US investigates Chinese router maker TP-Link over national security concerns

The investigation marks a new step in US efforts to rein in China-linked technology companies, which are seen as potential threats to national cybersecurity and data.

This time, the target is TP-Link, a company that has long avoided security attention despite dominating the home and small office router market.

TP-Link's devices play a key role in transmitting information from the internet to devices like computers and smartphones, making the company a new focal point in the fight to protect America's cyberspace.

Investigators from the U.S. Commerce Department subpoenaed TP-Link representatives this month, asking for details about the company’s organizational structure, according to people familiar with the matter who asked not to be identified because of the sensitivity of the matter. The investigation was reported by the Wall Street Journal on December 18.

The investigation was initiated in response to a letter sent in August from the co-chairs of the House's special bipartisan committee on China, the source said.

In the letter, the lawmakers called on the agency to look into the “serious national security threat” posed by TP-Link's large market share in the US.

They stressed that Chinese law compels businesses to support the state's intelligence and military goals, and pointed to Chinese government-backed cyberattacks that routinely exploit vulnerabilities in routers.

The executive order that underpins the investigation gives the US government significant powers to ban the operations of information and communications technology companies with ties to adversary nations. If these companies are determined to pose an “unacceptable risk” to national security, they can be excluded from the US market.

Regarding this issue, a TP-Link Systems spokesperson said that the company "is ready to cooperate closely with the US government to demonstrate that our security processes are fully compliant with industry security standards. We are strongly committed to continuing to serve the US market and consumers with the highest transparency and responsibility."

TP-Link has stepped up efforts to distance itself from its Chinese roots in recent times. TP-Link Systems, now headquartered in Irvine, California, was renamed in July this year, according to a spokesperson.

The company is no longer affiliated with TP-Link Technologies, which was founded in China in 1996 and was once owned by brothers Zhao Jianjun and Zhao Jiaxing.

A TP-Link Systems spokesperson added that after the restructuring process that took place this year, Zhao Jiaxing now holds a 97.5% stake in the Chinese business, while Zhao Jianjun and his wife own 100% of the US business and other businesses, which have now been consolidated under a legal entity in California.

The move to separate the company from China comes as other companies are facing increased scrutiny from U.S. regulators, according to people familiar with the matter, and has only added to investigators’ skepticism of TP-Link.

What are the potential dangers?

Ownership issues aside, people familiar with the investigation say investigators are concerned that TP-Link may be employing what many US national security experts call a “Huawei playbook.”

This is a reference to claims by the US government and lawmakers that Huawei Technologies is a spy tool for the Chinese government and has become a dominant force in the global networking equipment industry thanks to opaque state subsidies. However, both the company and Beijing have denied these allegations.

US regulators have imposed strict restrictions, making it difficult for Huawei to sell devices in the US market as well as buy components from US suppliers.

Hackers can intercept or alter communications through routers, and remotely disable them, cutting off users' internet access. Furthermore, they can use compromised routers to build a botnet, which helps to hide the origin of attacks against the end target.

Hackers can intercept or alter communications running through routers, as well as remotely disable them, cutting off users' internet access. They can also use compromised routers to assemble a botnet to mask the origin of attacks on their ultimate targets.

According to sources familiar with the matter, US officials have identified TP-Link routers as one of many brands, including American ones, that have been exploited by Chinese state-sponsored hackers to carry out cyberattack campaigns such as Volt, Flax, and Salt Typhoon.

These attacks targeted critical US infrastructure, including water and transportation networks, as well as telecommunications and internet companies. Investigators also expressed concern about a series of Chinese state-sponsored attacks known as Camaro Dragon, in which compromised TP-Link routers were used to attack diplomatic entities in Europe.

There is currently no evidence that TP-Link was involved or complicit in any of the attacks. Security researchers from Lumen Technologies' Black Lotus Labs, which discovered the Flax Typhoon attack, and Check Point Software Technologies, which identified the Camaro Dragon, also confirmed that they had found no evidence of TP-Link's involvement.

What is TP-Link's market share in the US?

According to data reviewed by investigators, TP-Link now accounts for about 60% of the US retail market for SOHO Wi-Fi systems and routers, compared with only about 10% in early 2019. In particular, in the Wi-Fi 7 segment, the most advanced Wi-Fi technology today, TP-Link accounts for nearly 80% of the US retail market.

TP-Link has recently signed contracts with internet service providers, who then distribute the routers to their customers. The company has signed a total of 300 such contracts in the past two years, mainly with wireless internet service providers.

According to sources familiar with the matter, in the TP-Link investigation, US officials were surprised by data showing how TP-Link outmaneuvered its rivals to quickly capture a large portion of the SOHO (home and small business) router market in the US in less than six years,

TP-Link's rise in market share coincides with a rise in Chinese state-sponsored cyberattacks targeting SOHO routers, sources say, further raising concerns among investigators.