Drilling down on Uncle Sam's proposed TP-Link ban
krebsonsecurity.com | 219 points by todsacerdoti 19 hours ago
I don't understand why people say there are no firmware updates.
Between my house, my parents' house and my girlfriend's parents' house, I have set up 4 different types of TP-Link routers. To my surprise, all of them continue to receive firmware updates years after launch. Most recently last month on some models.
I don't get the hate. They're cheap, they work and they have SOME security features which make them more than adequate for home use.
They're not perfect, but then again, for the price point, what do people expect?
Agreed. Are TP-Link the bastion of advanced security/tech/features and futureproofing? No. But they do what they say they do on the box, and do it reliably which unfortunately is more than you can say for a lot of things these days, no matter the price/payment model.
If you just need a basic ass device for simple non-critical shit without a bunch of proprietary bullshit and dark patterns, it's hard to beat TPLink for the money.
The fact that they still get support/updates long past the typical lifespan of competing devices several times their price point is just icing on the cake.
I didn't realise there was so much TP-Link hate - as consumer networking gear goes I think they're pretty good and trustworthy. Vs. say Tenda or XGFHIU.
(I use mainly Mikrotik at home, but my only AP currently is a TP-link 'extender' (it's 'extending' via ethernet, and the only AP doing so), it's ok.)
Kind of like Anker in batteries and earphones: maybe at some point it was the 'dodgy Chinese brand', but now a solid contender/front-running third-party.
I don't know if there's any connection (no pun intended) but in my head TP-Link kind of took over from D-Link at some point as a sort of low-end Netgear/Asus competitor.
Yeah, I was going to say. My m4R is at least 15 years old and got a firmware update last month.
Same here. Running a small fleet of TP-Link gear across three homes. They all get firmware updates regularly.
Really? I bought an Archer AC1200 at Costco. It was a recent model at the time but received no updates after 1 year.
This may be true, but until when? PRC can demand anytime and have you part of a botnet. Are you comfortable leaving it in their hands?
As someone from Europe, I certainly am at least equally uncomfortable with products from the US. Made in USA to me equals zero concept of privacy protection but plenty state surveillance (CLOUD Act, Cisco having hard coded back doors every two weeks etc.) and recently even lack of rule of law and even threats of annexation of European land and interference in domestic elections.
Sure, China will probably also spy and conduct industrial espionage, just as the US, but they appear to be a rational actor and have never threatened the sovereignty of European countries.
Who can guarantee that the Cisco/UniFi or whatever Made in USA gear won't be a host to a state sanctioned "lawful interception software" politely pushed to many devices with the help of a National Security Letter?
Is this supposed to be some kind of gotcha? Of course this can happen. And not only do I support it, but I think they should do it more and use it to get a shot at any criminal or foreign power.
We can do it, but we shouldn’t expose ourselves for the possibility of our opponents doing it. That simple
Who is "we" in this context?
I'm neither from US nor from China, so I don't belong to either "we". So in my case no hardware is safer unless I design the board and develop the firmware on top of it.
Even then, I'm not sure whether there are hardware vulnerabilities baked in.
I think it’s safe to say that by “We” we can assume it would be your country and its allies.
War and spying has been a thing for a long time now. I think it’s unreasonable to expect countries to not make use of their respective industries and enterprises to get an edge on each other.
The fact is that this kind of hardware is just very good for that, so as a customer, I feel you and I think the best we can do is buy custom hardware and install a custom OS, like OpenWrt.
But I will not complain about my country doing that, because when I see adversaries doing it, it's completely reasonable that it also does. In fact, game theory mandates it.
> I think it’s safe to say that by “We” we can assume it would be your country and its allies.
I live in a country which has been spied on for years by its closest "ally". See Crypto AG scandal for more details. So in my case there's no "we".
Yeah, the most realistic trade-off might be installing OpenWRT and some tripwires to see whether anyone is trying to do something nefarious remotely.
In spying, there's no "we".
> In spying, there's no "we".
Sometimes your own government is the most likely to spy on you.
> Yeah, the most realistic trade-off might be installing OpenWRT and some tripwires to see whether anyone is trying to do something nefarious remotely.
I agree with that, but it's beyond the reach of most people.
I think zero trust or low trust within your LAN is also a good idea. So is firewalling ISP supplied routers.
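The "tripwires" suggested in the comment above, as an added example that is not part of the thread and not OpenWrt's own tooling: a minimal baseline-versus-current check for an OpenWrt box that reports new listening sockets and changed config/startup files. The snapshot formats (one `proto addr:port` line per listener, `sha256sum` output for files) are my assumption about how you would collect them on the device; both snapshots here are constructed inline so the script runs anywhere with a POSIX shell.

```shell
#!/bin/sh
# Added example, not from the thread. A tiny tripwire for an OpenWrt router:
# compare a baseline snapshot taken right after flashing/configuring against
# a fresh one and report drift. On the real device the snapshots would come
# from (assumed collection commands, adjust to taste):
#   netstat -tuln | awk '/LISTEN|^udp/ {print $1, $4}'
#   sha256sum /etc/config/* /etc/rc.local
# Here both snapshots are constructed sample data.

# --- constructed sample data -------------------------------------------
BASE_PORTS='tcp 0.0.0.0:22
tcp 0.0.0.0:80
udp 0.0.0.0:53
udp 0.0.0.0:67'

# Same as baseline plus a new listener on 2323 bound to every interface.
CUR_PORTS='tcp 0.0.0.0:22
tcp 0.0.0.0:80
tcp 0.0.0.0:2323
udp 0.0.0.0:53
udp 0.0.0.0:67'

BASE_FILES='a1b2c3  /etc/config/firewall
d4e5f6  /etc/config/network
0a0b0c  /etc/rc.local'

# /etc/rc.local now hashes differently; the other two are unchanged.
CUR_FILES='a1b2c3  /etc/config/firewall
d4e5f6  /etc/config/network
ffffff  /etc/rc.local'

# --- logic ---------------------------------------------------------------

# new_lines BASELINE CURRENT: print the lines of CURRENT that do not occur
# verbatim in BASELINE. Whole-line fixed-string matching, so a changed hash
# surfaces as a "new" line. Temp files are used because BusyBox grep has -f
# but the shell has no here-strings.
new_lines() {
    _b=$(mktemp) || return 2
    _c=$(mktemp) || { rm -f "$_b"; return 2; }
    printf '%s\n' "$1" > "$_b"
    printf '%s\n' "$2" > "$_c"
    grep -vxF -f "$_b" "$_c" || true   # grep exits 1 when nothing is new
    rm -f "$_b" "$_c"
}

# run_tripwire: print a report; return 1 if anything drifted, 0 otherwise.
run_tripwire() {
    drift=0
    ports=$(new_lines "$BASE_PORTS" "$CUR_PORTS")
    if [ -n "$ports" ]; then
        echo "NEW LISTENERS:"
        echo "$ports"
        drift=1
    fi
    files=$(new_lines "$BASE_FILES" "$CUR_FILES")
    if [ -n "$files" ]; then
        echo "CHANGED OR NEW FILES:"
        echo "$files" | awk '{print $2}'
        drift=1
    fi
    return $drift
}

if run_tripwire; then
    echo "OK: no drift from baseline"
else
    echo "ALERT: device differs from baseline"
fi
```

Run it from cron on a second machine that pulls the snapshots over SSH, not on the router itself: a compromised router can lie about its own state, and the baseline must live somewhere the router cannot rewrite.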
Compared to it being in the hands of the US, who couped my country and bombed my neighbours?
Definitely.
Yeah, this US-centric view that deems China the "bad guys" is also problematic, because in some parts of the world like the Middle East, South America, Africa etc. the US is deemed more evil than China.
I do not know those countries, but in South, South East and East Asia the US is not the threat, it's a potential ally against China. In most of Europe it is an important ally.
Allies do spy on each other, but they are not a threat in the way actual or potential enemies are. The fact that the US spied on Germany, and Britain spied on Belgium, does not really make them threats.
You didn't read the comment that I replied to?
lol, the US didn't just do "spying", read the comment tree first
> much of the rest of the industry serving this market also sources hardware from China and ships products that are insecure fresh out of the box.
So let me get this straight: The US government directly buying stakes in Intel is A-OK, but any involvement from the CCP in any form in any company is Not Good ?
If the only issue at hand was indeed security vulnerabilities, then I can see many ways that can constructively address that (e.g. Since a large number of SKUs deployed in the US are managed by the Telcos, then force them to finance the support for continued firmware updates).
The US will probably be collecting the reciprocity of their actions, and they won't like it ... It's a very childish game they're playing and it will hurt them in 15 years time ...
There's a difference between buying shares, something Western governments have done forever, and owning controlling interest.
There's also a difference between owning some shares, which is hands off, and having no legal blocks to killing the CEO's family if he doesn't do as wished.
You're comparing false equivalences.
Chinese ownership of corporations is entirely different in this context. Even with the current US leadership, no comparison. None.
I don't know if you've been paying attention lately, but the US Government is very hands on when it comes to directing businesses these days, and Congress lets the President do whatever he wants, whether strictly legal or not.
Do you really not think the current President wouldn't lean as hard on a US corporation as he needed to in order to get whatever he wanted?
"Chinese ownership of corporations is entirely different in this context"
There is no difference. The US does not effectively have any law or checks on the power of the presidency at this point. Various tech companies had executives literally enlisted in the armed forces. The government has shown, repeatedly, that it will financially penalize any company that doesn't serve their agenda. It has controlled broadcasters and social media and financial organizations.
As an outsider looking in, any difference between the US and China is mostly illusory. It has all been revealed to be make believe.
Do you think it's childish in the other direction too? They have been limiting many US products for similar reasons for many years now.
To be entirely honest, yes, American leadership is currently very childish while the Chinese one is everything but childish. And the simple observable consequence is that China is winning whatever pissing contest is going on while America is busy shooting itself in its own foot, applying a bandage and then claiming it won because it is not bleeding anymore.
The US only ever plans as far as the next election. China plays the long game.
I think it's naive to assume competing states would be fair. Most of what both say is just propaganda. Their main purpose is to serve their respective overclasses, nothing else.
> The US government directly buying stakes in Intel is A-OK, but any involvement from the CCP in any form in any company is Not Good ?
Yes, it’s the US government. Of course it thinks advancing US gov controlled technology is good and CCP influence in the US is bad. That’s a completely rational stance and it’s not even hypocritical until the CCP bans some US product and the US gov complains.
Now imagine you're not American. Now you have the choice between 2 nations you don't trust. Which one are you going to take? The one you don't trust that hasn't done anything to you personally, or the one that recently went rogue and is making a point of it to make everyone's life a little more miserable, actively?
> it’s not even hypocritical until the CCP bans some US product and the US gov complains.
It's not even hypocritical then. Both sides are protecting their own interests. These interests are partly at odds to each other. They're going to do what they believe is necessary, even if it "seems" hypocritical. That's not a bad thing, that's just ... how things work. China isn't innocent of this either. It's so weird how people are always painting this as "US bad".
Then look at it from countries that want to protect their sovereignty and culture. The smart move is playing the big guys against each other, not joining either side.
> That's not a bad thing
Except the US was all about capitalism and they have now turned back and embraced socialism, except it's socialism for losses, to be paid by the taxpayer.
The real lesson here: If you're successful, don't skimp on security/software! Also, don't abandon software/firmware security support for your products so quickly.
If I was in charge over at TP-Link, getting news that tens of thousands of MY company's routers were compromised would have me furious! I'd be freaking out, making sure that we take immediate steps to improve software/firmware quality and to make sure we're in a constant state of trying to compromise our own hardware... To ensure no one else finds vulnerabilities before we do.
Instead, TP-Link seems to have just laughed and focused strictly on profit margins.
The real lesson here: don't forget to bribe the president of the US.
This was my first thought. Why TP-Link, why now? Looks like another extortion scheme from POTUS.
It occurred to me recently while driving in a high traffic area that (a) this area is congested every single day at this time and (b) if I shipped a piece of software that literally crawled to a stop for a two hour period every morning and a two hour period every evening that I would be deeply ashamed of myself and my work and that if I ran a department that did that I would have no priorities other than fixing this bug until it was fixed.
Yet we all know so many industries and products that just do not work like that and in fact the longer something is broken and it doesn’t seem to stop people from using it, the more it is accepted that it is ok for it to remain broken. I think that is somehow just a part of human psychology.
> It occurred to me recently while driving in a high traffic area that (a) this area is congested every single day at this time and (b) if I shipped a piece of software that literally crawled to a stop for a two hour period every morning and a two hour period every evening that I would be deeply ashamed of myself and my work and that if I ran a department that did that I would have no priorities other than fixing this bug until it was fixed.
The hubris of the spotless software engineer mind.
We have a solution for the traffic problem but you won't like it.
There is no "traffic".
YOU ARE THE TRAFFIC.
Cars and roads for cars don't scale well past very rural or very small suburban areas.
The solution to traffic is extremely hard and it involves:
* you and lots of other drivers voting to allow densification of highly serviced areas (close to central business districts, public transportation, hospitals, schools, ...) - at least mid rise apartment buildings, 4-6 stories high
* you and lots of other drivers voting to allow funding of public transit
* you and lots of other drivers voting to allow funding of reduction of car infrastructure (fewer car lanes, fewer parking spots, fewer highways, fewer car only bridges, tunnels, etc)
* you and lots of other drivers voting to allow funding of safe bike infrastructure
* you and lots of other drivers voting to allow congestion pricing in ... congested places
* you and lots of other drivers voting to allow funding for anti bike theft measures (police training, bike theft prioritization, bike serial number databases, ...)
* you and lots of other drivers taking public transit
* you and lots of other drivers riding bikes for medium length trips
* you and lots of other drivers walking for short trips
I used to live near and work in Boston (near Fenway). My solution was a bit more radical than yours: passenger cars should basically never be allowed inside Boston proper. The city was not meant for cars and it shows. Instead, build moving walkways and fix the issues with for example the Green Line averaging 6mph (walking speed).
Truck deliveries can happen 3am to 6am every Tuesday and Thursday, or by paying $1,000/day toll fee.
Yes it is radical and yes people would get used to it and think it is superior after a time.
It is sometimes better to not ship a product at all instead of shipping a completely and fundamentally broken product.
I think this is you seeing the faults of other industries but being blind to yours.
No single person created the traffic jam "bug", the "users" are the biggest part. In many industries "the fix" isn't a few lines of code that you can one-click push to all users. You can't fix that traffic jam in code or even in infrastructure, you need to change society itself on top of everything else. It may not even be a defect as much as a supply and demand issue where supply is very scarce and impossible to ramp up, while demand is super high and growing. Cloud providers run out of capacity in some regions, their developers should be ashamed?
Software can be fixed quickly if broken. Capacity not so much. Software is also routinely launched broken, and subsequently stays in various degrees of broken or not usable enough throughout its lifecycle, with new and unpredictable issues replacing old ones.
If too many people wanting to drive a car in the same place, at the same time despite the predictable outcome due to the limited capacity is purely a failure of the city, country, road builder, then isn't a user not being able or not knowing how to properly use the software the fault of the developer? Is demanding more from the software than it can deliver the fault of the developer? How much cumulated time does this cost, sometimes for absolutely no reason whatsoever than an arbitrary decision of the developer?
You aren't "deeply ashamed" because you downplay the issues you (or your company) create as a developer and pretend they aren't problems for the users. A "part of human psychology" tells you 1000 smaller cuts are fine.
There is a big difference between 1000 smaller cuts and the one and only function of a piece of infrastructure clearly not working every single day.
If this was actually the lesson then they'd be banning Fortinet, but it seems these concerns about security don't apply to US listed companies.
Bold of you to assume those Fortinet vulns aren't just exposed government backdoors.
This is like seeing a food poisoning outbreak at a fast food restaurant and concluding that it must be CIA/FSB/Mossad bogeymen trying a bioweapon. These breaches are things like not validating authentication tokens (at all, not just correctly) and that would be a big drop in professionalism from what we’ve seen from nation-state level attacks:
https://labs.watchtowr.com/get-fortirekt-i-am-the-super_admi...
Hanlon's razor, paradoxically, is the perfect cover for surreptitious malice. We've already got a perfectly reasonable razor telling people not to assume malice, after all.
And to be clear, let's not forget that the US government did intentionally and secretly conduct surreptitious biological warfare tests against entire US cities that deliberately inflicted disease upon and killed American citizens. There was an entire formal program that spanned decades - https://en.wikipedia.org/wiki/United_States_biological_weapo...
Of course, the US government doesn't have any secret programs anymore and never lies to us, so everyone can rest easy knowing nothing like this could ever happen again.
> The real lesson here: If you're successful, don't skimp on security/software! Also, don't abandon software/firmware security support for your products so quickly.
Why? Microsoft and Cisco also skimp on security.
Just make them liable for the damages and then they will start caring.
This might be one of the only cases where subscription model would work well to cover the maintenance cost.
> This might be one of the only cases where subscription model would work well to cover the maintenance cost.
1) Company takes your subscription money.
2) Company finds a vulnerability that's difficult to fix.
3) Company announces your device is EOL and ends your subscription, taking your money for doing nothing, and not helping when you need it.
> This might be one of the only cases where subscription model would work well to cover the maintenance cost.
Or, hear me out on this one, it is a wild take: if you come out with a device, system or software that has fundamental flaws, you fix them at your own cost or get fined into oblivion if you don't.
If a company is not able to come up with reliable, quality products, then perhaps it shouldn't be in the business of creating said products to start with.
The fact that you suggest subscriptions to fix fundamental issues is a good reflection of how companies have managed to skew the general perception on what is "acceptable" as a product. In fact, they have pushed it so far, that they are feeding it to us backwards.
Pushing out minimal viable products and have subscribers pay to (perhaps, one day) get something that works shouldn't be the norm.
A car info/entertainment system that is too slow and buggy because the manufacturer couldn't be bothered to take the steps necessary to make sure it worked reliably? -> fix it
A phone manufacturer that throttles your system after a year because they couldn't be arsed to properly size their batteries originally? -> fix it
A router manufacturer shipping software so buggy their hardware needs to be rebooted periodically? -> fix it
Etc.
"Software is hard" or "product design is hard" are no excuses. Building airplanes that don't fall out of the sky is also hard, and yet we manage to do so. (Or, rather ironically, the ones that follow the "minimal viable product" software mentality do fall out of the sky. Looking at you, Boeing).
Those are the companies that abuse customer trust and sell them something cheap under the guise of high quality, when in fact it is really cheap and not well thought out.
Yea, in the real world, the CEO gets news that tens of thousands of his company's routers were compromised, and calls up his General Counsel and asks "are we liable for damages?" And if the answer is NO, he goes back to enjoying the house party in his luxurious third home.
Yeah, I know, at some point you cannot make them care for their customers wholeheartedly.
Contracts will (and do) include boilerplate whereby the customer absolves the manufacturer of liability.
It’s fairly trivial to write a law that makes those illegal.
"No liability" already mostly only applies to defective products, not harmful ones.
The only industry with a broad "no liability for torts" is gun manufacturing.
The question is whether you want to interfere in the freedom of contract for this.
Almost all software everywhere comes with a 'no liability' clause. And arguably, open source couldn't exist without it.
The exceptions where liability is wanted negotiate that specifically.
> And arguable, open source couldn't exist without it.
Couldn't you just include selling a product or a licence for it as a requirement?
The GPL is a license.
> selling a product or license
Generally most GPL'd software isn't sold (terms and conditions may apply).
There is precedent, for example, lemon laws related to automobiles. Unfortunately, governments have ceased to care for consumers like they once did.
Or maybe, don't capture 50% market share in a country that's decided your country of origin is the threat of the decade.
TP-Link's Headquarters are in California, they have a branch in Singapore and they manufacture in Vietnam, which of those were the threat exactly?
This whole thing is reminiscent of the TikTok CEO Chew Shou Zi - "But, I'm Singaporean, Senator".
It was a completely Chinese company until last year. Then it split in 2. The US headquartered half has 11,000 employees in mainland China and 500 in the US based on what I could find when I googled it. It’s solely owned by the founder of the original company and his wife who are Chinese citizens.
I don’t know whether it’s worth banning them or not, but putting your hands up and saying “what Chinese company?” is just absurd.
1. The company was founded by Zhao Jianjun and Zhao Jiaxing, who are brothers. I don't know where you got the husband/wife sole ownership from.
2. As you admitted, they have completely separated into 2 separate companies, claiming that it is still Chinese is akin to saying "tea is Chinese", that's completely absurd, yes, it was at some point in history, that point is not now.
1. I got the idea from the TP-Link website. Zhao Jianjun is known in the US as Jeffrey Chao. He and his wife are the sole owners of the US company.
“in October 2024, established TP-Link Systems Inc., based in Irvine, CA, as its global headquarters and parent company with Jeffrey (Jianjun) Chao and his wife Hillary as sole owners. Jeffrey is CEO of the company.”
https://www.tp-link.com/us/landing/fact-sheet/
2. The sole owners are Chinese citizens, 95% of their employees are Chinese citizens living in China, most of the R&D happens in china, and the majority of the components of their products are manufactured in China.
They have an HQ building in the US, but 90% of it is leased to other companies.
This is a US based company in name only. It’s essentially a shell company designed to bypass a potential US ban.
Since 2018 TP-Link has manufactured products for the U.S. market in its own factory in Vietnam.
From your linked fact sheet.
They assemble final products in Vietnam. The majority of the components, including all of the chipsets, are manufactured in China.
It's hard to believe you're saying 2 in good faith. Companies don't change that fast, and you skipped the part where so many of the employees are still in China.
It took them 3 years to achieve this, so yes, they can change that fast...
Did you not read the article? It's hard to take your comment in good faith if you didn't.
Three years would be an impressive timescale to move a company from one country to another.
Except they didn't do that. They moved the HQ.
I'll accept for the purpose of this argument that they fully split the company into two separate companies. But both of those companies are still mostly Chinese, going by the numbers in this thread.
> Did you not read the article? It's hard to take your comment in good faith if you didn't.
This is a weak attempt at turnabout. The article doesn't present any evidence of separation or non-Chinese-ness, it just quotes the company (and even that quote admits a bunch of Chinese assets). But even if it did, it wouldn't be bad faith to skip reading it.
> This is a weak attempt at turnabout. The article doesn't present any evidence of separation or non-Chinese-ness, it just quotes the company (and even that quote admits a bunch of Chinese assets). But even if it did, it wouldn't be bad faith to skip reading it.
1. Who else would document a company's restructure if not the company itself?
2. Yes, not reading an article and commenting on it is bad faith.
> going by the numbers in this thread.
3. So you have no evidence of it not being as the company says, just the vibes of others on this thread, okay Senator.