
Posted by todsacerdoti 8 hours ago

Drilling down on Uncle Sam's proposed TP-Link ban(krebsonsecurity.com)
138 points | 134 comments
riskable 7 hours ago|
The real lesson here: If you're successful, don't skimp on security/software! Also, don't abandon software/firmware security support for your products so quickly.

If I was in charge over at TP-Link, getting news that tens of thousands of MY company's routers were compromised would have me furious! I'd be freaking out, making sure that we take immediate steps to improve software/firmware quality and to make sure we're in a constant state of trying to compromise our own hardware... To ensure no one else finds vulnerabilities before we do.

Instead, TP-Link seems to have just laughed and focused strictly on profit margins.

blitzar 5 hours ago||
The real lesson here: don't forget to bribe the president of the US.
bashtoni 3 hours ago|||
If this was actually the lesson then they'd be banning Fortinet, but it seems these concerns about security don't apply to US listed companies.
protocolture 2 hours ago||
Bold of you to assume those Fortinet vulns aren't just exposed government backdoors.
acdha 1 hour ago||
This is like seeing a food poisoning outbreak at a fast food restaurant and concluding that it must be CIA/FSB/Mossad bogeymen trying a bioweapon. These breaches are things like not validating authentication tokens (at all, not just correctly) and that would be a big drop in professionalism from what we’ve seen from nation-state level attacks:

https://labs.watchtowr.com/get-fortirekt-i-am-the-super_admi...

anonym29 18 minutes ago||
Hanlon's razor, paradoxically, is the perfect cover for surreptitious malice. We've already got a perfectly reasonable razor telling people not to assume malice, after all.
itopaloglu83 2 hours ago|||
Just make them liable for the damages and then they will start caring.

This might be one of the only cases where subscription model would work well to cover the maintenance cost.

ryandrake 2 hours ago||
Yea, in the real world, the CEO gets news that tens of thousands of his company's routers were compromised, and calls up his General Counsel and asks "are we liable for damages?" And if the answer is NO, he goes back to enjoying the house party in his luxurious third home.
itopaloglu83 1 hour ago||
Yeah, I know, at some point you cannot make them care for their customers wholeheartedly.
stldev 6 hours ago|||
Or maybe, don't capture 50% market share in a country that's decided your country of origin is the threat of the decade.
hekkle 2 hours ago||
TP-Link's Headquarters are in California, they have a branch in Singapore and they manufacture in Vietnam, which of those were the threat exactly?

This whole thing is reminiscent of the TikTok CEO Chew Shou Zi - "But, I'm Singaporean, Senator".

sarchertech 1 hour ago||
It was a completely Chinese company until last year. Then it split in 2. The US headquartered half has 11,000 employees in mainland China and 500 in the US based on what I could find when I googled it. It’s solely owned by the founder of the original company and his wife who are Chinese citizens.

I don’t know whether it’s worth banning them or not, but putting your hands up and saying “what Chinese company?” is just absurd.

hekkle 40 minutes ago||
1. The company was founded by Zhao Jianjun and Zhao Jiaxing, who are brothers. I don't know where you got the husband/wife sole ownership from.

2. As you admitted, they have completely separated into 2 separate companies, claiming that it is still Chinese is akin to saying "tea is Chinese", that's completely absurd, yes, it was at some point in history, that point is not now.

stefangordon 2 minutes ago|||
That is what TPLink PR would like you to think.

The reality is the only part that matters, the chipsets, are produced in Chinese factories owned by TPLink.

They moved everything that doesn’t matter to the US recently in an effort to give the illusion that they aren’t putting chips manufactured under the control of the Chinese government into the majority of routers used in the US.

I’m not agreeing with banning them, but I can certainly see how it creates significant risks that I would want to mitigate somehow.

Dylan16807 7 minutes ago|||
It's hard to believe you're saying 2 in good faith. Companies don't change that fast, and you skipped the part where so many of the employees are still in China.
duxup 2 hours ago|||
I think a lot of companies violate that lesson and continue to make money.
DANmode 30 minutes ago|||
But they got this far with $X in security spending, what’s the problem?
PeaceTed 2 hours ago|||
Until it hits their wallet, they will not do a thing. Now if they were more concerned about longer profits and how this could impact their image, maybe they would change but it is rare you see that nowadays.
harvey9 4 hours ago|||
Unfortunately people like you are hardly ever in charge of this kind of thing.
jmyeet 5 hours ago||
Yeah, that's not the lesson here at all. We're still in an era where you will suffer absolutely zero consequences for security lapses and breaches.

