US Weighs Banning TP-Link Router Over National Security Concerns (msn.com) 72
U.S. authorities are investigating Chinese router manufacturer TP-Link over national security risks and considering banning its devices, WSJ reported Wednesday, citing sources familiar with the matter. The Commerce, Defense and Justice departments have launched separate probes into the company, which controls approximately 65% of the U.S. home and small business router market.
Microsoft reported in October that Chinese hackers had compromised thousands of TP-Link routers to launch cyberattacks against Western targets, including government organizations and Defense Department suppliers. The company's routers are widely used across federal agencies, including the Defense Department and NASA. The Justice Department is also examining whether TP-Link's significantly lower pricing violates federal anti-monopoly laws, the report said.
Microsoft reported in October that Chinese hackers had compromised thousands of TP-Link routers to launch cyberattacks against Western targets, including government organizations and Defense Department suppliers. The company's routers are widely used across federal agencies, including the Defense Department and NASA. The Justice Department is also examining whether TP-Link's significantly lower pricing violates federal anti-monopoly laws, the report said.
Matters? (Score:5, Insightful)
Would this really matter? By they time they get around to banning anything, a different Chinese company will pop up and make the same thing with the same cheap price and same lax of security.
Re:Matters? (Score:5, Insightful)
TP-Link should have been banned a long time ago, so yes it is quite late. The reality though is that getting back that dominant market position requires significant time and resources, and until you have the large install base the scale of the security risk is limited. Similar measures should be made for other Chinese brands. Of course it is better to do it based on a security audit rather than nationality, but that is a little harder to implement.
Re:Matters? (Score:4, Insightful)
Chinese relations need to revert back to how they were before Tricky Dick through us all under the bus.
Re: (Score:2)
It was also Kissinger, and they both threw Taiwan under the bus as well.
Re: (Score:2)
It was also Kissinger, ...
Looking like that, he talked his way into Jill St. John's bed. Enough said.
Re: (Score:3)
Re:Matters? (Score:4, Informative)
By the mid 1970s China and Vietnam were on opposite sides due to a dispute over Cambodia so much so that China tried unsuccessfully to invade Vietnam in 1979. You could make the case that Nixon's withdrawal from Vietnam helped lead to the end of wars in South East Asia but selling out our friends in Taiwan to the People's Republic of China by stealing their seat on the UN Security Council, having them expelled from the UN, breaking off formal diplomatic relations, declaring them a non-country and ultimately breaking a thirty year military alliance and withdrawing our troops from the Republic of China did not so much as end war in South East Asia as set the stage for what could be a much more serious war than Vietnam five or six decades later. Betraying your closest friends is generally speaking not the way to win friends and influence people. More like the opposite.
Re: (Score:2)
TP-Link should have been banned a long time ago
Do you have anything to base this on other then xenophobia?
Re: (Score:2)
How about Chinese law itself [ft.com]?
Re: (Score:3)
Re:Matters? (Score:5, Interesting)
Also, let's say they pull a Huawei style ban and demand the ISPs replace any devices they've supplied to end users as part of a service setup bundle, etc. (tinfoil: with one the US definitely has access to a backdoor on instead of a potential one that gives the PRC access)? Since TP-Link seems to be a very popular brand for ISP supplied packages, that's not going to be particularly cheap. As a quick guesstimate; 65% of approx 130m homes in the US (not all of which will have Internet) + businesses, etc. is likely to be somewhere around 75m routers deployed, many of which are probably ISP supplied. Who pays for that? My money is on the taxpaper, one way or another.
Re: (Score:2)
>> how many were more likely compromised through some lame setup of the router by the ISP
Maybe its just that "TP-Link routers are routinely shipped to customers with security flaws, which the company often fails to address" like the article states.
Re:Matters? (Score:4, Informative)
Maybe its just that "TP-Link routers are routinely shipped to customers with security flaws, which the company often fails to address" like the article states.
All do.
I was recently involved in 2 major patches to 2 ONT+RG devices from 2 different manufacturers deployed in many millions of homes in the US.
For one of them, a huge number had already been compromised. After a day of the vendor leading us all on wild goose chases to close the fucking door, I found the actual problem in about 30 minutes with binwalk and Ghidra. A hard-coded password on an open ACS port.
Beyond that, almost every device we deploy, I have found at least 1 vulnerability that lets me get into them in emergencies.
The software stacks on these things are cobbled together with open source parts and bash scripting by the lest competent people you can find, for the lowest dollar.
This includes US manufacturers.
The arguable *worst*, which I will not directly name due to close business relationship, is a very American brand.
