.

This is true of pretty much everything on the market as I'm sure you're aware not all Netgear routers use Qualcomm. I'd love to know who all is making the SoCs used in current routers as Broadcom had a lock during the earlier WiFi 6 days. The only brands I'm aware of that even make modern networking hardware are Broadcom, Qualcomm, MediaTek and Marvell.

Recently I've only looked at some WiFi 7 routers, but all of the identified ones use Qualcomm/Broadcom (where's the reviewers who take them apart to find out?!).

 

[Sluggotg]

People are getting confused about the use of these in "The Military". The Military is not using these for military purposes. These are just products available at the base store. They are only used for normal consumer use. They absolutely cannot store/access/transfer Classified material from their home computers. That will get you many years of jail time.
I bought my first computer on the base Exchange in 1985, it was a Commodore 64. Good Times!

 

[TheSecondPower]

No mention in the article that TP-Link Corporation, maker of consumer networking equipment, separated from Chinese TP-Link and has been based in Singapore since 2022?

Huh. I didn't know about this. This press release says that the split did happen.

TP-Link Corporation Group Announces Completion of Corporate Restructuring, Marking a New Era in its Future Evolution

TP-Link Corporation Group (TP-Link®), a global leader in high quality networking products, announces that it has completed a global restructuring marking a significant milestone in positioning TP-Link to advance key growth initiatives.

www.tp-link.com

It's a confusing though, and both entities are now called TP-Link. Motorola made a similar split but there was a clear buy-out involved and the bought portion was called Motorola Mobility.

I've avoided companies like TP-Link, Lenovo, Motorola Mobility, Zotac, and others that are or were Chinese-owned. It seems foolish to use Chinese hardware especially where there are other options.

 

[bit_user]

I've avoided companies like TP-Link, Lenovo, Motorola Mobility, Zotac, and others that are or were Chinese-owned. It seems foolish to use Chinese hardware especially where there are other options.

Related:

https://www.tomshardware.com/news/dell-plans-to-phase-out-chinese-chips-from-pcs-by-2024
​

However, I think I saw a more recent article with a timeline updated to a more realistic target, like 2027.

 

[Notton]

I avoid TP-link...
and D-link, netgear, linksys, and cisco (consumer grade) routers, not because of security issues, but because of my past experiences with their reliability and ease of configuration/GUI.

My Asus RT-AC68U has been reliable for several years, so if it breaks I will most likely replace it with whatever the cheapest Wifi-6 model they offer.

I only have an unmanaged switch from Trendnet, so no opinion.
Huawei, Acer, MSI, and Ubiquity: also no opinion because no experience.

 

[ThomasKinsley]

You can never achieve 100% test coverage, so it's no guarantee a device doesn't have backdoors or critical bugs. Not only that, but each firmware update should be tested on each hardware model, with the same rigor. That does seem like a tall order, given that 100% assurance can never be achieved.

Sounds like a new company could net a lucrative contract with the government doing exactly that kind of vetting.

 

[KyaraM]

They certainly use Cisco products for their internal networks, both hard and software, for their network, even unclassified ones. So it's not as if these routers have any amount of highly sensitive traffic, or are any less secure than some moron going on Facebook and posting the location and date of their next/current training exercise there, and most like they are actually still more secure than that. They have bigger security holes I'm sure.

<Political content removed by moderator>

 

[bit_user]

This, however, just smells like their most recent anti-China crusade. Not putting much stock in it, especially since there seems to be no specific suspicion, it's just "Chinese company bad" all over.

Chinese cyberattacks on US government systems are an actual fact of recent history - not theoretical. When you have an adversary with a track record of hostility, only a fool would cede the strategic high ground to them.

https://en.wikipedia.org/wiki/Office_of_Personnel_Management_data_breach
​

Now, I'm not weighing in on the particulars of the TP-Link case, in part because I don't & can't know whether they've severed themselves as completely as they claim from the Chinese entity, but I just wanted to address the dismissive subtext of your post.

 

[KyaraM]

It is fearmongering to an extent, given that everyone spies on everyone else and China is neither the most prolific nor the most effective actor, be it in cybersecurity or in general espionage.

It is still unwise to make a rival's job easier of course, but in this case the motivation behind the probe is most likely political and not a matter of security.

Exactly my point, yes. Of course, you have to be wary, but they have other things they should be wary of inside their actual network long before targeting privately used devices if their concern is that these devices are sold on-post.

Reading a bit further into it, there seems to be a known vulnerability in their code, at least in some products; however, this should be fixable, if that didn't happen already. I can't say how bad it actually is, though, I'm not an expert. I also found the above info that the company severed ties with their Shenzen parent, so China shouldn't be actually able to directly meddle with them anymore. There was a cyberattack in Europe targeting their hardware, but there also was an attack in the US that used Cisco and Netgear hardware. So, now what, ban them, too? If every company that ever had vulnerabilitiesis to be banned, what computers do they want to work on now, since that applies to basically all actors? And about production in China... yes, that applies to most stuff nowadays, though. If not, prices will go through the roof for many things.

 

[bit_user]

if TP-Link is Singapore-based, then it's not clear that the China connection is there anymore so that does sound political.

Just being based there doesn't tell you about their supply chain or whether they have any contract employees located in China, etc. To the extent it matters, it's not a bad idea to take a closer look at how well isolated they really are.