Texas sues TP-Link, alleging it allows China to hack into routers

Texas is suing networking equipment company TP-Link Systems for allegedly allowing the Chinese Communist Party (CCP) to hack into consumers’ devices even as it promised consumers strong security and privacy protections.

Attorney General Ken Paxton announced the lawsuit on Monday and said it is the first of several that will be filed this week against companies affiliated with the CCP.

In December, Paxton sued the Chinese television manufacturers Hisense and TCL, alleging that they capture what consumers watch in real time and could be allowing the data to be harvested by China.

Paxton alleges that TP-Link deceptively markets its products as protective of privacy and security when in reality they have been used by Chinese state-sponsored hacking groups to mount cyberattacks against the U.S.

His office cited a May 2023 report from Check Point Research, which alleged that Camaro Dragon hacking campaigns were enabled by TP-Link firmware vulnerabilities. Camaro Dragon is a Chinese state-sponsored hacking entity.

Because many of TP-Link’s parts are imported from China, the manufacturer is bound by that government’s national data laws, which require Chinese companies to support the country’s intelligence services by “divulging Americans’ data,” a Paxton press release said.

“With nearly all of its products’ parts imported from China, TP Link’s deliberate deception towards Texans regarding the nationality, privacy, and security capabilities of its networking devices is not just illegal — it is also a national security threat that enables the secret surveillance and exploitation of Texas consumers,” the press release said.

A spokesperson for TP-Link said in a statement that the lawsuit is “without merit and will be proven false.” 

TP-Link Systems Inc. is an independent American company, the statement noted, and its core operations and infrastructure are located entirely within the U.S. All U.S. users’ networking data is stored securely on Amazon Web Services servers, the statement said, and the company’s founder and CEO lives in California.

“We will continue to vigorously defend our reputation as a trusted provider of secure connectivity for American families,” the statement said.

The U.S. intelligence community has expressed similar concerns about the potential of TP-Link devices to enable Chinese government espionage, security consultant John Bambenek told Recorded Future News. 

However, the lawsuit will likely have little effect, he said.

“Using deceptive business practices seems to be a clever way of tackling this problem, but I am hard-pressed to see any scenario [where] any order by a Texas court would be respected in China,” he said. 

The lawsuit is an example of a significant evolution in cybersecurity enforcement and a broader regulatory trend, said Nakul Goenka, risk officer at security company ColorTokens.

“Security representations are increasingly being evaluated as consumer protection and disclosure issues, not merely technical ones — a shift already visible in FTC enforcement actions and SEC disclosure mandates, and now extending into state-level litigation,” he said. 

“The key legal question is not whether a vulnerability exists, but whether a company’s public statements about privacy, security, and product origin accurately reflect the underlying risk.”