News U.S. Weighs Ban on Chinese-Made Router in Millions of American Homes (TP-Link)

[BeachGuy]

https://www.wsj.com/politics/national-security/us-ban-china-router-tp-link-systems-7d7507e6?mod=hp_lead_pos1

 

[maxbraketorque]

I saw that in the news today as well. The fact that TP-Link equipment is less expensive and appears to be well supported is compelling, but I worry about products where the features are too good to be true for the price.

 

[Objects in Space]

Here is a shorter article that summarizes the core security issues and the Chinese company not fixing known security flaws of the TP-Link routers.

Most popular home internet routers in US may be banned over security risks

The most popular home internet router brand in the US may be banned from sale in the country over fears...

9to5mac.com

 

[sfx2000]

Here is a shorter article that summarizes the core security issues and the Chinese company not fixing known security flaws of the TP-Link routers.

More moral panic in the US over things "China" related at the moment... whether it's Huawei, ZTE, others - just earlier today, more sanctions against China Telecom doing business in the US - it's just a thing, and I get it.

Mixed feelings here, as there is legit concern for any consumer networking gear having security issues - the code is complex because of creeping features - e.g. let's do network VPN, filesharing, let's open up the code for third party scripts, etc...

TP_link isn't the only one there - and we've seen more that a fair share of issues with other vendors such as Netgear, Cisco, etc...

Some of the issues are upstream in the Chipset Vendor SDK's, others are inside the Vendor code, and of course, for more "open" devices, the third party scripts that are resistant to audits.

Again, as I say, Moral Panic - are they legit bugs, or are they intentional backdoors? If we go down that path of backdoor issues, then gear from every company is suspect...

 

[Tech9]

If really so concerned - replace the devices for free with something Made in USA. About 65% of the market... may cost around $20B give or take, no biggie. At least cyber care will be there in place of health care. Everyone will be happy. I'm personally more concerned about the cats...

 

[Objects in Space]

More moral panic in the US over things "China" related at the moment... whether it's Huawei, ZTE, others - just earlier today, more sanctions against China Telecom doing business in the US - it's just a thing, and I get it.

Mixed feelings here, as there is legit concern for any consumer networking gear having security issues - the code is complex because of creeping features - e.g. let's do network VPN, filesharing, let's open up the code for third party scripts, etc...

TP_link isn't the only one there - and we've seen more that a fair share of issues with other vendors such as Netgear, Cisco, etc...

Some of the issues are upstream in the Chipset Vendor SDK's, others are inside the Vendor code, and of course, for more "open" devices, the third party scripts that are resistant to audits.

Again, as I say, Moral Panic - are they legit bugs, or are they intentional backdoors? If we go down that path of backdoor issues, then gear from every company is suspect...

The legitimate concern is any vendor that is knowingly selling their products with known security issues and purposely not going to patch their products.

If the problem is baked into the chips, then the vendor should have already released a security bulletin. Examples are old Intel chips or Apple's Secure Enclave chips.

Leaving security holes is bad for retail customers, businesses and governments that use their products that opens various threat vectors for hackers and governments.

If the shoe were on the other foot, what do you think China would being recommending right now?

EDIT: Fixed my grammar errors and provide better clarity.

 

[OzarkEdge]

I setup a TP-Link AXE75 (first gen WiFi6e, 2022) two days ago for a neighbor, their purchase... it looked ok... has enough features standalone and the webUI is more hard-wired than with ASUS equipment... did not try its mesh. But its webUI is cloud account/ID-oriented/sticky... it wants to lead you down that rabbit hole.

The Home Shield part adds Trend Micro-like security, parental controls, and QoS; but can't be used without that TP-Link cloud account that binds your network to theirs... there is even a factory reset option to not reset/lose the TP-Link account settings... how convenient!... and the security bits you would want to use require a subscription and recurring cost... so no-go there. No DoT support. Left 6.0 WLANs disabled.

I had one setup issue with it... it would not save settings until I relaxed my recently locked down browser site permissions... not sure which ones since I was on the clock and had to get it done before their dinner.

Also noticed less frequent firmware releases.

I sent them a Google Search link to the ban news... I trust that was a bummer.

OE

 

[sfx2000]

If the shoe were on the other foot, what do you think China would being recommending right now?

Who knows, probably one of their domestic brands - they have a vibrant set of OEM's that are typically not available in the NA and EMEA markets... and their own silicon that is rarely seen outside of market.

If one really wants something secure - best option at the moment is Google Nest WiFi - they have a discrete TPM chip that signs all the code, including the bootloader, and very few services exposed on the device itself - I suppose the risk there is that they are managed by Google Home app, so there is the risk of one's Google account being compromised...

(Google's Nest routers are essentially headless Chromebook's for all intent and purposes as their BSP is Chromium OS with the SoC vendor SW limited to drivers only)