Re: (Score:2)
Yeah, it's not good business practice to burn bridges, is it? ;-)
Re: (Score:3)
Would this really matter? By they time they get around to banning anything, a different Chinese company will pop up and make the same thing with the same cheap price and same lax of security.
Probably doesn’t even take a company change to plasti-dip the same box in a different color and slap a new logo on it. Could probably be done in a couple of days. Or hours, if the graphics guy in Marketing is feeling it that morning after a third cup of coffee.
Yeah, it’s weird the invoice is coming from the same address, but the guy buying 5,000 of them only gives a shit about the number in the bottom right corner. They don’t put addresses there.
Re: (Score:3)
a different Chinese company will pop up
TP-Link isn't a small no-name company popping up on Alibaba to sell shit only to disappear in a smokebomb when you look at them. They are a massive brand globally that has been around for just shy of 30 years and manufacture their own products, not simply rebadge generic shit.
No a different company won't just pop up and take their place.
And webcams that *require* chinese server? (Score:5, Insightful)
What we need is a blanket ban on any device not letting the purchaser simply choose what IPs the device will ever talk to.
Re:And webcams that *require* chinese server? (Score:5, Insightful)
What about all the cheap webcams that *require* the use of a chinese server? What we need is a blanket ban on any device not letting the purchaser simply choose what IPs the device will ever talk to.
Line up 100 consumers. Ask them what an “IP” is. Ask them if they know why they should know.
You’ll see rather quickly why GUIs are written for toddlers, and why admin functions were reduced to an touchscreen-enabled app permanently logged in, a while ago.
Re: (Score:3)
GUIs are also good for when you cannot be arsed to recall or look up arcane Unix CLI syntax because you are only using the particular command once every 5 years.
Apple had a good one for their MPW development system. It could either use some unixy-like text commands or you could pull up a dialog box for that command and use radio buttons, check boxes, and text fields. It built the command for you as you worked the GUI. Then you could execute it right there or copy and paste it into another window. It was won
Re: (Score:2)
OpenWRT support (Score:5, Informative)
I have a TP-Link router. I am not afraid of it because I have reflashed it with OpenWRT. A lot of their routers run Linux and are supported by OpenWRT.
Pretty much all consumer routers come from China so you don't really have a choice about where the hardware comes from. But you do have a choice about the software, if you look at the OpenWRT ToH [openwrt.org] before you buy. Buying a router which isn't supported by them is a very bad idea. Yes, there are some other distributions as well. Maybe you think one of them is better, you do you etc. But I want one well supported option and that's as close as you can get.
Re: (Score:3)
Do you feel there are any additional concerns above and beyond the software layer with using Chinese hardware?
You can't reasonably be sure that the chips are safe, but you can be reasonably sure that they're not phoning home on everyone all the time because it's too likely that someone would catch that.
So the question then becomes whether they would be vulnerable to some kind of magic packet attack. Looking at my router (the one I'm using right now is actually a Linksys, my TP-Link router is a backup) I can see that the wifi driver is running in user space. Consequently the bar for exfiltration of data is somewhat
Re: OpenWRT support (Score:3)
Thanks for the information.
Amazing that OpenWRT supports so many routers (269 TP-Link alone).
Good advice to ditch dodgy vendor software for quality open source.
Re: (Score:2)
Also how... often do you update OpenWRT. In my experience it was far behind on a lot of security updates for key parts, like openssl. I could have gone down the rabbit hole of trying to update the dependency and rebuilding but that was a pain I wasn't willing to accept. I moved on to a different platform not based on an existing consumer router.
Re: OpenWRT support (Score:2)
Routers with more RAM and flash are most likely to support newer OpenWRT. Buy one of those.
You can update packages, or where supported, you can update the whole system. More resources, more interest, more support.
Right to Repair (Score:3, Insightful)
The software and firmware of ALL devices must be open-sourced, or at least made public for inspection.
I distrust closed software, but currently it cannot be avoided. Then I have to decide - do I prefer the US or the Chinese to spy on me? Americans would chose Chinese spying, because China has less power over US citizens than Uncle Sam.
If the problem lies in hardware and hard-coded components, then the US government is duty-bound to reveal this and provide proper evidence. Simply banning Chinese stuff doe
Re: (Score:2)
But you do have a choice about the software, if you look at the OpenWRT ToH [openwrt.org] before you buy.
And one of the major problems with this method is that the list is somewhat limited relative to the hardware on the shelves, and the hardware on the shelves has a tendency to be retailer-specific. It's easy for Best Buy to make a price match guarantee when they have exclusivity on the model, rinse/repeat for most other retailers. Even worse are the revisions; Router X rev.1 might support OpenWRT, while rev.2 might not.
