Routers from China-based TP-Link a national security threat, US lawmakers claim

Two members of Congress are calling on the Commerce Department to investigate the cybersecurity risks posed by Wi-Fi routers from Chinese company TP-Link Technologies. 

In a letter sent this week to Commerce Secretary Gina Raimondo, Reps. John Moolenaar (R-MI) and Raja Krishnamoorthi (D-IL) claimed TP-Link’s routers have been found to have an “unusual degree of vulnerabilities.” They called on the department to respond with findings on the company’s security risks by the end of August, and to determine if TP-Link products should be restricted in the U.S.

Amid China’s “increasingly draconian data protectionist and national security-focused legal regime,” the lawmakers wrote, “companies like TP-Link are required to provide data to the PRC [People’s Republic of China] government and otherwise comply with the demands of its national security apparatus.” 

The congressmen, who lead the House Select Committee on China, cited the cyber activity by the Chinese APT group Volt Typhoon as a reason for concern around home and office routers. A hallmark of the group’s hacking campaign against U.S. critical infrastructure is the infiltration of home routers for the purpose of launching other attacks.

The Justice Department dismantled a botnet created by Volt Typhoon actors in December 2023 that featured hundreds of Netgear and Cisco routers.

For years, critical vulnerabilities in TP-Link routers have been abused by hackers who use them as cover for subsequent attacks or add them to powerful botnets that disrupt websites with bogus traffic. 

In May 2023, researchers at the cybersecurity firm Check Point attributed cyberattacks on “European foreign affairs entities” to a Chinese state-sponsored group they called “Camaro Dragon.” The hackers used a firmware implant for TP-Link routers to get control of infected devices and access networks.  

In a statement cited by Reuters, TP-Link reportedly claimed that it does not sell routers in the U.S. In May, the company announced it had “completed a global restructuring” and that TP-Link Corporation Group — with headquarters in Irvine, California and Singapore — and TP-Link Technologies Co., Ltd. in China are “standalone entities.” 

National security agencies in the U.S. have long expressed concern about recently instituted regulations in China that mandate security researchers report vulnerabilities to the government before publicizing them. While never confirmed, there has been significant debate over whether the rules have effectively allowed Chinese government hackers to exploit vulnerabilities before they are widely reported. 

Additional reporting by Jonathan Greig

James Reddick has worked as a journalist around the world, including in Lebanon and in Cambodia, where he was Deputy Managing Editor of The Phnom Penh Post. He is also a radio and podcast producer for outlets like Snap Judgment.