U.S. lawmakers request probe into Chinese router manufacturer TP-Link — letter cites cybersecurity vulnerabilities with TP-Link routers


The chairman of the Select Committee on the Chinese Communist Party, John Moolenaar, and the ranking member, Raja Krishnamoorthi, have formally asked the Commerce Department and other agencies to investigate Chinese-made networking devices, particularly those made by TP-Link, over the potential cybersecurity risk they pose due to their unusual degree of vulnerabilities and other reasons mentioned in the letter.

The letter notes that TP-Link manufactures multiple Wi-Fi products, including routers, which is concerning given the documented vulnerabilities found in its Wi-Fi routers. Furthermore, TP-Link has the largest supply of Wi-Fi products worldwide, and 95% of Americans use SOHO routers as of 2023. Its products are also used on U.S. military bases and by military members and their families. The letter mentions companies like the Army and Air Force Exchange Service and My Navy Exchange, which sell products to authorized customers who are active duty military personnel, retirees, reservists, veterans, Department of Defense civilians, and family members.

The other reason mentioned in the letter is the company's requirement to comply with the Chinese government under Chinese law. The congressmen said, "Companies like TP-Link are required to provide data to the PRC (People's Republic of China) government and otherwise comply with the demands of its national security apparatus."

The letter further emphasizes threats from Volt Typhoon and other PRC Advanced Persistent Threat (APT) groups. The Commerce Department has the power to restrict or ban certain products that pose a threat, as it did with networking technologies made by companies like ZTE and Huawei.

Security vulnerabilities are not exclusive to a particular company, and they affect products other than networking devices. Multiple companies (including router manufacturers) have faced situations where vulnerabilities in their products were exploited and eventually patched. However, the use of SOHO routers is particularly concerning in this case, given the positions military personnel hold and the sensitive information that passes through any of these routers.

The members jointly requested that the investigation be completed by the end of August. Once the investigation is complete, we should receive information from the Department of Commerce, along with any actions it takes against a potential threat, if warranted.

Roshan Ashraf Shaikh
Contributing Writer

Roshan Ashraf Shaikh has been in the Indian PC hardware community since the early 2000s, building PCs and contributing to many Indian tech forums and blogs. He operated Hardware BBQ for 11 years and wrote news for eTeknix and TweakTown before joining the Tom's Hardware team. Besides tech, he is interested in fighting games, movies, anime, and mechanical watches.

  • vanadiel007
    They are cheap, this is why they are attractive. I am sure everyone will be happy if a Cisco product can be had for roughly the same price as these TP link devices.

    I think it's rather difficult to make an argument they pose a threat, when they are in use in military bases. They had to pass a certain process to get there...
  • dogenjoyer
    No mention in the article that TP-Link Corporation, maker of consumer networking equipment, separated from Chinese TP-Link and has been based in Singapore since 2022?
  • bit_user
    vanadiel007 said:
    I think it's rather difficult to make an argument they pose a threat, when they are in use in military bases. They had to pass a certain process to get there...
    You can never achieve 100% test coverage, so it's no guarantee a device doesn't have backdoors or critical bugs. Not only that, but each firmware update should be tested on each hardware model, with the same rigor. That does seem like a tall order, given that 100% assurance can never be achieved.

    In the age of cyber warfare, I don't see why IT suppliers shouldn't be subject to roughly the same policies as suppliers of conventional weapons systems.
  • DS426
    Lol, pretty sure no truly thorough investigation could be completed by the end of August, so, what'll it be?:
    *By the End of August, or
    *Thorough

    That said, a lot of non-military folks might not realize this but the PX (Post eXchange) and other military retailers sell most of the same stuff that you'd find at Wal-Mart or anywhere else; it's basically a thing like unless it's explicitly blacklisted, there's not a lot of writing to restrict what they can sell. Yeah, there's definitely less questionable cheap Chinese junk, some of which I'm thinking has more to do with supply chains.

    Anyways, just remember we're talking about consumer products here, not SOHO routers actually used by a unit in the Army, DoD, etc.; additionally, consumer products are practically never scrutinized when being brought on base, unless they look physically dangerous like a weapon or bomb.
  • magbarn
    This makes me nervous as I have a ton of tp link from wireless mesh to light switches. I miss when Apple used to make routers. Their last gen was awesome.
  • MatheusNRei
    Considering how those routers are dirt cheap for the most part, it's hardly a surprise they're more vulnerable.

    The military shouldn't be using bottom-shelf network hardware in the first place, it's not like they lack the funding to procure good quality hardware.
  • bit_user
    MatheusNRei said:
    The military shouldn't be using bottom-shelf network hardware in the first place, it's not like they lack the funding to procure good quality hardware.
    I'm sure they're already spending every dime in their budget and they have lots of computers and network infrastructure. Increasing costs of that stuff by 2-3x would mean either needing more money or having to cut elsewhere.

    Let's also not forget the DoD doesn't have complete control over their budget. Congress "helps" by earmarking funds for specific projects, programs, and weapons systems that are often coincidentally tied to the districts of influential members.
  • MatheusNRei
    bit_user said:
    I'm sure they're already spending every dime in their budget and they have lots of computers and network infrastructure. Increasing costs of that stuff by 2-3x would mean either needing more money or having to cut elsewhere.

    Let's also not forget the DoD doesn't have complete control over their budget. Congress "helps" by earmarking funds for specific projects, programs, and weapons systems that are often coincidentally tied to the districts of influential members.
    Well, they'll have to find some funds for an upgrade if they're worried about their network security.

    There's no such thing as dirt cheap and secure when it comes to network equipment, it's one or the other.
  • DS426
    Not hearing a separation, folks: when you
    MatheusNRei said:
    The military shouldn't be using bottom-shelf network hardware in the first place, it's not like they lack the funding to procure good quality hardware.
    What do you mean by "the military" here? Again, we're talking about military families (on base or off), maybe some soldiers in their barracks for their personal use, vets, etc. Actual units (companies, battalions, brigades, etc.) on internal military networks aren't using TP-Link. Yes, even the DoD down to DISA down to operating military networks have the money for Cisco networking equipment. There IS a mandate by the DoD for military equipment to be made in the U.S. (broadly speaking), for obvious national security reasons and partly out of principle.
  • MatheusNRei
    DS426 said:
    Not hearing a separation, folks: when you

    What do you mean by "the military" here? Again, we're talking about military families (on base or off), maybe some soldiers in their barracks for their personal use, vets, etc. Actual units (companies, battalions, brigades, etc.) on internal military networks aren't using TP-Link. Yes, even the DoD down to DISA down to operating military networks have the money for Cisco networking equipment. There IS a mandate by the DoD for military equipment to be made in the U.S. (broadly speaking), for obvious national security reasons and partly out of principle.
    That's not as bad then.
    It's still quite terrible though.