Possible Ban on TP-Link Routers
One of our commercial clients recently called with an urgent request: “Please get rid of my TP-Link router!” This month we are going to speak further about the Salt Typhoon hack and briefly cover two other espionage campaigns taking up our news feed, Flax Typhoon and Volt Typhoon. The Salt Typhoon attack has increased government officials’ urgency for taking action against Chinese technology companies. Among the actions being considered is a possible ban on TP-Link routers.
As you may recall from our last article, reports suggested that China has embedded itself inside our aging networking equipment for years. This includes routers and smart switches. There are ongoing investigations, new sanctions and growing concern over cyber-espionage campaigns from the PRC (People’s Republic of China).
APT (Advanced Persistent Threat) campaigns are on the rise. Volt Typhoon has been active since 2021. This group has been able to threaten U.S. critical infrastructure in large part because of its ability to compromise SOHO routers like those manufactured by TP-Link. SOHO networks are Small Office, Home Office networks, generally used by 1-10 people. CISA and Microsoft have warned that Volt Typhoon attacks typically exploited vulnerabilities in routers, firewalls and other network devices to gain an initial foothold.
Flax Typhoon, also active since mid-2021, has targeted government agencies, education and IT organizations in Taiwan, Southeast Asia, North America and Africa. More than 260,000 SOHO routers, firewalls and IoT (Internet of Things) devices have been compromised. Members of Congress in the House and Senate have expressed concerns over these breaches and have called on U.S. companies and federal agencies to provide information about these incidents. Salt Typhoon, as we reported, targeted ISPs (Internet Service Providers) and telecommunication companies.
On January 3 of this year, the Treasury Department sanctioned Integrity Technology Group Inc., a Beijing-based cybersecurity company, for its role in multiple computer intrusion incidents against U.S. victims. These incidents have been attributed to Flax Typhoon. The Treasury’s own IT infrastructure was targeted, and the accusation is that Integrity Technology employs the workers responsible for the Flax Typhoon hacks. You can read about it at: https://home.treasury.gov/news/press-releases/jy2769. These sanctions will prevent Integrity Technology from accessing the U.S. banking system and will block it from conducting legal business with U.S. citizens.
Reports from the Wall Street Journal indicate U.S. authorities are now investigating whether TP-Link poses a national security risk and are seriously considering banning the devices. TP-Link is the top choice for routers on Amazon.com and powers Internet communications for the Defense Department and other federal government agencies. Officials are concerned that routers made by TP-Link could offer a foothold for China-backed hackers into U.S. infrastructure. Representatives from the House Select Committee on China requested that the Commerce Department probe TP-Link’s routers back in August, and the Commerce Department has since opened a probe. The concern remains that the Chinese government may exploit TP-Link routers in order to spy on Americans.
Founded in China in 1996, TP-Link has headquarters in both Singapore and the U.S. It has grown to become one of the largest Wi-Fi router providers and a dominant player in the global market for wireless Internet routers. A ban would affect nearly sixty-five percent of Internet users in the U.S. There is no evidence that TP-Link equipment was exploited in the Salt Typhoon hack on telecom networks, but TP-Link routers are routinely shipped with security flaws and the company has been reluctant to engage with security researchers when flaws are identified.
In October 2024, Microsoft found that TP-Link routers made up most of the compromised devices in a Chinese “password spraying” ransomware attack. Password spraying is a technique in which a hacker tries a single common password against many targeted accounts, rather than many passwords against one account, which keeps each account below the lockout threshold. Hackers on behalf of the Chinese government were using a botnet of thousands of routers, cameras and other Internet-connected devices to perform highly evasive password spray attacks against users of Microsoft’s Azure cloud service. Anyone interested can look up CovertNetwork-1658, which is Microsoft’s report on the compromised SOHO routers manufactured by TP-Link.
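The evasiveness of a router botnet comes from spreading the spray across thousands of source addresses, so no single IP makes enough attempts to trip a simple threshold. As an added illustration (this is our own example, not code from the article or from Microsoft’s report), the script below runs two detectors over a small set of constructed authentication log lines: one that catches a classic spray from a single source, and one that catches the distributed, low-and-slow pattern where many accounts each see only one or two failures from different sources in the same window. The log format, field names and sample addresses are all assumptions made for the example.

```python
"""Password-spray detection over constructed authentication log lines.

Assumed log format (one event per line):
    <ISO-8601 timestamp> <FAIL|OK> user=<account> src=<source IP>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data for the example; these are not real logs or addresses.
# Window 0: six accounts, one failure each, from six different sources (distributed spray).
# Window 1: one source failing against five accounts in seconds (single-source spray).
# Window 2: a user mistyping a password twice and then succeeding (benign).
SAMPLE_LOG = """\
2025-01-10T09:00:01 FAIL user=alice src=198.51.100.11
2025-01-10T09:01:15 FAIL user=bob src=198.51.100.12
2025-01-10T09:02:40 FAIL user=carol src=198.51.100.13
2025-01-10T09:03:05 OK user=dave src=192.0.2.20
2025-01-10T09:04:22 FAIL user=erin src=198.51.100.14
2025-01-10T09:05:50 FAIL user=frank src=198.51.100.15
2025-01-10T09:07:10 FAIL user=grace src=198.51.100.16
2025-01-10T09:12:00 FAIL user=alice src=203.0.113.50
2025-01-10T09:12:02 FAIL user=bob src=203.0.113.50
2025-01-10T09:12:04 FAIL user=carol src=203.0.113.50
2025-01-10T09:12:06 FAIL user=dave src=203.0.113.50
2025-01-10T09:12:08 FAIL user=erin src=203.0.113.50
2025-01-10T09:25:00 FAIL user=dave src=192.0.2.20
2025-01-10T09:25:30 FAIL user=dave src=192.0.2.20
2025-01-10T09:26:00 OK user=dave src=192.0.2.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse log text into a time-sorted list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return sorted(events, key=lambda e: e["ts"])


def _windows(events, window):
    """Group events into fixed-size buckets, numbered from the first event."""
    buckets = defaultdict(list)
    if events:
        t0 = events[0]["ts"]
        for e in events:
            buckets[int((e["ts"] - t0) / window)].append(e)
    return buckets


def detect_spray_by_source(events, window=timedelta(minutes=10), min_accounts=5):
    """Classic spray: one source IP fails against many distinct accounts in one window."""
    alerts = []
    for idx, bucket in _windows(events, window).items():
        users_per_src = defaultdict(set)
        for e in bucket:
            if e["result"] == "FAIL":
                users_per_src[e["src"]].add(e["user"])
        for src, users in users_per_src.items():
            if len(users) >= min_accounts:
                alerts.append({"type": "single-source-spray", "window": idx,
                               "src": src, "accounts": len(users)})
    return alerts


def detect_distributed_spray(events, window=timedelta(minutes=10),
                             min_accounts=5, max_fails_per_account=2, min_sources=3):
    """Low-and-slow spray from a botnet: many accounts each see only a failure or two,
    spread across many source IPs, so no per-IP or per-account threshold fires."""
    alerts = []
    for idx, bucket in _windows(events, window).items():
        fails_per_user = defaultdict(int)
        sources = set()
        for e in bucket:
            if e["result"] == "FAIL":
                fails_per_user[e["user"]] += 1
                sources.add(e["src"])
        if (len(fails_per_user) >= min_accounts
                and max(fails_per_user.values()) <= max_fails_per_account
                and len(sources) >= min_sources):
            alerts.append({"type": "distributed-spray", "window": idx,
                           "accounts": len(fails_per_user), "sources": len(sources)})
    return alerts


def run_demo(text=SAMPLE_LOG):
    """Run both detectors over the sample log and return all alerts."""
    events = parse_log(text)
    return detect_spray_by_source(events) + detect_distributed_spray(events)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Running the block flags window 1 as a single-source spray and window 0 as a distributed spray, while the benign retries in window 2 produce nothing. The per-source detector alone would miss the botnet case entirely, which is the point: a defender looking for this activity needs a view that counts distinct accounts and distinct sources across the whole tenant, not just per client address.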
The Justice Department is also probing TP-Link’s pricing strategies, investigating whether the company’s practice of selling routers below production costs violates U.S. antitrust laws. TP-Link claims that it does undercut competitor prices, but it does not sell any products below cost. TP-Link adds that the company’s “security practices are fully in line with industry security standards in the US. We implement rigorous secure product development and testing processes and take timely and appropriate action to mitigate known vulnerabilities.”
Finally, with regard to the Salt Typhoon hack, the majority of people whose call records were stolen by Chinese hackers have not been notified, and there is no indication that telecommunication companies will notify affected people in the near future. AT&T and Verizon both declined to clarify plans for alerting people whose metadata was accessed in the attack. The FCC mandates that telecom companies notify customers only when it has been established that customers have been or could be harmed by the breach. Telecom networks remain tight-lipped over the breach.
It is worth noting that the recently passed defense bill included $3 billion to assist telecom companies in removing equipment from Chinese firms like Huawei and ZTE, aiming to mitigate security risks associated with foreign technology in our critical infrastructure. The chairman of the Senate Intelligence Committee has warned, however, that China-linked threat actors are still inside U.S. telecom networks and that evicting them will require replacing “thousands and thousands and thousands of network devices.” AT&T and Verizon put out a statement on 12/30/24 that their networks are secure and out of threat from Salt Typhoon hackers: “No activity by nation-state actors remain in our networks at this time.” AT&T also added that the PRC targeted a small number of individuals of foreign intelligence interest.
The Bottom Line: The future of TP-Link in the U.S. market hangs in the balance. It is not clear if TP-Link’s devices will be banned, and that decision will be left to the incoming Trump administration. TP-Link this year announced a corporate restructuring, establishing a headquarters in California that it says is separate from its China operations.
Consumers rely on affordable networking solutions. TP-Link has had security flaws, but so do all router companies. TP-Link has not been linked to the Salt Typhoon attacks, but the debate over a ban does show the current temperature for perceived threats from China. 80 to 90 percent of our trade is with China, and China holds about a trillion dollars of U.S. Treasury debt.
Vulnerabilities in our critical infrastructure open the U.S. up to hostile-actor intelligence gathering, foreign technological advantages and leverage in the event of full-scale war. Chinese hacking of U.S. infrastructure is believed to be ongoing, a threat that China consistently denies. FBI Director Christopher Wray has warned in the past that China is developing the “ability to physically wreak havoc on our critical infrastructure at a time of its choosing.” The FBI continues to investigate Integrity Technology Group and Flax Typhoon’s computer intrusion activities. John Hultquist, the chief analyst at Mandiant, warns that threat actors are probing sensitive critical infrastructure so they can disrupt major services if, and when, the order comes down.
If you are looking for an alternative to a TP-Link router, consider Asus, Synology and D-Link. They are all manufactured in Taiwan and not in China. D-Link products are affordable and efficient, but we have seen reports of bad actors targeting these devices as well. With any router you purchase, you need to keep the firmware updated and replace any default device passwords with strong ones. The status quo has to change. We are not confident that enough companies are taking cybersecurity seriously.
Two Techs – your locally owned computer support company. Find Two Techs on the web at www.twotechs.com, email us at support@twotechs.com, or call 352-200-2365. USF, MIS, MCP, A+, Network+ & CISSP. (References used: TechCrunch, MSN, The Cyber Express, PCMag, CNN, BleepingComputer, Forbes, Congressional Research Service, Microsoft)