80 comments

[ 5.7 ms ] story [ 95.1 ms ] thread
> The company says it researches, designs, develops and manufactures everything except its chipsets in-house.

So, the plastic bits?

If only there were US manufacturers that could produce things at a decent price and didn't actively hate their customers.
(comment deleted)
I don't have any particular opinion on TP-Link (never used their products), but the idea that a low-cost vendor targeting home and SMB users is somehow a state-level agent trying to compromise those users... needs evidence.

I mean, in the case of actors like Huawei, you can at least credibly make the argument that the continued access of their support staff to internal provider networks is a significant risk, but that vector is entirely absent here.

Sure, embedded firmware has been, is, and will continue to be a tire fire prone to embarrassing compromises, but containing those is mostly about notification and containment by government agencies (which the current US administration is doing their utmost best to kneecap) and/or large ISPs (which in the US have traditionally never cared).

Forcing "foreign" products off the market in favor of "domestic" replacements with the exact same, if not worse, flaws won't fix a thing, unless you put some pretty significant controls into place that nobody is willing to enforce or even outline.

^^^THIS 100%. They are manufacturing low-cost products for home users. That is, if these claims are true, they have neglected a poignant question, why would they bother? They are targeting poor people's personal data, not businesses, not high-profile people, not government bodies.
The real lesson here: If you're successful, don't skimp on security/software! Also, don't abandon software/firmware security support for your products so quickly.

If I was in charge over at TP-Link, getting news that tens of thousands of MY company's routers were compromised would have me furious! I'd be freaking out, making sure that we take immediate steps to improve software/firmware quality and to make sure we're in a constant state of trying to compromise our own hardware... To ensure no one else finds vulnerabilities before we do.

Instead, TP-Link seems to have just laughed and focused strictly on profit margins.

I think a lot of companies violate that lesson and continue to make money.
Just make them liable for the damages and then they will start caring.

This might be one of the only cases where subscription model would work well to cover the maintenance cost.

Until it hits their wallet, they will not do a thing. Now if they were more concerned about longer profits and how this could impact their image, maybe they would change but it is rare you see that nowadays.
But they got this far with $X in security spending, what’s the problem?
People in the comments are defending TPLink for how 'solid' their products are. As someone who just switched to UniFi APs from a Deco Mesh (wired), I have to admit that the difference is deep dark hole and bright sunshine day. Maybe people are comparing to spectrum charter modem combos but I definitely don't see how a router that loses firmware updates in a year can be praised. And it needs reboots so frequently. The Deco has an option now to reboot 'everyday'. This sounds something maybe needed for rare cases where the ISP expects a reboot, but the fact that your routers have that as a feature to keep it stable is a big red flag.

I was so used to this that when I started looking for this setting in UniFi OS I had forgotten the part 'networks are not supposed to be rebooted frequently!'.

The Ubiquity hardware might be good, but the firmware is so shit, especially for IPv6, that I had to replace it with OpenWRT to get it to work (offer IPv6 prefixes for delegation).
It occurred to me recently while driving in a high traffic area that (a) this area is congested every single day at this time and (b) if I shipped a piece of software that literally crawled to a stop for a two hour period every morning and a two hour period every evening that I would be deeply ashamed of myself and my work and that if I ran a department that did that I would have no priorities other than fixing this bug until it was fixed.

Yet we all know so many industries and products that just do not work like that and in fact the longer something is broken and it doesn’t seem to stop people from using it, the more it is accepted that it is ok for it to remain broken. I think that is somehow just a part of human psychology.

> The real lesson here: If you're successful, don't skimp on security/software!

cough Microsoft, Google, Apple cough

> The real lesson here: If you're successful, don't skimp on security/software! Also, don't abandon software/firmware security support for your products so quickly.

Why? Microsoft and Cisco also skimp on security.

> Instead, TP-Link seems to have just laughed and focused strictly on profit margins.

