Will the US government's proposed ban on TP-Link products really work?

The US government has conducted a risk assessment of TP-Link routers, concluding that a ban on their sale is warranted for national security reasons, and has proposed restricting their use. Security advisor Brian Krebs has questioned the proposed ban on TP-Link products in a blog post.
Drilling Down on Uncle Sam’s Proposed TP-Link Ban – Krebs on Security
The US government is investigating TP-Link Systems, a US-based company with Chinese roots, as a potential national security risk and has concluded that its use poses risks.
Multiple government agencies support the US Department of Commerce's proposal to ban the sale of TP-Link routers - GIGAZINE

Under the proposed ban, the US Department of Commerce would notify TP-Link of the ban and provide a 30-day period for the company to appeal. The Commerce Department would then have 30 days to consider any appeals before formally imposing the ban.
However, TP-Link Systems claims to be completely separate from its parent company, TP-Link Technologies, and denies any involvement by the Chinese government, stating that all research, development, design, and manufacturing, except for chipsets, is carried out by TP-Link Systems.

'TP-Link firmly refutes any allegations that its products pose a national security risk to the United States,' said TP-Link Systems spokesperson Ricca Silverio in a statement. 'TP-Link is an American company committed to supplying high-quality, secure products to the U.S. market and beyond.'
The incident began in August 2024 when the House Select Committee on Strategic Competition between the United States and the People's Republic of China sent a letter of warning to the Secretary of Commerce, citing the use of TP-Link devices at U.S. military bases.
The letter cites a blog post by cybersecurity provider Check Point, which reported that 'a Chinese government-backed hacker group carried out a cyber attack by embedding malicious firmware into some TP-Link routers.' However, Check Point stated, 'While the malicious firmware was found only in TP-Link devices, the fact that the embedded component is firmware-independent suggests that a wide range of devices and vendors may be at risk.'
TP-Link also pointed out that 'many of our competitors also source components from China, and vulnerabilities in products from other companies, such as Cisco and Netgear, have been exploited by APT (advanced persistent threat) groups,' a claim that Krebs confirmed.

'TP-Link customers are faced with a dilemma: should they continue to use these products or should they upgrade to more expensive alternatives that may be slightly more secure?' Krebs said.
Most consumer routers, not just TP-Link products, ship with default settings like default usernames and passwords that you should change before connecting to the internet, and even brand new routers often come with dangerously outdated firmware.
In recent years, many manufacturers have begun to force users to implement basic security measures like changing default passwords and updating firmware. Mesh routers like Amazon's Eero and Netgear's Orbi automate these steps by requiring online registration, and traditional, budget-friendly router brands like Belkin and Linksys have taken the same route by strongly recommending setup via a mobile app. However, even with these products, checking for and installing updates is often still the user's responsibility.
For users who want advanced features like VPNs or ad blocking, or who don't like cloud management, Krebs says it's important to see if you can replace your router's stock firmware with an open-source alternative like
Many TP-Link routers also support open-source firmware like OpenWRT, which, while not eliminating hardware-specific flaws, can be an effective defense against common vendor-specific vulnerabilities, such as undocumented user accounts or credentials embedded directly in programs, Krebs argued.

'Regardless of brand, if you have a router that's more than four or five years old, it's probably worth considering a firmware upgrade just to improve performance, especially if you use it primarily on Wi-Fi,' Krebs said.