TP-Link routers may be banned next year. Are they really dangerous?

If you’ve bought a Wi-Fi router in the last year, there’s a good chance it was made by TP-Link. This may not be possible in 2025.

Investigators at the Departments of Commerce, Defense, and Justice have all opened probes into the company because of its links to Chinese cyberattacks and are considering a potential ban on the sale of TP-Link routers, according to a Wall Street Journal article published last week.

TP-Link has become increasingly dominant in the US router market since the pandemic. According to the Journal report, it grew from 20% of total router sales in 2019 to about 65% this year. TP-Link disputed those numbers to CNET, and a separate analysis by IT platform Lansweeper found that 12% of home routers in the US are TP-Link.

While there have been high-profile cyberattacks involving TP-Link routers, this potential ban is more about the company’s ties to China than specific security issues that have been publicly identified, according to cybersecurity researchers I spoke with.

“People expect there to be some smoking gun or something in these devices from Chinese manufacturers, and what you end up finding are the same problems in every device. It’s not like the Chinese devices are obviously insecure,” Thomas Pace, CEO of cybersecurity firm NetRise and a former Department of Energy security contractor, told CNET. “That’s not the risk. The risk is in the corporate structure of every Chinese company.”

TP-Link was founded in 1996 by brothers Zhao Jianjun and Zhao Jiaxing in Shenzhen, China. In October, it moved its headquarters to Irvine, California, two months after the House announced an investigation into the company. The company told CNET that it previously operated two headquarters in Singapore and Irvine. Its newly opened headquarters in Shenzhen won an architecture award in 2017.

In my conversations with TP-Link representatives over the past few days, they have repeatedly distanced themselves from ties to China.

“TP-Link has a secure, vertically integrated US-owned international supply chain,” a TP-Link representative told CNET. “Almost all products sold in the United States are made in Vietnam.”

However, the US government seems to see TP-Link as a Chinese enterprise. In August, the House Select Committee on the Chinese Communist Party demanded an investigation into the company.

“TP-Link’s unusual degree of vulnerability and the required compliance with (Chinese) law is in itself disconcerting,” the lawmakers wrote. “When combined with the (Chinese) government’s routine use of (home office) routers like TP-Link to launch large-scale cyberattacks in the United States, it becomes significantly worrisome.”

Asked for comment, a TP-Link representative told CNET: “Like many consumer electronics brands, TP-Link Systems routers have been identified as potential targets for hackers. However, there is no evidence to suggest that our products are more vulnerable than those of other brands.”

CNET has several TP-Link models on our lists of the best Wi-Fi routers and will be watching this story closely to see if we need to re-evaluate these choices. While our assessment of the hardware hasn’t changed, we’re suspending our recommendations for TP-Link routers until we know more.

The ban is more about TP-Link’s ties to China than a known technical issue

The cybersecurity experts I spoke with agreed that TP-Link has security flaws — but so do all router companies. It is unclear whether the government has discovered a new problem that would lead to a potential sales ban on TP-Link.

The Wall Street Journal article cited federal contract documents showing that TP-Link routers have been purchased by agencies ranging from the National Aeronautics and Space Administration to the Defense Department and the Drug Enforcement Administration.

The potential ban comes at a time of growing bipartisan support in Washington for pulling Chinese products out of US telecoms. In an attack disclosed in October, dubbed “Salt Typhoon,” Chinese hackers reportedly infiltrated the networks of US internet providers such as AT&T, Verizon and Lumen, which owns CenturyLink and Quantum Fiber.

Brendan Carr, Trump’s pick to chair the Federal Communications Commission, said in a CNBC interview that a recent intelligence briefing on the Salt Typhoon attack “made me want to smash my phone at the end of the attack.”

“In many ways, the horse is out of the barn at this point,” Carr said. “And we need all hands on deck to try to deal with it and bring it under control.”

TP-Link is not related to the Salt Typhoon attacks, but the episode shows the current temperature for suspected threats from China.

The government may have identified a TP-Link vulnerability, but we don’t know for sure

Several of the cybersecurity experts I spoke to believe it’s likely that intelligence agencies have found something with TP-Link that warrants a ban.

“I think it comes from deeper intelligence within the US government. This usually happens before the information becomes public,” Guido Patanella, senior vice president of engineering at Lansweeper, told CNET.

In 2019, then-President Donald Trump issued an executive order that effectively banned US companies from using networking equipment from Huawei, another Chinese company that has come under fire over national security concerns.

Pace, NetRise’s CEO, told me he believed there was likely a “zero-day” vulnerability in TP-Link’s devices (a term for a hidden flaw that the vendor has had zero days to fix), but he was quick to point out that there was no evidence to support this.

“But at least that claim is based on some reality that we know exists, which is that the PRC (People’s Republic of China) is involved in every Chinese corporation. And that’s undeniable,” Pace said.

TP-Link has known security flaws, but so do all router companies

A TP-Link representative referred us to the Cybersecurity and Infrastructure Security Agency (CISA) list of Known Exploited Vulnerabilities (KEV). TP-Link has two vulnerabilities cataloged there, compared to eight for Netgear and 20 for D-Link; other popular router brands like Asus, Linksys, and Eero have none.

By this measure, TP-Link isn’t exceptional either way, but that might not be all that useful a measure.

“The problem with the CISA KEV (list) is, if everything is on the list, how good is that list?” Pace said. “Basically every telecommunications device on the planet has at least one CISA KEV vulnerability. This is a big problem for which there are no great answers.”

There are also several cybersecurity reports that single out TP-Link specifically. The most prominent came in October, when Microsoft released details of a password spraying attack that it had been tracking for more than a year. In this type of attack, hackers use one common password to access multiple accounts.

Microsoft called the attack “nation-state threat activity” and said TP-Link made up most of the routers used.
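For defenders, the pattern described above can be looked for in sign-in logs. The following is an added example, not code from this article or from Microsoft's report; the log format, thresholds and function names are assumptions chosen for illustration, and the log lines are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (not real data): timestamp, result, source, account.
SAMPLE_LOG = """\
2024-10-01T09:00:05 FAIL src=203.0.113.7 user=alice
2024-10-01T09:02:11 FAIL src=198.51.100.9 user=admin
2024-10-01T09:02:13 FAIL src=198.51.100.9 user=admin
2024-10-01T09:02:15 FAIL src=198.51.100.9 user=admin
2024-10-01T09:02:17 FAIL src=198.51.100.9 user=admin
2024-10-01T09:03:40 FAIL src=203.0.113.7 user=bob
2024-10-01T09:04:02 FAIL src=192.0.2.44 user=erin
2024-10-01T09:04:20 OK src=192.0.2.44 user=erin
2024-10-01T09:07:12 FAIL src=203.0.113.7 user=carol
2024-10-01T09:11:48 FAIL src=203.0.113.7 user=dave
"""

def parse_failures(log):
    """Return time-sorted (timestamp, source, account) tuples for failed sign-ins."""
    events = []
    for line in log.strip().splitlines():
        ts, result, src, user = line.split()
        if result == "FAIL":
            events.append((datetime.fromisoformat(ts),
                           src.partition("=")[2], user.partition("=")[2]))
    return sorted(events)

def detect_spray(events, window=timedelta(minutes=30),
                 min_accounts=4, max_per_account=2):
    """Flag sources that fail against many accounts, few tries each, in one window."""
    by_src = defaultdict(list)
    for ts, src, user in events:
        by_src[src].append((ts, user))
    flagged = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward
            tries = Counter(user for _, user in evs[start:end + 1])
            # Many accounts with few tries each is a spray; many tries on one
            # account (198.51.100.9 above) is a conventional brute force.
            if len(tries) >= min_accounts and max(tries.values()) <= max_per_account:
                flagged[src] = sorted(tries)
                break
    return flagged

if __name__ == "__main__":
    print(detect_spray(parse_failures(SAMPLE_LOG)))
```

Per-account lockout counters miss this pattern because each account sees only one or two failures; grouping by source is what exposes it.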

In May 2023, Check Point Research also identified a firmware implant in TP-Link routers linked to a Chinese state-sponsored hacking group. In this case, the campaign was aimed at European foreign policy structures. However, the researchers stress that the attack was written in a “firmware-dependent manner” and was not intended to exploit TP-Link specifically.

“While our analysis focused on its presence in TP-Link’s modified firmware, previous incidents have shown that similar implants and backdoors have been used on devices from various manufacturers, including US-based ones,” Itai Cohen, one of the report’s authors at Check Point Research, told CNET.

“The broader implication is that this implant is not targeting a specific brand — it’s part of a larger strategy to exploit systemic vulnerabilities in the Internet infrastructure.”

Cohen said he doesn’t believe banning TP-Link will improve security much. As I have heard from other researchers, the security issues identified are not unique to one company.

“The vulnerabilities and risks associated with routers are largely systemic and affect a wide range of brands, including those made in the US,” Cohen said. “We do not believe that the implant we discovered was known to TP-Link or was knowingly inserted as a backdoor into their products.”

Is it safe to use a TP-Link router?

There are real risks associated with using a TP-Link router, but some level of risk is present no matter what brand of router you use. Cyberattacks linked to Chinese actors have generally targeted think tanks, government organizations, non-governmental organizations and Defense Department suppliers, according to the Journal report.

“I don’t think the average person is going to have this massive target on their back,” Pace told CNET. “They tend to pursue the things they want to pursue.”

However, these types of attacks are often indiscriminate, with the goal of creating a chain of nodes between infected routers and hackers.

“This means that ordinary users are at risk of being attacked as part of a broader attack, even if they are not individually attacked,” said Cohen, a researcher at Check Point Security.

How to protect yourself if you have a TP-Link router

To keep your network safe and secure, you should follow the same steps whether you have a TP-Link router or another brand. Here’s what the experts recommend:

  • Keep your firmware updated: One of the most common ways for hackers to access your network is through outdated firmware. TP-Link told us that customers with TP-Link Cloud accounts can simply click the “Check for Updates” button in their product’s firmware menu when logged into the TP-Link app or website. You can also find the latest updates at TP-Link’s download center.
  • Strengthen your credentials: If you’ve never changed your router’s default login credentials, now is the time to do so. Weak passwords are the culprit behind many of the most common attacks. “Devices using standard or weak passwords are easy targets,” Cohen told CNET. “Default passwords or simple passwords can easily be forced or known.” Most routers have an app that lets you update your login credentials, but you can also reach the settings by entering your router’s IP address in your browser’s URL bar. These credentials are different from your Wi-Fi name and password, which should also be changed every six months. The longer and more random the password, the better.
  • Consider using a VPN service: For an added layer of protection, a virtual private network will encrypt all your internet traffic and prevent your ISP (or anyone else) from tracking the websites or apps you use. You can find CNET’s picks for the best VPN services here.



 