Wait, what? TP-link provides security updates for about as long as their competitors - including providing security patches for devices that are officially out of their support window.

For example, last year they provided a critical security patch for a number of out-of-support routers, including the 14-year-old TL-WR841ND [1].

[1]: https://www.tp-link.com/us/support/faq/4308/

I really miss AirPort, it was the only router/ap with totally solid and easy software. Took the consumer market years to catch up with its mesh features, and they're still annoying with online registration.
TP-link are definitely the worst of the worst. My cousin insisted they were fine as long as you kept the firmware updated, but then he lost all his bitcoins to hackers. TP-link, never again.
I'm not sure what news you are speaking of, can you link to specify?
I've been really happy with the TP-Link smart plugs. I keep upgrading them as The Latest Standard That's Definitely The Real One This Time Trust Us Bro comes out, and the Matter ones are excellent. Getting an instant response from them is really nice. I see no reason to buy others.

I would buy only Hue but that's because I have more money than sense, and they don't actually make smart plugs last time I looked, they make plugs but label them all as lights in the app, which is more annoying than it sounds.

The real problem to solve ditching TP-Link _routers_ is that all routers are uniformly fucking awful, and all you are doing is choosing your particular poison. This is especially true after Apple exited the game so long ago. I use Google Wifi because it mostly works most of the time, but that's not glowing praise. But the world has become trained that rebooting a router once a week and praying that it works when it comes back is a perfectly normal state of affairs and we couldn't possibly do this any better.

> all routers are uniformly fucking awful [...] the world has become trained that rebooting a router once a week and praying that it works when it comes back is a perfectly normal state of affairs

My OPNsense router currently has 74 days of uptime, and that's just because I ran an update 74 days ago. I've never rebooted it to solve a problem. The only wrinkle is OPNsense (and pfSense) is at least an order of magnitude more complicated than your average consumer router.

OTOH, my ubiquity access point reboots itself every time I change any setting at all.

> all routers are uniformly fucking awful,

The mikrotik I've been using has been pretty solid, and super super customizable.

I don’t get the end game here D-link isn’t any better. Are we heading for isp enforced hardware in our homes?
Made by a company who's boss contributes to Trump's re-election campaign obv.
TP-Link makes really solid products, and if you don’t want to use their firmware then almost all of them can easily flash OpenWRT. In fact most of their routers are built from OpenWRT anyway.

I installed their mesh Wi-Fi system for my parents recently and was really impressed how seamless the process was. It did involve making a cloud account which I wasn’t thrilled about, however.

I use their Omada stuff for my business. I own a coffee shop where I have a few devices I need online and I provide free WiFi to customers. I needed something where I could run multiple networks, segregate my own devices, support a large number of clients, automatically turn off free wifi outside of business hours, run a captive portal, reserve a minimum amount of bandwidth for my own devices and prioritize my own traffic, etc. It’s absolutely packed with features and costs less than the stuff I run at home. It was a fraction of the cost of the Meraki gear I was considering. The performance is great too.

I don’t know how much I trust TP Link, but my risk level is very low. There’s not much an attacker could do if they get on my network. None of my data is accessible on that network and everything important has MFA anyway. The most sensitive things are my POS and menu displays and they are just client devices connecting to the internet. I probably wouldn’t run this stuff in an environment where I had complex security requirements.

I have TP-Link Deco's for our WiFi, sitting behind a Firewalla Gold. This has been by far the nicest, simplest at home setup I've ever deployed. Do I love that I chose TP-Link? No. But price to purpose it was the best product available to me at the time.

If TP-Link gets banned, my concern is what that means for the massive market share in the US. Warranty? Software updates? Or maybe that action is what turns them into an agent of the state. Or do you horde all the hardware until its valuable like DJI parts are today?

