If you’ve purchased a Wi-Fi router in the past year, there’s a good chance it was made by TP-Link. That might not be possible in 2025.
Investigators at the Commerce, Defense and Justice departments have all opened probes into the company due to its ties to Chinese cyberattacks and are weighing a potential ban on the sale of TP-Link routers, says a Wall Street Journal article published last week.
TP-Link has become increasingly dominant in the US router market since the pandemic. According to the Journal report, it grew from 20% of total router sales in 2019 to around 65% this year. TP-Link disputed these numbers to CNET, and a separate analysis from the IT platform Lansweeper found that 12% of home routers in the US are TP-Link.
While there have been high-profile cyberattacks involving TP-Link routers, this potential ban is more about the company’s ties to China than specific security issues that have been publicly identified, according to cybersecurity researchers I spoke with.
“People expect there to be some smoking gun or something in these devices from Chinese manufacturers, and what you end up finding is the exact same problems in every device. It's not like the Chinese devices are glaringly insecure,” Thomas Pace, the CEO of the cybersecurity firm NetRise and a former security contractor for the Department of Energy, told CNET. “That's not the risk. The risk is in the corporate structure of every Chinese company.”
TP-Link was founded in 1996 by brothers Zhao Jianjun and Zhao Jiaxing in Shenzhen, China. In October, it moved its headquarters to Irvine, California, two months after the House announced an investigation into the company. The company told CNET it had previously operated dual headquarters in Singapore and Irvine. Its newly opened headquarters in Shenzhen won an architecture award in 2017.
Watch this: Best Wi-Fi Routers for 2024: A Buying Guide
06:14
In my conversations with TP-Link representatives over the past few days, they’ve repeatedly distanced themselves from ties to China.
“TP-Link has a secure, vertically-integrated, and US-owned international supply chain,” a TP-Link representative told CNET. “Nearly all products sold in the United States are manufactured in Vietnam.”
Even so, the US government appears to see TP-Link as a Chinese entity. In August, the House Select Committee on the Chinese Communist Party urged an investigation into the company.
“TP-Link’s unusual degree of vulnerabilities and required compliance with [Chinese] law are in and of themselves disconcerting,” the lawmakers wrote. “When combined with the [Chinese] government’s common use of [home office] routers like TP-Link to perpetrate extensive cyberattacks in the United States, it becomes significantly alarming.”
Asked for comment, a TP-Link representative told CNET, “Like many consumer electronics brands, TP-Link Systems' routers have been identified as potential targets for hackers. However, there is no evidence to suggest our products are more vulnerable than those of other brands.”
CNET has several TP-Link models on our lists of the best Wi-Fi routers and will monitor this story closely to see if we need to reevaluate those choices. While our evaluation of the hardware hasn't changed, we're pausing our recommendations of TP-Link routers until we learn more.
A ban is more about TP-Link’s ties to China than a known technical issue
The cybersecurity experts I spoke with all agreed that TP-Link had security flaws -- but so do all router companies. It’s unclear whether the government has found a new issue that would lead to a potential ban on TP-Link sales.
The Wall Street Journal article cited federal contracting documents that show TP-Link routers purchased by agencies from the National Aeronautics and Space Administration to the Defense Department and Drug Enforcement Administration.
The potential ban comes at a time in Washington when there is growing bipartisan support for extracting Chinese products from US telecommunications. In an attack revealed in October dubbed “Salt Typhoon,” Chinese hackers reportedly broke into the networks of US internet providers like AT&T, Verizon and Lumen, which owns CenturyLink and Quantum Fiber.
Brendan Carr, Trump’s pick for Federal Communications Commission chairman, said in an interview with CNBC that a recent intelligence briefing on the Salt Typhoon attack “made me want to basically smash my phone at the end of it.”
“In many ways, the horse is out of the barn at this point,” Carr said. “And we need all hands on deck to try to address this and rein this in.”
TP-Link hasn’t been linked to the Salt Typhoon attacks, but it does show the current temperature for perceived threats from China.
The government may have identified a TP-Link vulnerability, but we don’t know for sure
Several of the cybersecurity experts I spoke with believe it’s likely that intelligence agencies have found something with TP-Link that warrants a ban.
“I think this comes from a deeper intelligence within the US government. Usually this happens before the information becomes public,” Guido Patanella, senior vice president of engineering at Lansweeper, told CNET.
