US Weighs Banning TP-Link Router Over National Security Concerns (msn.com) 28
U.S. authorities are investigating Chinese router manufacturer TP-Link over national security risks and considering banning its devices, WSJ reported Wednesday, citing sources familiar with the matter. The Commerce, Defense and Justice departments have launched separate probes into the company, which controls approximately 65% of the U.S. home and small business router market.
Microsoft reported in October that Chinese hackers had compromised thousands of TP-Link routers to launch cyberattacks against Western targets, including government organizations and Defense Department suppliers. The company's routers are widely used across federal agencies, including the Defense Department and NASA. The Justice Department is also examining whether TP-Link's significantly lower pricing violates federal anti-monopoly laws, the report said.
Microsoft reported in October that Chinese hackers had compromised thousands of TP-Link routers to launch cyberattacks against Western targets, including government organizations and Defense Department suppliers. The company's routers are widely used across federal agencies, including the Defense Department and NASA. The Justice Department is also examining whether TP-Link's significantly lower pricing violates federal anti-monopoly laws, the report said.
Matters? (Score:4, Insightful)
Would this really matter? By they time they get around to banning anything, a different Chinese company will pop up and make the same thing with the same cheap price and same lax of security.
Re:Matters? (Score:4, Interesting)
TP-Link should have been banned a long time ago, so yes it is quite late. The reality though is that getting back that dominant market position requires significant time and resources, and until you have the large install base the scale of the security risk is limited. Similar measures should be made for other Chinese brands. Of course it is better to do it based on a security audit rather than nationality, but that is a little harder to implement.
Re:Matters? (Score:5, Insightful)
Chinese relations need to revert back to how they were before Tricky Dick through us all under the bus.
Re: (Score:2)
It was also Kissinger, and they both threw Taiwan under the bus as well.
Re:Matters? (Score:5, Interesting)
Also, let's say they pull a Huawei style ban and demand the ISPs replace any devices they've supplied to end users as part of a service setup bundle, etc. (tinfoil: with one the US definitely has access to a backdoor on instead of a potential one that gives the PRC access)? Since TP-Link seems to be a very popular brand for ISP supplied packages, that's not going to be particularly cheap. As a quick guesstimate; 65% of approx 130m homes in the US (not all of which will have Internet) + businesses, etc. is likely to be somewhere around 75m routers deployed, many of which are probably ISP supplied. Who pays for that? My money is on the taxpaper, one way or another.
Re: (Score:2)
>> how many were more likely compromised through some lame setup of the router by the ISP
Maybe its just that "TP-Link routers are routinely shipped to customers with security flaws, which the company often fails to address" like the article states.
Re: (Score:3)
Would this really matter? By they time they get around to banning anything, a different Chinese company will pop up and make the same thing with the same cheap price and same lax of security.
Probably doesn’t even take a company change to plasti-dip the same box in a different color and slap a new logo on it. Could probably be done in a couple of days. Or hours, if the graphics guy in Marketing is feeling it that morning after a third cup of coffee.
Yeah, it’s weird the invoice is coming from the same address, but the guy buying 5,000 of them only gives a shit about the number in the bottom right corner. They don’t put addresses there.
And webcams that *require* chinese server? (Score:5, Insightful)
What we need is a blanket ban on any device not letting the purchaser simply choose what IPs the device will ever talk to.
Re:And webcams that *require* chinese server? (Score:5, Insightful)
What about all the cheap webcams that *require* the use of a chinese server? What we need is a blanket ban on any device not letting the purchaser simply choose what IPs the device will ever talk to.
Line up 100 consumers. Ask them what an “IP” is. Ask them if they know why they should know.
You’ll see rather quickly why GUIs are written for toddlers, and why admin functions were reduced to an touchscreen-enabled app permanently logged in, a while ago.
Re: (Score:2)
GUIs are also good for when you cannot be arsed to recall or look up arcane Unix CLI syntax because you are only using the particular command once every 5 years.
