News U.S. lawmakers request probe into Chinese router manufacturer TP-Link — letter cites cybersecurity vulnerabilities with TP-Link routers

Status
Not open for further replies.

vanadiel007

Distinguished
Oct 21, 2015
368
361
19,060
They are cheap, this is why they are attractive. I am sure everyone will be happy if a Cisco product can be had for roughly the same price as these TP link devices.

I think it's rather difficult to make an argument they pose a threat, when they are in use in military bases. They had to pass a certain process to get there...
 

bit_user

Titan
Ambassador
I think it's rather difficult to make an argument they pose a threat, when they are in use in military bases. They had to pass a certain process to get there...
You can never achieve 100% test coverage, so it's no guarantee a device doesn't have backdoors or critical bugs. Not only that, but each firmware update should be tested on each hardware model, with the same rigor. That does seem like a tall order, given that 100% assurance can never be achieved.

In the age of cyber warfare, I don't see why IT suppliers shouldn't be subject to roughly the same policies as suppliers of conventional weapons systems.
 

DS426

Upstanding
May 15, 2024
254
190
360
Lol, pretty sure no truly thorough investigation could be completed by the end of August, so, what'll it be?:
*By the End of August, or
*Thorough

That said, a lot of non-military folks might not realize this but the PX (Post eXchange) and other military retailers sell most of the same stuff that you'd find at Wal-Mart or anywhere else; it's basically a thing like unless it's explicitly blacklisted, there's not a lot of writing to restrict what they can sell. Yeah, there's definitely less questionable cheap Chinese junk, some of which I'm thinking has more to do with [approved] supply chains.

Anyways, just remember we're talking about consumer products here, not SOHO routers actually used by a unit in the Army, DoD, etc.; additionally, consumer products are practically never scrutinized when being brought on base, unless they look physically dangerous like a weapon or bomb.
 
  • Like
Reactions: KyaraM

magbarn

Reputable
Dec 9, 2020
155
148
4,770
This makes me nervous as I have a ton of tp link from wireless mesh to light switches. I miss when Apple used to make routers. Their last gen was awesome.
 

MatheusNRei

Great
Jan 15, 2024
55
38
60
Considering how those routers are dirt cheap for the most part, it's hardly a surprise they're more vulnerable.

The military shouldn't be using bottom-shelf network hardware in the first place, it's not like they lack the funding to procure good quality hardware.
 

bit_user

Titan
Ambassador
The military shouldn't be using bottom-shelf network hardware in the first place, it's not like they lack the funding to procure good quality hardware.
I'm sure they're already spending every dime in their budget and they have lots of computers and network infrastructure. Increasing costs of that stuff by 2-3x would mean either needing more money or having to cut elsewhere.

Let's also not forget the DoD doesn't have complete control over their budget. Congress "helps" by earmarking funds for specific projects, programs, and weapons systems that are often coincidentally tied to the districts of influential members.
 

MatheusNRei

Great
Jan 15, 2024
55
38
60
I'm sure they're already spending every dime in their budget and they have lots of computers and network infrastructure. Increasing costs of that stuff by 2-3x would mean either needing more money or having to cut elsewhere.

Let's also not forget the DoD doesn't have complete control over their budget. Congress "helps" by earmarking funds for specific projects, programs, and weapons systems that are often coincidentally tied to the districts of influential members.
Well, they'll have to find some funds for an upgrade if they're worried about their network security.

There's no such think as dirt cheap and secure when it comes to network equipment, it's one or the other.
 

DS426

Upstanding
May 15, 2024
254
190
360
Not hearing a seperation, folks: when you
The military shouldn't be using bottom-shelf network hardware in the first place, it's not like they lack the funding to procure good quality hardware.
What do you mean by "the military" here? Again, we're talking about military families (on base or off), maybe some soldiers in their barracks for their personal use, vets, etc. Actual units (companies, battalions, brigades, etc.) on internal military networks aren't using TP-Link. Yes, even the DoD down to DISA down to operating military networks have the money for Cisco networking equipment. There IS a mandate by the DoD for military equipment to be made in the U.S. (broadly speaking), for obvious national security reasons and partly out of principal.
 

MatheusNRei

Great
Jan 15, 2024
55
38
60
Not hearing a seperation, folks: when you

What do you mean by "the military" here? Again, we're talking about military families (on base or off), maybe some soldiers in their barracks for their personal use, vets, etc. Actual units (companies, battalions, brigades, etc.) on internal military networks aren't using TP-Link. Yes, even the DoD down to DISA down to operating military networks have the money for Cisco networking equipment. There IS a mandate by the DoD for military equipment to be made in the U.S. (broadly speaking), for obvious national security reasons and partly out of principal.
That's not as bad then.
It's still quite terrible though.
 
This just reminds me of the mandates for ISPs to remove Huawei hardware by Congress which they promptly didn't actually fund.

As for the security aspect we're living in a time where certain equipment cannot be setup without an app because there isn't a native interface. Tons of networking hardware has varying phone home settings and pushes cloud based services. Not to mention all of the consumer level hardware is built in the same places no matter who the manufacturer happens to be so the only real differentiation is on the software side. Cracking down on the industry as a whole would go a long way if security was really the goal here.
 

bit_user

Titan
Ambassador
Not to mention all of the consumer level hardware is built in the same places no matter who the manufacturer happens to be so the only real differentiation is on the software side.
Not sure where my Netgear router was made, but it has a Qualcomm Snapdragon SoC. I'm sure some Chinese brands will use Chinese SoCs.

That's also important regarding software, because an embedded systems designer typically has no choice but to use certain software components provided by the SoC vendor.
 
