The U.S. is probing whether popular home internet routers sold by China’s TP-Link Technologies threaten national security and considering whether they should be banned, the Wall Street Journal reported Wednesday, after Microsoft linked the devices to a Chinese hacking group.
Some lawmakers called for a probe into the devices earlier this year, alleging they had an “unusual ... [+]
Officials from the Commerce, Defense and Justice departments have opened investigations into TP-Link’s routers and could ban the sale of the devices in the U.S. next year, according to the Wall Street Journal, which cited people familiar with the matter.
The routers are shipped to customers with security flaws and often have bugs regardless of their manufacturer, some of the people said.
An office of the Commerce Department has subpoenaed TP-Link as part of its investigation, and the Justice Department is probing whether TP-Link’s market dominance—reportedly accounting for 65% of the U.S. market—is a result of the company selling their products at a price lower than they cost to make, violating federal law, the Journal reported.
In October, Microsoft linked widespread hacking efforts to a network used by “multiple Chinese threat actors” that relied on “compromised” devices largely made by TP-Link, though the specific devices were not named.
TP-Link did not immediately respond to a request for comment from Forbes.
Get Forbes Breaking News Text Alerts: We’re launching text message alerts so you'll always know the biggest stories shaping the day’s headlines. Text “Alerts” to (201) 335-0739 or sign up here.
It’s not immediately clear whether TP-Link’s devices will be banned, though it’s likely that decision will be left to the incoming Trump administration, the Journal reported.
TP-Link labels its routers either on the back or underneath the device. The label features TP-Link’s logo in the top-left corner and the make and model of the device to the right. This is where internet service providers tell customers to look for the password to the device’s internet connection.
All TP-Link routers sold in the U.S. would be affected by the ban, according to the Journal, though some devices have previously been linked to hacking efforts. In May 2023, the Cybersecurity and Infrastructure Agency claimed TP-Link’s Archer AX21 router could be exploited. CyberNews, a cybersecurity publication, reported in 2021 the firmware in TP-Link’s Archer C50 router contained at least 24 vulnerabilities, including some that would allow hackers to gain access to the user’s network. TP-Link claims to distribute its routers through more than 300 internet service providers, including Spectrum, which provides TP-Link’s TC7650.
Rep. John Moolenaar, R-Mich., and Rep. Raja Krishnamoorthi, D-Ill., who lead the House Select Committee on China, requested the Commerce Department to probe TP-Link’s routers in August. Both lawmakers said TP-Link’s devices have an “unusual degree of vulnerabilities” and alleged the Chinese government of using the routers to “perpetrate extensive cyberattacks” in the U.S. In March, the House passed a bill requiring U.S. agencies to investigate whether routers, modems and other devices pose national security risks, though the bill does not directly name TP-Link. The Senate has yet to take up the bill. Michael O’Rielly, a former commissioner of the Federal Communications Commission, said cybersecurity officials in the U.S. have “documented vulnerabilities from home equipment vendors across the board,” though TP-Link’s devices have “had more than their fair share of citations.” O’Rielly noted there is “no evidence” to suggest TP-Link is negligent with the security of their devices.
The Indian government issued a warning for TP-Link’s routers in May, indicating the devices had a vulnerability allowing hackers to infiltrate connected devices. According to the warning, the vulnerability affects versions of TP-Link’s Archer devices.
Founded in 1996 in Shenzhen, China, TP-Link has expanded its business globally and reportedly provides devices for several U.S. agencies, including NASA, the Defense Department and the Drug Enforcement Administration. TP-Link announced it would move its global headquarters from Singapore to Irvine, California, to “solidify its presence in the U.S. market.” The company has boasted its dominance in the internet provider market, saying in 2022 it had reached 12 years of being the world’s top provider of internet devices, citing data from the International Data Corporation. The Biden administration has targeted other telecommunications firms over concerns about national security. The Commerce Department warned China Telecom’s U.S. subsidiary that its presence in American networks and cloud services posed a national security risk. The agency gave China Telecom 30 days to respond, suggesting a ban would be taken up by the Trump administration. Commerce Department officials banned Russian software firm Kaspersky from selling its products in the U.S. in June, citing issues with the company’s devices that allowed users’ sensitive information to be accessed.