US Agencies Back Banning Top-Selling Home Routers on Security Grounds (msn.com)
- Reference: 0179914282
- News link: https://news.slashdot.org/story/25/10/30/1250216/us-agencies-back-banning-top-selling-home-routers-on-security-grounds
- Source link: https://www.msn.com/en-us/news/politics/u-s-agencies-back-banning-top-selling-home-routers-on-security-grounds/ar-AA1Pubbt
> The proposal, which arose from a months-long risk assessment, [1]calls for blocking sales of networking devices from TP-Link Systems of Irvine, California, which was spun off from a China-based company, TP-Link Technologies, but owns some of that company's former assets in China.
>
> The ban was proposed by the Commerce Department and supported this summer by an interagency process that includes the Departments of Homeland Security, Justice and Defense, the people said. "TP-Link vigorously disputes any allegation that its products present national security risks to the United States," Ricca Silverio, a spokeswoman for TP-Link Systems, said in a statement. "TP-Link is a U.S. company committed to supplying high-quality and secure products to the U.S. market and beyond."
>
> If imposed, the ban would be among the largest in consumer history and a possible sign that the East-West divide over tech independence is still deepening amid reports of accelerated Chinese government-supported hacking. Only the legislated ban of Chinese-owned TikTok, which President Donald Trump has averted with executive orders and a pending sale, would impact more U.S. consumers.
[1] https://www.msn.com/en-us/news/politics/u-s-agencies-back-banning-top-selling-home-routers-on-security-grounds/ar-AA1Pubbt
Tough call... (Score:5, Insightful)
The problem is that having 6 federal agencies back a proposal used to mean something valuable. Now it just seems like they think it's the politically acceptable thing to do. And so it's useless if you're just trying to evaluate risk. The destruction of the trustworthiness of these agencies is catastrophic, and will live far beyond the four-year horizon.
The thing is, those agencies might be giving an honest assessment, and are collectively just trying to do their jobs as well as they can. There's just no way to know.
Re: (Score:2, Offtopic)
A message from our rulers:
BE AFRAID!!! BE VERY AFRAID!!!
Frightened people are easier to control.
Re: (Score:2)
It's been that way since at least Bush. WMDs.
Re: (Score:2)
Bush at least had the good sense to limit his destruction of agencies to the intelligence areas and even then the established ones were not the ones lying so boldly, the admin created a wholly new department to disseminate their bad facts. [1]Office of Special Plans [wikipedia.org] specifically because the actual CIA data was not pointing to WMDs.
This is bad and had very bad outcomes but it's distinct in an important way I think.
[1] https://en.wikipedia.org/wiki/Office_of_Special_Plans
Re: (Score:2)
> Bush at least had the good sense to limit his destruction of agencies to the intelligence areas
Lies: [1]https://www.theguardian.com/en... [theguardian.com]
You have recency bias.
[1] https://www.theguardian.com/environment/2007/jan/31/usnews.frontpagenews
Re: (Score:2)
Obviously we were talking about Iraq buildup and not every single aspect of the admin [1]but I respect the hustle. [knowyourmeme.com]
[1] https://knowyourmeme.com/memes/ackchyually-actually-guy
Re: Tough call... (Score:2)
This is a faith-based administration. Evidence and science are for eggheads, see? Cuffy Meigs and his gang are in charge now.
Shame (Score:3)
TP-Link hardware is generally quite decent, and a lot of their gear can be flashed with OpenWRT if you don't like their firmware.
Their firmware isn't bad though. They update it when needed, and they don't disable features just to upsell you the next model, generally if the hardware can do it they will have that feature enabled.
Re: (Score:2)
> Their firmware isn't bad though.
Loads of severe vulnerabilities
> They update it when needed
No they don't. They regularly abandon devices with unfixed flaws, like everyone else.
Re: (Score:2)
TP-Link don't seem to be worse than the competition for security issues. Certainly better than Cisco/Linksys and... Actually that's it for US manufacturers, isn't it? You can get a bit better if you pay a lot more, like some of the UniFi stuff, but not in that price bracket.
Otherwise it's Taiwanese vendors like D-Link and Asus, neither of which I rate very highly. Neither offers very good security or support.
I wonder who is next. GL.iNet have a lot of very good products (their Flint routers are very well rec
Re: (Score:2)
Ubiquiti isn't even out of the bracket. They fall on the high end, ~$200, but that gets you a 10-gigabit router with Wi-Fi 7. Comparably spec'd Linksys and Netgear routers cost about the same. Plus, I'm pretty sure they're still OpenWRT based.
Asus has been tied to slave labor, so I won't buy from them anymore. I just wish I had found that out before I rebuilt my computer instead of shortly after.
Ban closed routers (Score:3)
Here's a plan, ban any routers where the system isn't FOSS with anti-tivoization.
I know, not gonna happen.
But it's the only rational solution.
Re: (Score:2)
Open Source is not the magic wand to fix every security issue, how many issues have sat in Linux for years or even decades before being found and addressed?
