TP-Link routers made in China are national security risk, US lawmakers say


US lawmakers are calling for an investigation into routers manufactured by Chinese-owned TP-Link Technologies and sold in the US – over concerns the company’s WiFi devices can be used by China to launch state-sponsored hacking campaigns.

Two House members sent a letter to US Commerce Secretary Gina Raimondo dated August 13th, requesting the department launch an investigation into TP-Link and its affiliates. The letter stated that “the company may represent a serious threat to the US.”

“An increasing number of outside researchers and analysts have identified specific concerns about the risks posed by TP-Link,” the letter states.

Established in the People’s Republic of China (PRC) in 1996 by two brothers based in Shenzhen, TP-Link is one of the world’s largest providers of WiFi networking and smart home devices – including WiFi routers in the US – selling over 160 million products annually to more than 170 countries worldwide, according to its website.

With dual headquarters in Singapore and California, the company is said to have severed ties with the Chinese TP-Link in 2022, and in May began the process of a company restructuring.

But the two Congressmen behind the letter – Chairman John Moolenaar (R-MI) and ranking member Raja Krishnamoorthi (D-IL) of the House Select Committee on the Strategic Competition Between the United States and the Chinese Communist Party – state that TP-Link routers are still “made in the PRC with Chinese technology.”

The duo says more information is needed to determine if PCR state-sponsored hackers could more easily compromise TP-Link routers to infiltrate US systems.

Additionally, the letter pointed out that US cyber analysts have “documented vulnerabilities from home equipment vendors across the board,” with TP-Link products garnering a “fair share of citations.”

The lawmakers say they are further concerned that Beijing could force TP-Link to hand over sensitive US information, a sticking point used by many lawmakers supporting a ban on TikTok.

“TP-Link’s unusual degree of vulnerabilities and required compliance with PRC law are in and of themselves disconcerting,” the lawmakers wrote in the letter.

“When combined with the PRC government’s common use of SOHO [small office/home office] routers like TP-Link to perpetrate extensive cyberattacks in the United States, it becomes significantly alarming,” they said.

History of exploitation

Last May, Microsoft threat researchers disclosed a massive government-backed hacking campaign, dubbed Volt Typhoon, targeting US critical infrastructure by taking advantage of end-of-life SOHO routers.

It is believed Volt Typhoon hackers may have infiltrated US systems up to five years earlier, although the US Justice Department in January said the vast majority of compromised devices appeared to be from Cisco and NetGear,

Also last year, it was revealed by security researchers that Chinese intelligence forces used TP-Link routers as part of a hacking campaign that targeted government officials across the European Union, the letter said.

At the time, FBI director Christopher Wray stated that PRC-sponsored hacking had “reached something closer to a fever pitch” calling the Chinese Advanced Persistent Threat (APT) the "defining threat of our generation,” the letter quoted.

TP-Link congress letter
Official letter by US lawmakers requesting the FTC launch an investigation into Chinese technology company TP-Link over national security concerns. Image by Cybernews.

Last February, the Cybernews research team produced its own exclusive report documenting numerous security flaws in the default firmware and the web interface app of the TP-Link AC1200 Archer C50 (v6) router.

Furthermore in 2023, the US Cybersecurity and Infrastructure Agency also identified a remote code exploitable flaw in TP-Link routers.

Moolenaar and Krishnamoorthi requested the Commerce put together a threat assessment and mitigation plan by August 30th using its ICTS [information and communication technology services] authority, which gives the agency power to restrict the movement of technology between US companies and those of ‘foreign adversaries.’

The Commerce Department said it would address the letter through appropriate channels, while TP-Link has not publicly commented on the charges.

The Chinese Embassy, in response to the accusations, said it hopes authorities will "have enough evidence when identifying cyber-related incidents, rather than make groundless speculations and allegations," reported Reuters.