TP-Link routers may be banned in the US in the next year, The Wall Street Journal reports.
The Shenzhen-based router manufacturer is under investigation by the Commerce, Defense and Justice Departments over security concerns and ties to Chinese cyberattacks. Sources told the Journal that TP-Link routers are routinely shipped with security flaws and that the company has been resistant to engaging with security researchers when those flaws are identified.
In October, Microsoft released its own analysis that found that TP-Link routers made up most of the compromised devices in a Chinese “password spraying” hack, referring to the attack as “nation-state threat actor activity.”
TP-Link was already under the microscope when Microsoft released its report: In August, the House Select Committee on the Chinese Communist Party urged an investigation into TP-Link.
“TP-Link’s unusual degree of vulnerabilities and required compliance with [Chinese] law are in and of themselves disconcerting,” the lawmakers wrote. “When combined with the [Chinese] government’s common use of [home office] routers like TP-Link to perpetrate extensive cyberattacks in the United States, it becomes significantly alarming.”
This latest report says that the Commerce Department’s investigation is underway, along with separate probes from the Defense and Justice Departments. Sources told The Wall Street Journal that an office of the Commerce Department has subpoenaed TP-Link and could ban the sale of TP-Link devices in the next year.
“We welcome any opportunities to engage with the US government to demonstrate that our security practices are fully in line with industry security standards, and to demonstrate our ongoing commitment to the US market, US consumers, and addressing US national security risks,” a spokeswoman for TP-Link told the Journal.
Full disclosure: CNET has a number of TP-Link models on our lists of the best Wi-Fi routers and will be monitoring this story closely to see if we need to reevaluate those choices. TP-Link did not respond to a request for comment.
The Biden administration is already exploring action against TP-Link in response to a slew of recent China-backed cyberattacks, but a ban on TP-Link routers would likely be up to the Trump administration, which is expected to take an aggressive stance on Chinese companies. In 2019, Trump issued an executive order that effectively banned US companies from using network equipment from Huawei, another Chinese company that came under fire over national security concerns.
A TP-Link ban would affect millions of users
When Huawei was banned in the US, almost no one in the country was using its smartphones. The same can’t be said for TP-Link.
According to the Journal's report, TP-Link routers make up 64.9% of the US router market. (For comparison, iPhones have a 53% market share of smartphones in the US.) The company took off around the pandemic, when it had around 20% market share.
TP-Link routers are often much cheaper than competitors. Its latest Wi-Fi 7 router currently costs $108 on Amazon; routers with comparable specs cost around $300 from Asus, a Taiwanese company, and $230 from Netgear, a US company.
The Journal's report notes that the Justice Department is investigating whether these cheap prices violate a federal law that prohibits attempts to create a monopoly by selling products for less than they cost to manufacture. The TP-Link spokesperson denied that it engages in these practices.
In addition to being the most common router choice for consumers who purchase their own equipment, TP-Link also makes the routers that more than 300 US internet providers send to you when you opt to rent equipment from them. They’re also widely used by government agencies, showing up in contracting documents from the Defense Department and Drug Enforcement Administration.
What to do if you have a TP-Link router
If you’re one of the millions of internet users who have a TP-Link router in their home, you may be concerned that your device has been compromised. Microsoft’s report found that TP-Link routers have been used in “password spray attacks” since August 2023, which typically take place when the router is using a default password. As always with your home networking equipment, a few basic security steps will go a long way in protecting your data. Here’s what you can do right away:
- Update your login credentials: A shocking number of cybersecurity breaches can be traced back to using the default login credentials set by the router manufacturer (or internet provider if you’re renting your equipment). Most routers have an app that lets you update your login credentials, but you can also type your router’s IP address into your browser’s address bar. These credentials are different from your Wi-Fi name and password, which should also be changed every six months or so. Some good rules of thumb for your passwords: Avoid common words and character combinations, longer passwords are better and don’t reuse passwords across multiple accounts.
- Turn on the firewall and Wi-Fi encryption: These are usually on by default, but I recommend making sure they’re activated. This will make it more difficult for hackers to eavesdrop on the data sent between your router and the devices that connect to it. You can also find these settings by logging into your router from its app or website.
- Consider buying a new router: We always recommend buying your own router instead of renting one from your internet service provider. This is primarily a cost-saving tip, but if your ISP uses TP-Link equipment, now might be a good time to make the jump to another brand. Whichever router you choose, look for WPA3 certification -- the most up-to-date security protocol for routers.