Everything that is happening with this administration is simply because it suits American foreign policy or the interests of one of the oligarchs. I mean this with absolutely no hyperbole: the pretense of there being any rule of law for the ultra-wealthy is gone. The White House is openly selling pardons, which have the added effect of cancelling out debts to the US government.

Tiktok getting banned? It had nothing to do with "national security". The government simply had less control over the content and the algorithm on Tiktok than they do on Meta and Google platforms.

Reading through this article, you have Microsoft pointing the finger at TP-Link. That's... rich. Because Microsoft has historically been horrible for security. It would take further investigation but I really wonder if TP-Link isn't just a convenient scapegoat.

Loughla 5 hours ago|||
I don't mean to be hateful with this, but what's the point of your post besides random conjecture and a sort of rant about something only vaguely related to the story?
cyanydeez 4 hours ago|||
That this is a political issue, not technical
mindslight 4 hours ago|||
I see the comment as quite on point. There are many longstanding real problems that have been allowed to fester (in this case, embedded security). While these problems are now being talked about, there is still zero intention to actually address them. Rather they're merely being abused as talking points by fascists pretending that "something is being done" when really the "solutions" are merely the consolidation of autocratic control.

Real reform here would be something like prohibiting tying software and hardware together as one product, source code escrow, etc. Things that actually create security and consumer choice, rather than merely one less vendor to pick from.

expedition32 5 hours ago||||
The Chinese see their exports rise because America no longer controls the world. They'll just sell their stuff to emerging markets.
parineum 5 hours ago|||
Sometimes I wonder if people talking about corruption in the US have ever been to a country that is as corrupt as they say the US is.

Pardons are not being openly sold. There is absolutely not great stuff going on with them but, really, the major difference I see is that it's happening during the administration, rather than in the last few hours.

The US is moving the wrong direction when it comes to corruption but let's not act like we're bottom of the barrel or that this slide just started in 2024 (or 2016, if you'd like).

jmyeet 1 hour ago|||
So far Trump pardons have wiped out over $1 billion in decided and sought fines [1]. There are pardons for the likes of George Santos (convicted for a whole host of crimes) for no other reason than he was a reliable Republican vote, clearly sending the message that if you are loyal, you can commit crimes and you will be pardoned. There's also the Tennessee House Speaker convicted for corruption [2] and the Binance founder [3] who allegedly aided in Trump's rug pull (sorry, "crypto offering").

Now this sort of thing isn't new. Famously, on Clinton's last day in office he pardoned Marc Rich [4], who was convicted (before fleeing the country) of breaking sanctions by trading with Iran. It was widely rumored that his ex-wife, Denise Rich, who had a lot of access to the Clintons, brokered a deal.

But what changed is the disastrous Trump v. United States [5] decision last year that granted almost absolute presidential immunity. Now there's not the slightest fear of repercussions, so the whole operation has gone into overdrive and it's so incredibly brazen.

I stand by my original claim: the TP-Link ban isn't technical. It's political. And I would bet all the money in my pockets that if the CEO had "donated" $1 million to the inauguration (like all the Tech CEOs did, including Bezos and Cook) we'd likely have a very different outcome.

[1]: https://www.aljazeera.com/news/2025/6/8/fact-checking-claims...

[2]: https://www.nbcnews.com/politics/donald-trump/trump-pardons-...

[3]: https://www.reuters.com/world/us/trump-pardons-convicted-bin...

[4]: https://www.pbs.org/newshour/show/clintons-pardon-of-marc-ri...

[5]: https://en.wikipedia.org/wiki/Trump_v._United_States

ThunderSizzle 4 hours ago|||
So the claim is that corruption only started in DC with Trump becoming President?

Did I read the last sentence correctly?

parineum 4 hours ago||
No, I'm saying that the slide didn't start with Trump. I also don't think much of what Trump is doing is much, if at all, worse than his predecessors but he has zero shame about it.

Since he's in the news and it's on my mind, I'm not sure the Cheney and the whole Iraq/Halliburton situation has been topped since then. Then there's every member of Congress suddenly becoming a multimillionaire after they get into office.

The only norm Trump is breaking is that he doesn't care to sweep it under the rug.

chatmasta 7 hours ago||
TP-Link makes really solid products, and if you don’t want to use their firmware then almost all of them can easily flash OpenWRT. In fact most of their routers are built from OpenWRT anyway.

