TP–Link has pushed back on accusations it failed to address router security concerns after reports suggested the US government is considering banning the company’s devices.
The Wall Street Journal recently revealed that several federal agencies in the US were investigating whether the company poses a national security risk after questions were raised about its responsiveness to patching security vulnerabilities and potential ties to the Chinese government.
A spokesperson for TP-Link provided ITPro with a response to the allegations raised in the report, specifically challenging accusations that its devices are less secure than competing manufacturers.
“You may be aware of reports that our company’s routers are among the many brands of consumer electronics being targeted by PRC-based hackers. While we are the #1 router of choice in the US market, we are aware of no indications that our products are more vulnerable to hacking than other brands. We stand behind the quality, security, and integrity of our products,” the statement read.
“TP-Link Systems, which is headquartered in the United States, provides all products to UK customers. We take vulnerabilities very seriously and work closely with agencies and companies to resolve any product vulnerabilities immediately.”
“At all times we are fully compliant with all regional industry security standards and regulations.”
According to data published by Lansweeper, of a total of 730,000 devices identified using network scanning service Fing, 12% of US households and 2.15% of US businesses were using TP-Link routers.
TP-Link insists it has taken the necessary steps to ensure the security of its supply chain, citing its recent signing of the CISA’s Secure by Design pledge.
“TP-Link Systems carefully controls its own supply chains to optimize value and security, implements rigorous secure product development and testing processes, and takes timely and appropriate action to mitigate any vulnerabilities we become aware of. We are constantly assessing potential security risks to our U.S. and UK operations, customers, and supply chain,” they explained.
“TP-Link Systems supports efforts to increase product security and user data protections across the networking and connected device ecosystems. We recently signed the ‘Secure by Design’ pledge on secure product development sponsored by the US Cybersecurity and Infrastructure Security Agency, and are actively engaging with CISA and other cybersecurity stakeholders.”
TP-Link denies links to Chinese state
TP-Link came under fire after Microsoft warned a covert network used by a Chinese threat actor in a password spraying campaign predominantly consisted of compromised TP-Link routers.
The network, tracked as CovertNetwork-1658, was used to conduct brute-force attacks on Microsoft 365 accounts, as well as VPNs and SSH accounts.
Sonu Shankar, CPO at security company Phosphorus, noted recent espionage campaigns against US telecommunication companies linked to Chinese threat actors have heightened the level of attention on hardware firms founded or based in the country.
“Recent revelations about attacks on US telecommunications infrastructure have increased public scrutiny on Chinese-manufactured devices, particularly those with a significant presence in consumer and enterprise environments,” he explained.
“With TP-Link products being widely used across the US and reports that several models tend to ship with firmware vulnerabilities, I’m not surprised that the company is under investigation.”
TP-Link will continue to work with the US government to address lingering security concerns, the spokesperson added, challenging claims that the Chinese government has any influence over the design and production of its devices.
“TP-Link Systems is proactively seeking opportunities to engage with the U.S. government to demonstrate that our security practices are fully in line with security standards,” the spokesperson added.
“To be clear, the Chinese government does not have access to and control over the design and production of our routers and other devices. TP-Link Systems is no longer affiliated with China-based TP-LINK Technologies, which sells exclusively in mainland China. Further, TP-Link Systems and its subsidiaries do not sell any products to customers in mainland China.”