US Weighs Banning TP-Link Router Over National Security Concerns (msn.com)
U.S. authorities are investigating Chinese router manufacturer TP-Link over national security risks and considering banning its devices, WSJ reported Wednesday, citing sources familiar with the matter. The Commerce, Defense and Justice departments have launched separate probes into the company, which controls approximately 65% of the U.S. home and small business router market.
Microsoft reported in October that Chinese hackers had compromised thousands of TP-Link routers to launch cyberattacks against Western targets, including government organizations and Defense Department suppliers. The company's routers are widely used across federal agencies, including the Defense Department and NASA. The Justice Department is also examining whether TP-Link's significantly lower pricing violates federal anti-monopoly laws, the report said.
Matters? (Score:5, Insightful)
Would this really matter? By the time they get around to banning anything, a different Chinese company will pop up and make the same thing with the same cheap price and same lack of security.
Re:Matters? (Score:5, Insightful)
TP-Link should have been banned a long time ago, so yes it is quite late. The reality though is that getting back that dominant market position requires significant time and resources, and until you have the large install base the scale of the security risk is limited. Similar measures should be made for other Chinese brands. Of course it is better to do it based on a security audit rather than nationality, but that is a little harder to implement.
Re:Matters? (Score:4, Insightful)
Chinese relations need to revert back to how they were before Tricky Dick threw us all under the bus.
Re: (Score:2)
It was also Kissinger, and they both threw Taiwan under the bus as well.
Re: (Score:2)
It was also Kissinger, ...
Looking like that, he talked his way into Jill St. John's bed. Enough said.
Re:Matters? (Score:4, Informative)
By the mid 1970s China and Vietnam were on opposite sides due to a dispute over Cambodia so much so that China tried unsuccessfully to invade Vietnam in 1979. You could make the case that Nixon's withdrawal from Vietnam helped lead to the end of wars in South East Asia but selling out our friends in Taiwan to the People's Republic of China by stealing their seat on the UN Security Council, having them expelled from the UN, breaking off formal diplomatic relations, declaring them a non-country and ultimately breaking a thirty year military alliance and withdrawing our troops from the Republic of China did not so much as end war in South East Asia as set the stage for what could be a much more serious war than Vietnam five or six decades later. Betraying your closest friends is generally speaking not the way to win friends and influence people. More like the opposite.
Re: (Score:2)
TP-Link should have been banned a long time ago
Do you have anything to base this on other than xenophobia?
Re: (Score:2)
How about Chinese law itself [ft.com]?
Re:Matters? (Score:5, Interesting)
Also, let's say they pull a Huawei style ban and demand the ISPs replace any devices they've supplied to end users as part of a service setup bundle, etc. (tinfoil: with one the US definitely has access to a backdoor on instead of a potential one that gives the PRC access)? Since TP-Link seems to be a very popular brand for ISP supplied packages, that's not going to be particularly cheap. As a quick guesstimate; 65% of approx 130m homes in the US (not all of which will have Internet) + businesses, etc. is likely to be somewhere around 75m routers deployed, many of which are probably ISP supplied. Who pays for that? My money is on the taxpayer, one way or another.
Re: (Score:2)
>> how many were more likely compromised through some lame setup of the router by the ISP
Maybe it's just that "TP-Link routers are routinely shipped to customers with security flaws, which the company often fails to address" like the article states.
Re:Matters? (Score:4, Informative)
Maybe it's just that "TP-Link routers are routinely shipped to customers with security flaws, which the company often fails to address" like the article states.
All do.
I was recently involved in 2 major patches to 2 ONT+RG devices from 2 different manufacturers deployed in many millions of homes in the US.
For one of them, a huge number had already been compromised. After a day of the vendor leading us all on wild goose chases to close the fucking door, I found the actual problem in about 30 minutes with binwalk and Ghidra. A hard-coded password on an open ACS port.
Beyond that, almost every device we deploy, I have found at least 1 vulnerability that lets me get into them in emergencies.
The software stacks on these things are cobbled together with open source parts and bash scripting by the least competent people you can find, for the lowest dollar.
This includes US manufacturers.
The arguable *worst*, which I will not directly name due to close business relationship, is a very American brand.
Re: (Score:2)
Yeah, it's not good business practice to burn bridges, is it? ;-)
Re: (Score:3)
Would this really matter? By the time they get around to banning anything, a different Chinese company will pop up and make the same thing with the same cheap price and same lack of security.
Probably doesn’t even take a company change to plasti-dip the same box in a different color and slap a new logo on it. Could probably be done in a couple of days. Or hours, if the graphics guy in Marketing is feeling it that morning after a third cup of coffee.
Yeah, it’s weird the invoice is coming from the same address, but the guy buying 5,000 of them only gives a shit about the number in the bottom right corner. They don’t put addresses there.
Re: (Score:3)
a different Chinese company will pop up
TP-Link isn't a small no-name company popping up on Alibaba to sell shit only to disappear in a smokebomb when you look at them. They are a massive brand globally that has been around for just shy of 30 years and manufacture their own products, not simply rebadge generic shit.
No a different company won't just pop up and take their place.
And webcams that *require* chinese server? (Score:5, Insightful)
What we need is a blanket ban on any device not letting the purchaser simply choose what IPs the device will ever talk to.
Re:And webcams that *require* chinese server? (Score:5, Insightful)
What about all the cheap webcams that *require* the use of a chinese server? What we need is a blanket ban on any device not letting the purchaser simply choose what IPs the device will ever talk to.
Line up 100 consumers. Ask them what an “IP” is. Ask them if they know why they should know.
You’ll see rather quickly why GUIs are written for toddlers, and why admin functions were reduced to a touchscreen-enabled app permanently logged in, a while ago.
Re: (Score:3)
GUIs are also good for when you cannot be arsed to recall or look up arcane Unix CLI syntax because you are only using the particular command once every 5 years.
Apple had a good one for their MPW development system. It could either use some unixy-like text commands or you could pull up a dialog box for that command and use radio buttons, check boxes, and text fields. It built the command for you as you worked the GUI. Then you could execute it right there or copy and paste it into another window. It was won
Re: (Score:2)
IBM AIX had a tool like that for management tasks that was called SMIT. Same story, you manipulated the GUI and it built a command line for you. Great learning tool. It started as a text menu, but then got developed into an X11 version.
OpenWRT support (Score:5, Informative)
I have a TP-Link router. I am not afraid of it because I have reflashed it with OpenWRT. A lot of their routers run Linux and are supported by OpenWRT.
Pretty much all consumer routers come from China so you don't really have a choice about where the hardware comes from. But you do have a choice about the software, if you look at the OpenWRT ToH [openwrt.org] before you buy. Buying a router which isn't supported by them is a very bad idea. Yes, there are some other distributions as well. Maybe you think one of them is better, you do you etc. But I want one well supported option and that's as close as you can get.
Re:OpenWRT support (Score:4, Informative)
Do you feel there are any additional concerns above and beyond the software layer with using Chinese hardware?
You can't reasonably be sure that the chips are safe, but you can be reasonably sure that they're not phoning home on everyone all the time because it's too likely that someone would catch that.
So the question then becomes whether they would be vulnerable to some kind of magic packet attack. Looking at my router (the one I'm using right now is actually a Linksys, my TP-Link router is a backup) I can see that the wifi driver is running in user space. Consequently the bar for exfiltration of data is somewhat higher than it would be otherwise. But since flash memory can be so very small and hold so very much, you can never be sure that the wifi chip or SoC (sometimes the same chip and, sometimes different, but likely to be separate for recent wifi standards) isn't storing your data. All you can do is use encryption for anything passing through it, making that moot, and not reuse login credentials you use to log in to the router.
Odd how even after World War II, it doesn't seem like many sat around wondering if Made in Japan was suspect.
The devices were less sophisticated then. If a radio wanted to spy on you (I used to have a Sony receiver for example) it would have to broadcast what you were doing on another radio frequency, and that would be very easy to detect. You might even discover that by accident.
To my mind, the danger is in devices which normally phone home, with more danger for those devices which do it more. They might not be able to send MUCH data home during normal activity (unless it's a cloud-based camera or similar which is sending data all the time) but they could easily send something, like passwords or other types of access credentials. Hence the reloading of a router with OpenWRT, which never talks to the manufacturer again by design. This provides the maximum reasonable security in a world in which you can't fab your own open source hardware.
Re: OpenWRT support (Score:3)
Thanks for the information.
Amazing that OpenWRT supports so many routers (269 TP-Link alone).
Good advice to ditch dodgy vendor software for quality open source.
Re: (Score:2)
Also how... often do you update OpenWRT. In my experience it was far behind on a lot of security updates for key parts, like openssl. I could have gone down the rabbit hole of trying to update the dependency and rebuilding but that was a pain I wasn't willing to accept. I moved on to a different platform not based on an existing consumer router.
Re: OpenWRT support (Score:2)
Routers with more RAM and flash are most likely to support newer OpenWRT. Buy one of those.
You can update packages, or where supported, you can update the whole system. More resources, more interest, more support.
Right to Repair (Score:3, Insightful)
The software and firmware of ALL devices must be open-sourced, or at least made public for inspection.
I distrust closed software, but currently it cannot be avoided. Then I have to decide - do I prefer the US or the Chinese to spy on me? Americans would choose Chinese spying, because China has less power over US citizens than Uncle Sam.
If the problem lies in hardware and hard-coded components, then the US government is duty-bound to reveal this and provide proper evidence. Simply banning Chinese stuff doe
Re: (Score:2)
But you do have a choice about the software, if you look at the OpenWRT ToH [openwrt.org] before you buy.
And one of the major problems with this method is that the list is somewhat limited relative to the hardware on the shelves, and the hardware on the shelves has a tendency to be retailer-specific. It's easy for Best Buy to make a price match guarantee when they have exclusivity on the model, rinse/repeat for most other retailers. Even worse are the revisions; Router X rev.1 might support OpenWRT, while rev.2 might not.
A good amount of this has to do with the different chipsets that don't provide drivers for
Re: (Score:3)
I don't suppose they're also going to ban Cisco and Netgear: US confirms takedown of China-run botnet targeting home and office routers [therecord.media]: "KV targets Cisco and Netgear"
Over and over, including with TP-Link, you find two common threads: (1) default/weak passwords, and (2) unpatched firmware. I haven't found a single reference to an attack that accused or implied that TP-Link intentionally installed backdoors to allow APTs to gain control. The problem is that consumers don't change their password or patch th
Re: (Score:2)
The problem is that consumers don't change their password or patch their firmware.
Using a single default password is a design flaw. Assign a different password to each device. Have it generate the password itself on first run. Don't allow packets to pass through the WAN side until the password is changed. There's a reset button on the router, so there's no user problem with having different passwords for each device since they can be cleared. You could use a short press to allow a one time login, and a long press to clear settings. You could also hold up activity if the user has failed t
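The first-run design proposed in the comment above, as an added sketch that is not part of the original post or any vendor's firmware. The `Router` class, the 5-second long-press threshold, the 12-character minimum and the PBKDF2 storage are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed values; the comment gives no numbers.
LONG_PRESS_SECONDS = 5.0
MIN_PASSWORD_LEN = 12
PBKDF2_ROUNDS = 100_000
# No look-alike characters (0/O, 1/l/I), so the password can be read off a screen.
ALPHABET = "abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Router:
    """Hypothetical model of the admin-password lifecycle, not real firmware."""

    def __init__(self) -> None:
        # Kept in memory only so the sketch can show it to the owner once;
        # a real device would persist nothing but the salted hash.
        self.initial_password = self._first_run()

    def _first_run(self) -> str:
        """Generate a per-device password and return to the locked-down state."""
        password = "".join(secrets.choice(ALPHABET) for _ in range(16))
        self._store(password)
        self.owner_changed_password = False
        self.one_time_login = False
        return password

    def _store(self, password: str) -> None:
        self.salt = secrets.token_bytes(16)
        self.digest = _hash(password, self.salt)

    def _matches(self, password: str) -> bool:
        return hmac.compare_digest(_hash(password, self.salt), self.digest)

    def login(self, password: str) -> bool:
        if self.one_time_login:
            # Granted by a short button press; consumed by the next attempt.
            self.one_time_login = False
            return True
        return self._matches(password)

    def change_password(self, current: str, new: str) -> bool:
        if not self.login(current):
            return False
        # Re-entering the generated password does not count as a change.
        if len(new) < MIN_PASSWORD_LEN or self._matches(new):
            return False
        self._store(new)
        self.owner_changed_password = True
        return True

    def wan_forwarding_allowed(self) -> bool:
        """No packets pass the WAN side until the owner has set a password."""
        return self.owner_changed_password

    def reset_button(self, held_seconds: float) -> str:
        """Physical presence is the authorization for both actions."""
        if held_seconds >= LONG_PRESS_SECONDS:
            self.initial_password = self._first_run()  # clear settings
            return "factory-reset"
        self.one_time_login = True
        return "one-time-login"
```
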
Re: (Score:2)
What I do is run a dedicated OPNSense (FreeBSD) firewall/router on a mini PC appliance and have a few stand-alone WIFI access points. Everything goes through a dedicated managed switch, so only the OPNSense device sees internet traffic.
I actually use Omada APs, which happen to be made by TP-Link. If there are back doors that could be exploited by someone else, well, I keep my management network on a separate VLAN from my WIFI and "public" ethernet drops with no internet access, so no TP-Link/Omada hardware
Re: (Score:2)
At the level of consumer-tier routers there aren't actually just tons of SoC vendors (Broadcom, Mediatek and Qualcomm seem to be the big ones that do fully
You wanted cheap electronics (Score:5, Insightful)
Consequence : various "hackers" move on ... (Score:2)
Actually, "they" almost certainly have multiple zero-day attacks in the bag, and will just devote more time to finding new ones in less popular systems.
I wonder how many are targeting TP-Links flashed with OpenWRT. Very unlikely to be no attention there, if "flashing your router" was ever a significant thing.
"Toilet Paper Link"? (Score:1, Funny)
Who the sh** named this company?
Re: "Toilet Paper Link"? (Score:1)
Someone who isn't familiar with the Americanism "TP".
Re: (Score:1)
So the same people who named Siemens Inc.?
Re: (Score:2)
Werner Siemens didn't choose his family name
Re: (Score:3)
A couple of brothers who were very into networking, TP == twisted pair.
Re: (Score:1)
Not an improvement :-)
America attempts to confiscate foreign businesses (Score:3, Interesting)
"The Justice Department is also examining whether TP-Link's significantly lower pricing violates federal anti-monopoly laws"
Do you know what's exactly NOT characteristic of a monopoly? Lower prices. TP-Link doesn't own nearly enough of the market to have a monopoly, either. Not like Microsoft! But, hey, Microsoft is an American monopoly.
This looks like yet another ploy to steal foreign businesses to benefit greedy American corporations. It has nothing to do with security and everything to do with the Almighty Dollar.
Re: (Score:2)
The US Government does not subsidize Microsoft in an attempt to skew the market.
What do you call not holding them accountable for violating antitrust law in basically every way possible under the Bush administration? They should have been broken up there, but they weren't. Instead they got a less-than-a-handslap punishment and kept doing business just the same way as always.
Re: (Score:2)
That natural monopoly was ill-gotten, to be sure.
But it's not going to go away now, nor was it then. Not when 80-something% of all applications and games used by users of computers are Windows-only.
There is an obscenely high barrier to entry for replacing Windows outside of dumbshit dork circles.
Re: (Score:2)
What do you call not holding them accountable for violating antitrust law in basically every way possible under the Bush administration?
They literally were held accountable.
They should have been broken up there, but they weren't.
They won an appeal. The justice system favoring their argument against being broken up is not government malfeasance or protectionism.
Instead they got a less-than-a-handslap punishment and kept doing business just the same way as always.
They signed a binding consent decree.
They did, in fact, change the aspects of their business they were required to.
The fact that your personal belief about what needed to change was not agreed upon by the courts and attorneys doesn't mean some kind of conspiracy to protect them took place.
Your take on this is complete shit.
Re: (Score:2)
The justice system favoring their argument against being broken up is not government malfeasance or protectionism.
Yes, in fact it is. Bush's AG Ashcroft said out loud that they weren't breaking them up because it wouldn't be in the best interest of the nation, by which he meant the MIC and Five Eyes because Microsoft is a member of PRISM and a defense contractor.
Your take on this is complete shit.
By all means, keep covering your eyes and ears and letting shit flow out of your mouth.
Re: (Score:2)
Yes, in fact it is. Bush's AG Ashcroft said out loud that they weren't breaking them up because it wouldn't be in the best interest of the nation, by which he meant the MIC and Five Eyes because Microsoft is a member of PRISM and a defense contractor.
This is bullshit.
It wasn't the AG's choice. It was the court's.
This is what actually happened. [nytimes.com]
I don't know where your recollection of this comes from, but it's not reality.
By all means, keep covering your eyes and ears and letting shit flow out of your mouth.
Bullshit, dude. Quit trying to make a conspiracy out of a legal matter.
Re: (Score:2)
Of course it does, they just go about it in different ways: https://subsidytracker.goodjob... [goodjobsfirst.org]
The US is even more up its ass than China when it comes to giving money to private companies and trying to create favourable market conditions through protectionism. It's not China that came up with "too big to fail" while unironically babbling like a toddler about how the market will "regulate itself".
Re: (Score:2)
Unlike in the USA, where there is no such thing as PRISM, and laws don't apply to private companies.
Re: (Score:2)
Do you know what's exactly NOT characteristic of a monopoly? Lower prices.
Actually that is false. Lower pricing is something that could explicitly be an anti-trust violation if you have market power, while being legal if you don't have market power. History is rich with large companies cutting prices to undercut new entrants while eating the losses they make - propping up their business from other income or from external investment until their competitors go bankrupt. History is full of companies found guilty of this as well.
Look up "predatory pricing".
That said I doubt that is w
Re: (Score:2)
Do you know what's exactly NOT characteristic of a monopoly? Lower prices.
The practice is called "dumping", and it's something monopolizers use to build their monopoly, and is illegal under US (Federal) anti-trust (anti-monopoly) laws.
How old are you, and why the fuck didn't you learn this shit in high school?
Re: (Score:2)
Attribution is practically impossible. If there is a security hole (intentional or not), anyone can use it. The only way to be sure who did it is if it was yourself. Or if you catch them in the act at their own machine.
That's from a technical point of view. From a political point of view, you can always attribute it to whoever it is most beneficial to you for them to have done it. (Which can be embarrassing if the foreign state actors du jour turn out to have been a bored teenager in California again.)
Spectrum (Score:2)
All of this consumer router stuff is garbage. I remember a few years ago when I had some cable modem from Spectrum. Now, the configuration I had was basically that my Spectrum crap fed into my own access point so I could control it. Unfortunately, I found out that Spectrum kept "updating" their access point, and every time they turned some kind of built-in wireless functionality on. And they had the (outer) network password and everything else. Now, that wasn't really a security problem because my own equip
Re: (Score:2)
some neighbor kid started pirating my wireless
Sounds like you were using WEP at the time or no WiFi security at all.
Software-wise, OpenWrt is the way to go with these consumer routers.
Gargoyle is nice too (and easier to use) while still being OpenWrt based, if your router is supported.
Re: (Score:2)
some neighbor kid started pirating my wireless
Sounds like you were using WEP at the time or no WiFi security at all.
Wow...So, wireless connectivity has changed up since 2004; it's been well over a decade since routers shipped with either WEP or a truly open SSID.
Spectrum's modems now are all-in-one appliances that are modems, routers, switches, and APs in a single box. For the general public, this is probably a net positive, but Spectrum also has a habit of letting that appliance broadcast "SpectrumWIFI", which enables people to use that public-ish system from the modem of its customers (it has a captive portal login so
list growing (Score:2)
The list keeps growing... and now the scope is expanding. Kinda surprising that the government is using so much TP-Link. I'm sure contractors that care won't install it.
https://www.acquisition.gov/df... [acquisition.gov].
Zyxel Routers (Score:1)
Re: (Score:3)
Solid German engineering
Can you point out on a map of Germany where I can find Taiwan? You know, Zyxel being a Taiwanese company which has much of their manufacturing in *checks notes* oh dear ... China.
Re: (Score:2)
They have a STUN bug that they don't seem to care about fixing.
Beyond that, their interface was put together by a toddler.
Otherwise, as long as you never interact with the thing, or don't need it to do anything advanced, I agree, they're a great price point for physical feature set.
I am Cornholio! (Score:2, Funny)
TP-Link used to be the king of open source (Score:3)
I have used a lot of TP-Link routers with OpenWRT in the past. They were awesome (except hardware quality. They all needed replacement in a few years, but then the wifi tech was also advancing)
https://openwrt.org/toh/hwdata... [openwrt.org]
They just worked out of the box, and even sometimes using the original firmware's update page. (Yes, just download the open source firmware, open router, upload, and reboot).
At one point they locked the bootloader.
And everything went downhill from there.
Their excuse? US people installing EU firmware to unlock illegal bands (airports and all). However this was when they started selling "mesh" routers and other changes, which makes me at least suspicious.
Anyway, if you have an older TP-Link with lots of RAM and internal storage, look up support on that page. If not, just use a better router.
Re:TP-Link used to be the king of open source (Score:4, Informative)
Almost all brands are made in china (Score:2)