I installed their mesh Wi-Fi system for my parents recently and was really impressed how seamless the process was. It did involve making a cloud account which I wasn’t thrilled about, however.

heavyset_go 5 hours ago||
You aren't thinking low enough for firmware.

All modern WiFi APs require closed firmware blobs that run below or parallel to OpenWRT.

You replacing the router OS with OpenWRT does nothing when the radio has full DMA access and runs its own OS on its own processor. The OpenWRT layer will have no idea what it's running/infiltrating/exfiltrating.

I say this as someone who has been running and building OpenWRT forever. It's great but it isn't a panacea.

chatmasta 5 hours ago|||
That's why I bought a PCEngines box (one of the last of their inventory before they went out of business) with completely transparent hardware and no Chinese manufacturer in the supply chain.
DANmode 12 minutes ago||
Neat.

If it dies tomorrow, what’s next, out of curiosity?

toast0 4 hours ago|||
Sure, but if you run OpenWRT you can pick the radio firmware image. And you can trust Qualcomm cause they're from San Diego and made Eudora; their firmware won't have intentional security issues.
jm4 2 hours ago|||
I use their Omada stuff for my business. I own a coffee shop where I have a few devices I need online and I provide free WiFi to customers. I needed something where I could run multiple networks, segregate my own devices, support a large number of clients, automatically turn off free wifi outside of business hours, run a captive portal, reserve a minimum amount of bandwidth for my own devices and prioritize my own traffic, etc. It’s absolutely packed with features and costs less than the stuff I run at home. It was a fraction of the cost of the Meraki gear I was considering. The performance is great too.

I don’t know how much I trust TP Link, but my risk level is very low. There’s not much an attacker could do if they get on my network. None of my data is accessible on that network and everything important has MFA anyway. The most sensitive things are my POS and menu displays and they are just client devices connecting to the internet. I probably wouldn’t run this stuff in an environment where I had complex security requirements.

daneel_w 3 hours ago|||
At some point it won't matter that you run OpenWRT on it. Obvious case in point: at a certain point it doesn't matter that you run Linux instead of Windows on your Intel PC, because it'll still be subjected to Intel ME, Intel AMT, Intel SGX and god knows what else.
adrian_b 1 hour ago||
On a PC, Intel ME and the like can be accessed remotely only through an Intel NIC, which can be avoided by using a PCIe Ethernet card from another manufacturer, if the motherboard does not have such an interface on it. Even many of the Intel Ethernet interfaces are supposed to have the remote access disabled from the factory, but you cannot be certain about this.

A more serious problem is caused by the laptops having Intel WiFi, which is difficult to replace. With such a laptop one would have to disconnect the internal antennas and use an external WiFi dongle, to be sure that remote control is not possible.

forinti 6 hours ago|||
TP-Link let me down twice.

I bought a cellphone from them many years ago and they never really supported it and I couldn't even buy a replacement battery.

Recently I bought a router with the firm intent of installing OpenWRT, but I received a newer revision that had a different CPU, less RAM, and less flash memory.

These events left a bad impression, but they do make affordable stuff with reasonable quality.

mbreese 6 hours ago||
> Recently I bought a router with the firm intent of installing OpenWRT, but I received a newer revision that had a different CPU, less RAM, and less flash memory.

This also happened many years ago with Linksys (prior to Cisco). It’s not that uncommon for manufacturers to release new revisions of hardware without necessarily making it clear to the purchaser. If their purpose is to deliver a router and they can shave a few cents off the BOM with less RAM, but it still works with their software, why would they care. And once new revisions have been released into the supply chain, it can be hard to know exactly what version you are buying.

In the Linksys case, IIRC they eventually re-released the first revision WRT54G as the WRT54GL (for Linux), so that people who wanted different firmware could get the exact hardware they wanted.

myself248 5 hours ago||
Wouldn't it be nice if that was illegal? Sell whatever, but label it accurately, it's different hardware so it needs to have a different version label in the listing or something.

We see this all the time with SSDs, where a high-spec model is released to reviewers, then a low-spec model is mass-produced and sold under the same model number. That's fraud, isn't it? Shouldn't it be?

tpmoney 12 minutes ago|||
It’s only fraud if they sold you or marketed to you on those specs. But at least for things like reflashing your router, short of a few explicit opener vendors (like glinet) and Linksys AFTER releasing the WRTGL version, router manufacturers aren’t usually advertising on how much ram or flash memory space they have, any more than car manufacturers are advertising how much flash memory is in their ECUs. It’s not an intended or marketed purpose, so they’re not going to be changing model numbers just because they made an internal update.
cesarb 3 hours ago|||
> but label it accurately, it's different hardware so it needs to have a different version label

In my experience, TP-Link always has the hardware revision on a label on the outside of the box.

forinti 2 hours ago||
It's small text on a small label that online vendors don't bother to check.
Loughla 5 hours ago|||
Hey, that's really timely for me.