Re: (Score:1)
> Open Source is not the magic wand to fix every security issue
Straw man
> how many issues have sat in Linux for years or even decades before being found and addressed?
How many issues have sat in Windows for years or even decades before being found and addressed? You will NEVER KNOW because that information is a SECRET. You're acting like Linux isn't superior from a security standpoint when we all know it is, and it's sad. Bill Gates will never appreciate you.
Re: (Score:2)
To be fair, his was not a straw man. There are legitimate examples that demonstrate his point. Log4j is a good one.
But your Windows point is a non sequitur. He didn't say anything about Windows. He just said open source wasn't a magic wand, and that's true.
Re: Ban closed routers (Score:2)
It was a straw man because no one claimed what he said wasn't the case. You could just look up logical fallacies if you are confused about them.
Re: (Score:2)
Wait. Since when is the straw man fallacy dependent upon someone challenging it? Do they cease being fallacious when someone says they aren't true, or were they already fallacious regardless of whether or not anyone noticed?
Re: (Score:2)
In Win NT 3.51 the printer driver ran in kernel mode, substituting a corrupted kernel could introduce all sorts of security issues. They attempted to deal with it in Service Pack 3, and it broke all sorts of apparently-unrelated things. Can't remember if they withdrew the SP or if they just recommended not installing it unless you had to. Anyway, that issue was finally addressed just a couple of years ago, I think with the introduction of Win11 protected printing mode. Apple and Adobe used to be famous
Re: (Score:2)
Oh, carp. Substituting a corrupted driver, not a corrupted kernel. Need coffee . . .
Re: (Score:2)
So, what you're saying is that long-standing vulnerabilities exist and have been overlooked on both platforms. You're just saying it angrily as if that makes another point?
Re: (Score:2)
One word. Heartbleed.
Re: (Score:2)
It means a router has a lot longer lifespan, because -someone- may spend a lot of time maintaining the firmware for it. Having it closed off means the device is e-waste.
Re: (Score:2)
And open source has to go beyond just the operating system. All the chip firmwares need to be open as well. This is currently a huge problem for any embedded Linux. Even the OpenWRT One flagship router has a proprietary blob firmware. Whether this is because of RF regulations I don't know, but it's not acceptable.
In some ways we live in a golden age of open source, but in other ways, things are much, much more closed than they were decades ago.
Open Source everything, and prove it's safe! (Score:2)
There's no real hardship here, just open source the hardware, software, designs, and then spin this around and force the US government to prove there's anything to be concerned about. Secure chains of trust are available, so everything can be validated, signed and audited, so really there is no good argument against doing this, unless you have something to hide! Keep in mind going open source does not mean giving away everything for free, it just means you're being accountable.
Re: (Score:2)
Unless the government's goal is to promote the idea "Chinese! Scary!" In which case every last drop of that effort is a complete waste.
Re: (Score:2)
Yes, but that's a different issue, and if you can show that using the government's baseless methodology, you can probably cause a good amount of change. From TP-Link's side, there isn't a downside to this, they can prove reliability, safety, security and privacy, and shut the government up.
Re: (Score:2)
The Federal government can certainly require open source equipment for Federal Agencies and Federally Funded projects. Probably lean on banks, hospitals, utilities, and other regulated industries to switch over. Consumer goods can be listed as "Not Recommended".
Re: (Score:2)
They should demand open source, as should most companies. If a company is willing to provide the evidence they're above board, and can show verification that what they're showing you is what you're going to get, then there is no downside.
Money would fix the issues (Score:4, Insightful)
I'll bet a "campaign contribution" to Trump would mollify these agencies, and induce them to drop their warnings. And I get it: this is how it works, now. But it also means the agencies have zero effectiveness; they're useless until we get a better executive.
Re: (Score:3)
I'm not convinced federal agencies will ever be effective in any way ever again. Even if by some miracle after all the anti-election machinations by the GOP a democrat does get into office, the damage to these agencies is permanent. A new president would essentially have to do his own complete purge, which of course the GOP would loudly claim, with absolutely no sense of irony or hypocrisy, was unconstitutional and worthy of impeachment, and fight tooth and nail in the courts. And even if a democrat pur
Re: (Score:2)
This is what started happening in Peru, now their government is one of the least effective and most corrupt on the planet.
Re: (Score:2)
The agencies are useless now because of something you suspect may happen in the future?
If China is the threat apply the same rules to all (Score:1)
Only allow manufacturers to ship "China-contaminated" network routers or similar equipment if detailed specifications of the "China-contaminated" parts are published that show nothing hostile is in the device AND there is a feasible method to prove that the "China-contaminated" parts of the hardware match the specifications.
If China is not a threat then leave TP-Link alone.
Re: (Score:2)
Okay, I'll jump on that horn. Hell, go one step further and ban all network hardware manufactured in China. You have my full support.