A good amount of this has to do with the different chipsets that don't provide drivers for
Re: (Score:3)
I don't suppose they're also going to ban Cisco and Netgear: US confirms takedown of China-run botnet targeting home and office routers [therecord.media]: "KV targets Cisco and Netgear"
Over and over, including with TP-Link, you find two common threads: (1) default/weak passwords, and (2) unpatched firmware. I haven't found a single reference to an attack that accused or implied that TP-Link intentionally installed backdoors to allow APTs to gain control, The problem is that consumers don't change their password or patch th
Re: (Score:2)
What I do is run a dedicated OPNSense (FreeBSD) firewall/router on a mini PC appliance and have a few stand-alone WIFI access points. Everything goes through a dedicated managed switch, so only the OPNSense device sees internet traffic.
I actually use Omada APs, which happen to be made by TP-Link. If there are back doors that could be exploited by someone else, well, I keep my management network on a separate VLAN from my WIFI and "public" ethernet drops with no internet access, so no TP-Link/Omada hardware
Re: (Score:2)
At the level of consumer-tier routers there aren't actually just tons of SoC vendors (Broadcomm, Mediatek and Qualcomm seem to be the big ones that do fully
You wanted cheap electronics (Score:5, Insightful)
Re: (Score:2)
Re: (Score:2)
Consequence : various "hackers" move on ... (Score:2)
Actually, "they" almost certainly have multiple zero-day attacks in the bag, and will just devote more time to finding new ones in less popular systems.
I wonder how many are targetting TP-Links flashed with OpenWRT. Very unlikely to be no attention there, if "flashing your router" was ever a significant thing.
"Toilet Paper Link"? (Score:1, Funny)
Who the sh** named this company?
Re: "Toilet Paper Link"? (Score:1)
Someone who isn't familiar with the Americanism "TP".
Re: (Score:1)
So the same people who named Siemens Inc.?
Re: (Score:2)
Werner Siemens didn't choose his family name
Re: (Score:3)
A couple of brothers who were very into networking, TP == twisted pair.
Re: (Score:1)
Not an improvement :-)
Re: (Score:3)
America attempts to confiscate foreign businesses (Score:3, Interesting)
"The Justice Department is also examining whether TP-Link's significantly lower pricing violates federal anti-monopoly laws"
Do you know what's exactly NOT characteristic of a monopoly? Lower prices. TP-Link doesn't own nearly enough of the market to have a monopoly, either. Not like Microsoft! But, hey, Microsoft is an American monopoly.
This looks like yet another ploy to steal foreign businesses to benefit greedy American corporations. It has nothing to do with security and everything to do with the Almighty Dollar.
Re: (Score:2)
The US Government does not subsidize Microsoft in an attempt to skew the market.
What do you call not holding them accountable for violating antitrust law in basically every way possible under the Bush administration? They should have been broken up there, but they weren't. Instead they got a less-than-a-handslap punishment and kept doing business just the same way as always.
Re: (Score:2)
Re: (Score:2)
That natural monopoly was ill-gotten- to be sure.
But it's not going to go away now, nor was it then. Not when 80-something% of all applications and games used by users of computers are Windows-only.
There is an obscenely high barrier to entry for replacing Windows outside of dumbshit dork circles.
Re: (Score:2)
What do you call not holding them accountable for violating antitrust law in basically every way possible under the Bush administration?
They literally were held accountable.
They should have been broken up there, but they weren't.
They won an appeal. The justice system favoring their argument against being broken up is not government malfeasance or protectionism.
Instead they got a less-than-a-handslap punishment and kept doing business just the same way as always.
They signed a binding consent decree.
They did, in fact, change the aspects of their business they were required to.
The fact that your personal belief about what needed to change was not agreed to upon by the courts and attorneys doesn't mean some kind of conspiracy to protect them took place.
Your take on this is complete shit.
Re: (Score:2)
The justice system favoring their argument against being broken up is not government malfeasance or protectionism.
Yes, in fact it is. Bush's AG Ashcroft said out loud that they weren't breaking them up because it wouldn't be in the best interest of the nation, by which he meant the MIC and Five Eyes because Microsoft is a member of PRISM and a defense contractor.
Your take on this is complete shit.
By all means, keep covering your eyes and ears and letting shit flow out of your mouth.
Re: (Score:2)
Yes, in fact it is. Bush's AG Ashcroft said out loud that they weren't breaking them up because it wouldn't be in the best interest of the nation, by which he meant the MIC and Five Eyes because Microsoft is a member of PRISM and a defense contractor.