I'm getting ready to set a mesh network for my older parents as well. Do you have any suggestions for hardware and software? I live a ways away from them so I need this to be pretty much faultless. I don't want to drive 4 hours for IT support.

slumberlust 3 hours ago|||
Go unifi and manage it remotely.
0cf8612b2e1e 8 minutes ago||
My paranoia goes against this idea. How sure are you that the remote management is hardened? Assuming that disabling external control is actually effective, that seems like it removes most practical exploits one would encounter. A network configuration for a non technical person should be so simple it does not require regular maintenance.
chatmasta 5 hours ago||||
The TP-Link option was great. If it was for myself, I'd build my own with OpenWRT but my goal was to minimize the chance of downtime in case I'm not available to help debug issues. They already had a TP-Link range extender running for 4+ years without ever needing to touch it, so I figured their mesh network was a good option too.
travoc 5 hours ago|||
ASUS routers with Merlin firmware work well in a mesh configuration.
kej 5 hours ago|||
Do any of TP-Link's mesh routers support OpenWrt? I didn't think there was overlap between the "easy to set up for my parents" and "easy to install custom firmware" subsets.
chatmasta 4 hours ago|||
From what I could tell in the admin panel, those mesh routers _are_ OpenWRT. And they have an advanced section where you can upload a firmware .bin.
oever 4 hours ago|||
OpenWRT runs well on Deco M5 with a custom build.

https://forum.openwrt.org/t/ipq4019-adding-support-for-tp-li...

jojobas 5 hours ago||
Assuming there isn't a hidden little core running a hidden little OS somewhere.
rs186 5 hours ago||
Yeah companies should be held guilty unless proven otherwise. Of course you can never actually prove anything, so they are all guilty by default. /s
heavyset_go 5 hours ago|||
You can't bootstrap nearly any embedded ARM SoC and run Linux without running some closed Chinese blob just to bring it up lol
cyanydeez 4 hours ago||
And in reverse, you think Palantir has a transparent business model to trust with your data? I don't get why people find China more suspect than most of these billionaire-led monopolies buying politicians and laws and spouting paranoid gibberish about Christianity and the Antichrist etc.

Both might be fundamentally evil or being, but they aren't different in danger based solely on how white they are.

jojobas 3 hours ago||
What about whataboutism?

And yes an American company in cahoots with the government having the ability to snoop on traffic and turn entire networks off, while bad, is nowhere near as bad as a Chinese one having the exact same capability.

freeopinion 2 hours ago||
The US company and the US government are 1000x more likely to leverage their position in an antagonistic way against US customers.
jojobas 29 minutes ago||||
Devices from companies under direct or implicit CCP control should indeed be considered suspect until proven otherwise. Not just them, but them much more than local ones.
Sophira 1 hour ago||||
Their hypothetical does have weight, though. Damn near every desktop/laptop computer does have "a hidden little core running a hidden little OS" nowadays, after all.[0]

Obviously this particular one isn't in non-Intel equipment, but...

[0] https://en.wikipedia.org/wiki/Intel_Management_Engine

blitzar 5 hours ago|||
Of course there is probably a hidden little os running on hidden core within the hidden hardware running the hidden os.
0xbadcafebee 4 hours ago||
China isn't the major threat for consumer routers; it's crappy firmware. Millions of networks have been compromised from non-state actor attacks on crappy consumer routers. You wanna protect America? Impose a software building code on critical network infrastructure (which should include consumer routers and modems). But they aren't gonna do that, because they're just trying to score cheap political points and put pressure on China for trade concessions.
0cf8612b2e1e 1 hour ago|
Seemingly every year there is yet another Cisco vulnerability because of hard coded passwords. One as recently as July 2025. The entire network industry seems to YOLO the code running the world.

[0] https://sec.cloudapps.cisco.com/security/center/content/Cisc...

Waterluvian 3 hours ago||
The U.S. is the bigger threat anyways. This just feels like America is coming online as a mafia state and wants their cut and their backdoors in things, otherwise they’ll destroy your business.
hekkle 1 hour ago||
To be fair, I think this is most countries, they just don't have as much political power as the US. The UK's Online Safety Act is a good example.