In 2019, then-President Donald Trump issued an executive order that effectively banned US companies from using network equipment from Huawei, another Chinese company that came under fire over national security concerns.
Pace, the NetRise CEO, told me he thinks it’s likely that there’s a “zero-day” vulnerability in TP-Link devices -- a term that refers to a hidden flaw in which there have been zero days to fix it -- but he was quick to point out that there’s no evidence to back that up.
“But at least that claim is based in some sort of reality that we are aware of that exists, which is that the PRC (People's Republic of China) is involved in every Chinese corporation. And that's undeniable,” Pace said.
TP-Link has known security flaws, but so do all router companies
A TP-Link representative pointed us to the Cybersecurity and Infrastructure Security Agency’s (CISA) list of Known Exploited Vulnerabilities (KEV). TP-Link has two of these events catalogued, compared to eight for Netgear and 20 for D-Link; other popular router brands like Asus, Linksys and Eero have none.
By this measure, TP-Link isn’t exceptional in either direction, but that might not be all that useful of a measure.
“The problem with the CISA KEV [list] is, if everything's on the list, how good is that list?” Pace said. “Basically, every telecommunications device on the planet has at least one vulnerability on the CISA KEV. It's a big problem that there are not great answers to.”
There have also been several cybersecurity reports that have singled out TP-Link specifically. The most high-profile one came in October when Microsoft released details on a password spraying attack it had been tracking for over a year. In this type of attack, hackers use a single common password to access multiple accounts.
Microsoft referred to the attack as “nation-state threat actor activity” and said TP-Link made up most of the routers used.
In May 2023, Check Point Research also identified a firmware implant in TP-Link routers linked to a Chinese state-sponsored hacking group. In this case, the campaign targeted European foreign affairs entities. Still, the researchers emphasized that the attack was written in a “firmware-agnostic manner” and wasn’t designed to exploit TP-Link specifically.
“While our analysis focused on its presence in modified TP-Link firmware, previous incidents show that similar implants and backdoors have been used on devices from diverse manufacturers, including US based,” Itay Cohen, one of the authors of the Check Point Research report, told CNET.
“The broader implication is that this implant isn’t about targeting a specific brand -- it’s part of a larger strategy to exploit systemic vulnerabilities in internet infrastructure.”
Cohen said he doesn’t believe a TP-Link ban would improve security much. As I heard from other researchers, the security issues that have been identified are not unique to one company.
“The vulnerabilities and risks associated with routers are largely systemic and apply to a wide range of brands, including those manufactured in the US,” Cohen said. “We don’t believe that the implant we found was known to TP-Link or was knowingly inserted as a backdoor to their products.”
Is it safe to use a TP-Link router?
There are real risks associated with using a TP-Link router, but some level of risk is present no matter what brand of router you use. In general, cyberattacks tied to Chinese actors have targeted think tanks, government organizations, nongovernment organizations and Defense Department suppliers, according to the Journal’s reporting.
“I don't think that the average person is going to have this massive target on their back,” Pace told CNET. “They tend to go after the things they want to go after.”
That said, these kinds of attacks are often indiscriminate, with the goal of creating a chain of nodes between infected routers and hackers.
“This means regular users are at risk of being targeted as part of a broader attack campaign, even if they are not individually targeted,” said Cohen, the Check Point Security researcher.
How to protect yourself if you have a TP-Link router
To keep your network safe and secure, you should follow the same steps whether you have a TP-Link router or any other brand. Here’s what experts recommend:
- Keep your firmware updated: One of the most common ways hackers access your network is through outdated firmware. TP-Link told us that customers with TP-Link Cloud accounts can simply click the “Check for Updates” button in their product's firmware menu when logged into the TP-Link app or website. You can also find the latest updates in TP-Link’s download center.
- Strengthen your credentials: If you’ve never changed the default login credentials on your router, now’s the time to do it. Weak passwords are the culprit in many of the most common attacks. “Devices using default or weak passwords are easy targets,” Cohen told CNET. “Default or simple passwords can be easily brute-forced or guessed.” Most routers have an app that lets you update your login credentials from there, but you can also type your router’s IP address into a URL. These credentials are different from your Wi-Fi name and password, which should also be changed every six months or so. The longer and more random the password, the better.
- Consider using a VPN service: For an added layer of protection, a virtual private network will encrypt all of your internet traffic and prevent your internet provider (or anyone else) from tracking the websites or apps you’re using. You can find CNET’s picks for the best VPN services here.