I don't get what to make of this. Is it all just security theater? The idea of having consumer networking hardware that isn't riddled with security vulnerabilities seems to be a ship that sailed long ago. I doubt this move will prevent major nation states from hacking into whatever they want.
I don’t like that TP Link routers regularly force you to accept new terms of service within their app. If you don’t, then you can’t access much of their configuration options. Basically you get locked out of your own device. I feel like these dark patterns should be illegal.
"TP-Link Systems told The Post it has sole ownership of some engineering, design and manufacturing capabilities in China that were once part of China-based TP-Link Technologies, and that it operates them without Chinese government supervision."

Is that even possible? Or do you always have to be on good terms with the Chinese government to own engineering, design, and manufacturing capabilities in China?

Virtually every home router and a whole lot of small business routers should be considered “national security risks”.

TP-Link may be sore for getting singled out but they are certainly not unique.

There are many many risks.

If TP-Link is pathologically creating unsecure products -- through incorporation of enemy government backdoors or through other improperly handled security vulnerabilities, they deserve to be singled out as making the problem worse and imposing potentially wild cost of risk-mitigation on others.

Similarly, AI (just speaking about current AI), and the reasonably-predictable future AGI / super-intelligences (remember: more than one!) will present humanity with Enormous risk, and we'll (humanity) have no choice but spend the unbounded cost to mitigate that risk.

German avm fritz! is quite good at security maintenance.

are there us equivalents to them?

Per company government acquisition "bans" are stupid for PR and security reasons. Brand-specific banlists are whackamole when the same hardware and software will be immediately duplicated with another cat-walks-on-keyboard brand name that will disappear within a year.

Instead, there should be in-depth, enforced audit, compliance, and evaluation standards for gear for particular purposes. If it doesn't meet particular standard(s), then it can't be purchased or used.

> the U.S.-based company’s products handle sensitive American data and because the officials believe it remains subject to jurisdiction or influence by the Chinese government.

These cowards have not yet finished banning TikTok

OpenWRT is the way to go. If it doesn't run on it, I'd skip such router.
China isn't the major threat for consumer routers; it's crappy firmware. Millions of networks have been compromised from non-state actor attacks on crappy consumer routers. You wanna protect America? Impose a software building code on critical network infrastructure (which should include consumer routers and modems). But they aren't gonna do that, because they're just trying to score cheap political points and put pressure on China for trade concessions.
It would be great to use this moment and do something like Cyber Resilience Act CRA to force companies to deal with the cybersecurity issues.
The U.S. is the bigger threat anyways. This just feels like America is coming online as a mafia state and wants their cut and their backdoors in things, otherwise they’ll destroy your business.
An empire in every way except name.
To be fair, I think this is most countries, they just don't have as much political power as the US. The UK's Online Safety Act is a good example.

My country (Australia) tried to legislate in 2016 that no one is allowed to use encryption, and if they were required to, for other obvious reasons like for medical data, then they were required to code in a back-door for law enforcement.

Regardless of what TP-Link says, the damage is done. I was recently looking for a bigger switch. I went with a use switch instead of buying a new TP-Link because I don't trust them. Now I just need more projects to fill my extra ports on the 24 port switch haha
An unmanaged switch is not going to realistically have exploitable vulnerabilities, the chances of that are dim.

A router, a managed switch or something having an OS is another story.

This is a very one sided article. Shouldn't there be a comparison with TP-Link and all other brands available in-terms of security? Otherwise they're just targeting a company for political reasons.
We are unfortunately getting to the point where the only option for non-power users will be to create an online account to run local hardware you own; just like Windows 11.

I run OPNsense with a collection of Unifi radios (local controller) with great success.

TP-Link produces solid and affordable network equipment. A great value for the money, which makes their products a popular choice for many customers around the world. But as almost all hardware vendors out there, TP-Link has weaknesses in their software. In a way, they are victims of their own success and popularity. I wish them to get their software security act together.

Banning such a bright tech company is totally unwarranted, unless there are proofs of their intentional wrongdoings.