My country (Australia) tried to legislate in 2016 that no one is allowed to use encryption, and if they were required to, for other obvious reasons like for medical data, then they were required to code in a back-door for law enforcement.

PeaceTed 2 hours ago||
An empire in every way except name.
imagetic 7 hours ago||
I have TP-Link Deco's for our WiFi, sitting behind a Firewalla Gold. This has been by far the nicest, simplest at home setup I've ever deployed. Do I love that I chose TP-Link? No. But price to purpose it was the best product available to me at the time.

If TP-Link gets banned, my concern is what that means for the massive market share in the US. Warranty? Software updates? Or maybe that action is what turns them into an agent of the state. Or do you hoard all the hardware until it's valuable like DJI parts are today?

ndiddy 6 hours ago|
My guess is they’ll be forced to sell their US division to whatever company gives the government the most money (sort of like the Oracle-Tiktok deal).
deaux 2 hours ago|||
> whatever company gives the government the most money

If only! Unfortunately it's whatever makes the Party leadership the most money.

hollerith 6 hours ago|||
I thought it was the Chinese owner of Tiktok that got paid money.

What is your evidence that the US government was paid any money as part of that deal (over and above any taxes that would have been incurred by any sale of any business).

cyanydeez 4 hours ago||
He's referring to whoever paid in America to be gifted the largest propaganda platform.

I'm sure money also went to Chinese owners.

hollerith 4 hours ago||
"Gifted" would be misleading if (as I suspect) the entity that ended up with American Tiktok is the entity that won a bidding war to make the most attractive offer to the Chinese owner.
garganzol 1 hour ago||
TP-Link produces solid and affordable network equipment. A great value for the money, which makes their products a popular choice for many customers around the world. But as almost all hardware vendors out there, TP-Link has weaknesses in their software. In a way, they are victims of their own success and popularity. I wish them to get their software security act together.

Banning such a bright tech company is totally unwarranted, unless there are proofs of their intentional wrongdoings.

BobbyTables2 6 hours ago||
Virtually every home router and a whole lot of small business routers should be considered “national security risks”.

TP-Link may be sore for getting singled out but they are certainly not unique.

ddtaylor 8 hours ago||
> The company says it researches, designs, develops and manufactures everything except its chipsets in-house.

So, the plastic bits?

hdgvhicv 8 hours ago||
Presumably the software, the boards, connectors, antenna design, etc.
tliltocatl 7 hours ago||
> connectors, antenna design

And also passives like SMD resistors. They are also refining copper and iron from raw ore. /s

thfuran 7 hours ago||
They actually make their own iron in the heart of a dying star.
R_D_Olivaw 6 hours ago||
They actually manufacture a synthetic star from which they gather their elements.
seizethecheese 7 hours ago|||
As a hardware founder, low quality plastic is not rocket science. On trips to China I’ve heard similar things about other companies, specifically that Foxconn makes everything it uses, including things like coolant or plastic for prototype production.
permo-w 4 hours ago||
I don't think they were saying the plastic bits are rocket science, proverbially or not.
MomsAVoxell 7 hours ago||
Does anyone know what their chips are doing? Do you, really?

Until we have desk side silicon fabrication/placement, with accompanying tunnelling microscope features, we simply cannot trust our silicon in any way other than through utterly peaceful means, which is to say, through systems of human trustworthiness.

Technology never allows us humans to advance sufficiently well to do without it .. unless it is evenly distributed.

Right now we are all at the mercy of the masters of silicon. This is no joke!

ungreased0675 15 minutes ago|||
You can measure input and output with commodity equipment. That will give a good, but admittedly incomplete picture of what the chips are doing.
BobbyTables2 7 hours ago||||
Even with desk-side silicon fabrication, one would have to hope the hardware/software with the design tools wasn’t already backdoor-ed…
Meneth 7 hours ago||
Reflections on trusting trust...
matheusmoreira 6 hours ago|||
Absolutely. We'll never be 100% free until we can fabricate computers at home, just like we can write our own software at home.
rs186 5 hours ago||
> the U.S.-based company’s products handle sensitive American data and because the officials believe it remains subject to jurisdiction or influence by the Chinese government.

These cowards have not yet finished banning TikTok

noitpmeder 5 hours ago|
Because Jeff Yass asked Trump not to
ComplexSystems 7 hours ago|
I don't get what to make of this. Is it all just security theater? The idea of having consumer networking hardware that isn't riddled with security vulnerabilities seems to be a ship that sailed long ago. I doubt this move will prevent major nation states from hacking into whatever they want.