Apple had a good one for their MPW development system. It could either use some unixy-like text commands or you could pull up a dialog box for that command and use radio buttons, check boxes, and text fields. It built the command for you as you worked the GUI. Then you could execute it right there or copy and paste it into another window. It was won
OpenWRT support (Score:5, Informative)
I have a TP-Link router. I am not afraid of it because I have reflashed it with OpenWRT. A lot of their routers run Linux and are supported by OpenWRT.
Pretty much all consumer routers come from China so you don't really have a choice about where the hardware comes from. But you do have a choice about the software, if you look at the OpenWRT ToH [openwrt.org] before you buy. Buying a router which isn't supported by them is a very bad idea. Yes, there are some other distributions as well. Maybe you think one of them is better, you do you etc. But I want one well supported option and that's as close as you can get.
Re: (Score:2)
Do you feel there are any additional concerns above and beyond the software layer with using Chinese hardware?
You can't reasonably be sure that the chips are safe, but you can be reasonably sure that they're not phoning home on everyone all the time because it's too likely that someone would catch that.
So the question then becomes whether they would be vulnerable to some kind of magic packet attack. Looking at my router (the one I'm using right now is actually a Linksys, my TP-Link router is a backup) I can see that the wifi driver is running in user space. Consequently the bar for exfiltration of data is somewhat
Re: OpenWRT support (Score:2)
Thanks for the information.
Amazing that OpenWRT supports so many routers (269 TP-Link alone).
Good advice to ditch dodgy vendor software for quality open source.
You wanted cheap electronics (Score:5, Insightful)
Consequence : various "hackers" move on ... (Score:2)
Actually, "they" almost certainly have multiple zero-day attacks in the bag, and will just devote more time to finding new ones in less popular systems.
I wonder how many are targetting TP-Links flashed with OpenWRT. Very unlikely to be no attention there, if "flashing your router" was ever a significant thing.
"Toilet Paper Link"? (Score:2)
Who the sh** named this company?
Re: "Toilet Paper Link"? (Score:1)
Someone who isn't familiar with the Americanism "TP".
America attempts to confiscate foreign businesses (Score:2, Interesting)
"The Justice Department is also examining whether TP-Link's significantly lower pricing violates federal anti-monopoly laws"
Do you know what's exactly NOT characteristic of a monopoly? Lower prices. TP-Link doesn't own nearly enough of the market to have a monopoly, either. Not like Microsoft! But, hey, Microsoft is an American monopoly.
This looks like yet another ploy to steal foreign businesses to benefit greedy American corporations. It has nothing to do with security and everything to do with the Almigh
Re: (Score:2)
The US Government does not subsidize Microsoft in an attempt to skew the market.
What do you call not holding them accountable for violating antitrust law in basically every way possible under the Bush administration? They should have been broken up there, but they weren't. Instead they got a less-than-a-handslap punishment and kept doing business just the same way as always.
Crock of... (Score:1)
Like the CIA can't fake all these hacks to look like they're from China.
Spectrum (Score:2)
All of this consumer router stuff is garbage. I remember a few years ago when I had some cable modem from Spectrum. Now, the configuration I had was basically that my Spectrum crap fed into my own access point so I could control it. Unfortunately, I found out that Spectrum kept "updating" their access point, and every time they turned some kind of built-in wireless functionality on. And they had the (outer) network password and everything else. Now, that wasn't really a security problem because my own equip
list growing (Score:2)
The list keeps growing... and now the scope is expanding. Kinda surprising that the government is using so much TP-Link. I'm sure contractors that care won't install it.
https://www.acquisition.gov/df... [acquisition.gov].
Zyxel Routers (Score:2)
I am Cornholio! (Score:2)
TP-Link used to be the king of open source (Score:2)
I have used a lot of TP-Link routers with OpenWRT in the past. They were awesome (except hardware quality. They all needed replacement in a few years, but then the wifi tech was also advancing)
https://openwrt.org/toh/hwdata... [openwrt.org]
They just worked out of the box, and even sometimes using the original firmware's update page. (Yes, just download the open source firmware, open router, upload, and reboot).
At one point they locked the bootloader.
And everything went downhill from there.
Their excuse? US people installi