  • Like
Reactions: KyaraM

USAFRet

Titan
Moderator
The military shouldn't be using bottom-shelf network hardware in the first place, it's not like they lack the funding to procure good quality hardware.
Frequently, even usually, a LOT of the on-base infrastructure is handled by the local ISP. Cox, Charter, AT&T, Spectrum, etc.

The base facilities like Burger King, Pizza Hut, dormitories....all contracted outside of the 'military' infrastructure.
But personnel and their devices interact with those every day.
 
Not sure where my Netgear router was made, but it has a Qualcomm Snapdragon SoC. I'm sure some Chinese brands will use Chinese SoCs.

That's also important regarding software, because an embedded systems designer typically has no choice but to use certain software components provided by the SoC vendor.
This is true of pretty much everything on the market as I'm sure you're aware not all Netgear routers use Qualcomm. I'd love to know who all is making the SoCs used in current routers as Broadcom had a lock during the earlier WiFi 6 days. The only brands I'm aware of that even make modern networking hardware are Broadcom, Qualcomm, MediaTek and Marvell.

Recently I've only looked at some WiFi 7 routers, but all of the identified ones use Qualcomm/Broadcom (where's the reviewers who take them apart to find out?!).
 

Sluggotg

Honorable
Feb 17, 2019
214
176
10,760
People are getting confused about the use of these in "The Military". The Military is not using these for military purposes. These are just products available at the base store. They are only used for normal consumer use. They absolutely cannot store/access/transfer Classified material from their home computers. That will get you many years of jail time.
I bought my first computer on the base Exchange in 1985, it was a Commodore 64. Good Times!
 

TheSecondPower

Distinguished
Nov 6, 2013
133
124
18,760
No mention in the article that TP-Link Corporation, maker of consumer networking equipment, separated from Chinese TP-Link and has been based in Singapore since 2022?
Huh. I didn't know about this. This press release says that the split did happen.

It's a confusing though, and both entities are now called TP-Link. Motorola made a similar split but there was a clear buy-out involved and the bought portion was called Motorola Mobility.

I've avoided companies like TP-Link, Lenovo, Motorola Mobility, Zotac, and others that are or were Chinese-owned. It seems foolish to use Chinese hardware especially where there are other options.
 
  • Like
Reactions: ThomasKinsley

bit_user

Titan
Ambassador

Notton

Commendable
Dec 29, 2023
866
764
1,260
I avoid TP-link...
and D-link, netgear, linksys, and cisco (consumer grade) routers, not because of security issues, but because of my past experiences with their reliability and ease of configuration/GUI.

My Asus RT-AC68U has been reliable for several years, so if it breaks I will most likely replace it with whatever the cheapest Wifi-6 model they offer.

I only have an unmanaged switch from Trendnet, so no opinion.
Huawei, Acer, MSI, and Ubiquity: also no opinion because no experience.
 

ThomasKinsley

Notable
Oct 4, 2023
385
384
1,060
You can never achieve 100% test coverage, so it's no guarantee a device doesn't have backdoors or critical bugs. Not only that, but each firmware update should be tested on each hardware model, with the same rigor. That does seem like a tall order, given that 100% assurance can never be achieved.
Sounds like a new company could net a lucrative contract with the government doing exactly that kind of vetting.
 

KyaraM

Admirable
They certainly use Cisco products for their internal networks, both hard and software, for their network, even unclassified ones. So it's not as if these routers have any amount of highly sensitive traffic, or are any less secure than some moron going on Facebook and posting the location and date of their next/current training exercise there, and most like they are actually still more secure than that. They have bigger security holes I'm sure.

<Political content removed by moderator>
 

bit_user

Titan
Ambassador
This, however, just smells like their most recent anti-China crusade. Not putting much stock in it, especially since there seems to be no specific suspicion, it's just "Chinese company bad" all over.
Chinese cyberattacks on US government systems are an actual fact of recent history - not theoretical. When you have an adversary with a track record of hostility, only a fool would cede the strategic high ground to them.

Now, I'm not weighing in on the particulars of the TP-Link case, in part because I don't & can't know whether they've severed themselves as completely as they claim from the Chinese entity, but I just wanted to address the dismissive subtext of your post.
 

KyaraM

Admirable
It is fearmongering to an extent, given that everyone spies on everyone else and China is neither the most prolific nor the most effective actor, be it in cybersecurity or in general espionage.

It is still unwise to make a rival's job easier of course, but in this case the motivation behind the probe is most likely political and not a matter of security.
Exactly my point, yes. Of course, you have to be wary, but they have other things they should be wary of inside their actual network long before targeting privately used devices if their concern is that these devices are sold on-post.

Reading a bit further into it, there seems to be a known vulnerability in their code, at least in some products; however, this should be fixable, if that didn't happen already. I can't say how bad it actually is, though, I'm not an expert. I also found the above info that the company severed ties with their Shenzen parent, so China shouldn't be actually able to directly meddle with them anymore. There was a cyberattack in Europe targeting their hardware, but there also was an attack in the US that used Cisco and Netgear hardware. So, now what, ban them, too? If every company that ever had vulnerabilitiesis to be banned, what computers do they want to work on now, since that applies to basically all actors? And about production in China... yes, that applies to most stuff nowadays, though. If not, prices will go through the roof for many things.
 

bit_user

Titan
Ambassador
if TP-Link is Singapore-based, then it's not clear that the China connection is there anymore so that does sound political.
Just being based there doesn't tell you about their supply chain or whether they have any contract employees located in China, etc. To the extent it matters, it's not a bad idea to take a closer look at how well isolated they really are.
 
Last edited:
  • Like
Reactions: TheSecondPower
Status
Not open for further replies.