This is bullshit.
It wasn't the AG's choice. It was the court's.
This is what actually happened. [nytimes.com]
I don't know where your recollection of this comes from, but it's not reality.
By all means, keep covering your eyes and ears and letting shit flow out of your mouth.
Bullshit, dude. Quit trying to make a conspiracy out of a legal matter.
Re: (Score:2)
Of course it does, they just go about it in different ways: https://subsidytracker.goodjob... [goodjobsfirst.org]
The US is even more up its ass than China when it comes to giving money to private companies and trying to create favourable market conditions through protectionism. It's not China that came up with "too big to fail" while unironically babbling like a toddler about how the market will "regulate itself".
Re: (Score:2)
Unlike in the USA, where there is no such thing as PRISM, and laws don't apply to private companies.
Re: (Score:2)
Do you know what's exactly NOT characteristic of a monopoly? Lower prices.
Actually that is false. Lower pricing is something that could explicitly be an anti-trust violation if you have market power, while being legal if you don't have market power. History is rich with large companies cutting prices to undercut new entrants while eating the losses they make - propping up their business from other income or from external investment until their competitors go bankrupt. History is full of companies found guilty of this as well.
Look up "predatory pricing".
That said I doubt that is w
Re: (Score:2)
Do you know what's exactly NOT characteristic of a monopoly? Lower prices.
The practice is called "dumping", and it's something monopolizers use to build their monopoly, and is illegal under US (Federal) anti-trust (anti-monopoly) laws.
How old are you, and why the fuck didn't you learn this shit in high school?
Re: (Score:2)
Attribution is practically impossible. If there is a security hole (intentional or not), anyone can use it. The only way to be sure who did it is if it was yourself. Or if you catch them in the act at their own machine.
That's from a technical point of view. From a political point of view, you can always attribute it to whoever it is most beneficial to you for them to have done it. (Which can be embarrassing if the foreign state actors du jour turn out to have been a bored teenager in California again.)
Spectrum (Score:2)
All of this consumer router stuff is garbage. I remember a few years ago when I had some cable modem from Spectrum. Now, the configuration I had was basically that my Spectrum crap fed into my own access point so I could control it. Unfortunately, I found out that Spectrum kept "updating" their access point, and every time they turned some kind of built-in wireless functionality on. And they had the (outer) network password and everything else. Now, that wasn't really a security problem because my own equip
Re: (Score:2)
some neighbor kid started pirating my wireless
Sounds like you were using WEP at the time or no WiFi security at all.
Software-wise, OpenWrt is the way to go with these consumer routers.
Gargoyle is nice too (and easier to use) while still being OpenWrt based, if your router is supported.
Re: (Score:2)
some neighbor kid started pirating my wireless
Sounds like you were using WEP at the time or no WiFi security at all.
Wow...So, wireless connectivity has changed up since 2004; it's been well over a decade since routers shipped with either WEP or a truly open SSID.
Spectrum's modems now are all-in-one appliances that are modems, routers, switches, and APs in a single box. For the general public, this is probably a net positive, but Spectrum also has a habit of letting that appliance broadcast "SpectrumWIFI", which enables people to use that public-ish system from the modem of its customers (it has a captive portal login so
list growing (Score:2)
The list keeps growing... and now the scope is expanding. Kinda surprising that the government is using so much TP-Link. I'm sure contractors that care won't install it.
https://www.acquisition.gov/df... [acquisition.gov].
Zyxel Routers (Score:1)
Re: (Score:3)
Solid German engineering
Can you point out on a map of Germany where I can find Taiwan? You know, Zyxel being a Taiwanese company which has much of their manufacturing in *checks notes* oh dear ... China.
Re: (Score:2)
They have a STUN bug that they don't seem to care about fixing.
Beyond that, their interface was put together by a toddler.
Otherwise, as long as you never interact with the thing, or don't need it to do anything advanced, I agree, they're a great price point for physical feature set.
Re: (Score:2)
I am Cornholio! (Score:2, Funny)
TP-Link used to be the king of open source (Score:2)
I have used a lot of TP-Link routers with OpenWRT in the past. They were awesome (except hardware quality. They all needed replacement in a few years, but then the wifi tech was also advancing)
https://openwrt.org/toh/hwdata... [openwrt.org]
They just worked out of the box, and even sometimes using the original firmware's update page. (Yes, just download the open source firmware, open router, upload, and reboot).
At one point they locked the bootloader.
And everything went downhill from there.
Their excuse? US people installi
Re:TP-Link used to be the king of open source (Score:4, Informative)
Almost all brands are made in china (Score:2)
Re: (Score:2)