Re: (Score:2)
Force them to use or support specific third party software? No. Besides, the OpenWRT team doesn't need that kind of help, they've managed just fine without government mandates.
Malicious or not, TP-Link devices have issues (Score:5, Interesting)
Whether it's because of the CCP or just bad software development practices, TP-Link devices of all sorts have been riddled with tons of issues.
[1]https://www.tomsguide.com/comp... [tomsguide.com]
[2]https://thehackernews.com/2025... [thehackernews.com]
(This summary is from ChatGPT)
CVE-2023-33538 – A command-injection vulnerability in models such as TL-WR940N V2/V4, TL-WR841N V8/V10, TL-WR740N V1/V2.
CVE-2023-1389 – A command injection flaw in the Archer AX-21 model that has seen exploit attempts.
CVE-2024-53375 – Authenticated remote-code-execution (RCE) vulnerability in the “HomeShield” feature of some Archer router series.
CVE-2025-9377 – An OS command-injection vulnerability in models “Archer C7(EU) V2” and “TL-WR841N/ND(MS) V9” via the Parental Control page.
CVE-2025-25427 – A stored XSS (cross-site scripting) vulnerability in UPnP page of WR841N v14/v14.6/v14.8.
CVE-2025-9961 – Authenticated RCE via CWMP binary, affecting AX10 & AX1500 series, exploitable only via MITM (Man-in-the-Middle).
At some point, it makes sense to ban these on the grounds that they pose a security risk regardless of whether that risk is from malicious intent or just terrible software engineering practices.
[1] https://www.tomsguide.com/computing/online-security/these-three-tp-link-routers-are-being-targeted-by-hackers-heres-what-to-know
[2] https://thehackernews.com/2025/06/tp-link-router-flaw-cve-2023-33538.html
OpenWRT (Score:5, Interesting)
Assuming those exploits target the software and not the hardware, then installing OpenWRT would fix them.
Re: OpenWRT (Score:3)
Yep! If they really want to increase security, a relatively tiny yearly fund for OpenWRT security red/blue teaming would help homes, businesses and I bet lots of military too.
Re: (Score:2)
Except OpenWRT is not supported on a lot of modern (AX) TP-Link devices.
Re: (Score:2)
Very big assumption. I'm even skeptical with companies like Ubiquiti on their routers given how much responsibility they have contracted out.
Re:Malicious or not, TP-Link devices have issues (Score:5, Insightful)
Try that same investigative path on ANY router manufacturer.
[1]https://www.asus.com/security-... [asus.com]
[2]https://www.cisa.gov/known-exp... [cisa.gov]
The question is whether TP-Link stuff is an outlier in terms of vulnerabilities, and a cursory search says it depends who you ask, but it seems like they're at least average.
[1] https://www.asus.com/security-advisory/
[2] https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=d-link&field_date_added_wrapper=all&sort_by=field_date_added&items_per_page=20
Re:Malicious or not, TP-Link devices have issues (Score:5, Informative)
Yeah, about that... Here's a list of Linksys CVEs that are scored 9.0 or above:
CVE-2002-2159, CVE-2008-0228, CVE-2008-1247, CVE-2008-1268, CVE-2008-4594, CVE-2009-3341, CVE-2009-5157, CVE-2010-1573, CVE-2010-2261, CVE-2013-4658, CVE-2017-17411, CVE-2018-17208, CVE-2018-3953, CVE-2018-3954, CVE-2018-3955, CVE-2019-11535, CVE-2019-16340, CVE-2020-35713, CVE-2020-35715, CVE-2022-38555, CVE-2023-46012, CVE-2024-33789, CVE-2024-57223, CVE-2024-57224, CVE-2024-57225, CVE-2024-8408, CVE-2025-34037, CVE-2025-45487, CVE-2025-45488, CVE-2025-45489, CVE-2025-45490, CVE-2025-45491, CVE-2025-4999, CVE-2025-5000, CVE-2025-5441, CVE-2025-5442, CVE-2025-5443, CVE-2025-5444, CVE-2025-5445, CVE-2025-5446, CVE-2025-5447, CVE-2025-6751, CVE-2025-6752, CVE-2025-8816, CVE-2025-8817, CVE-2025-8819, CVE-2025-8820, CVE-2025-8822, CVE-2025-8824, CVE-2025-8826, CVE-2025-8831, CVE-2025-8832, CVE-2025-8833, CVE-2025-9245, CVE-2025-9246, CVE-2025-9247, CVE-2025-9248, CVE-2025-9249, CVE-2025-9250, CVE-2025-9251, CVE-2025-9252, CVE-2025-9253, CVE-2025-9355, CVE-2025-9356, CVE-2025-9357, CVE-2025-9358, CVE-2025-9359, CVE-2025-9360, CVE-2025-9361, CVE-2025-9363, CVE-2025-9392, CVE-2025-9393, CVE-2025-9481, CVE-2025-9482, CVE-2025-9483, CVE-2025-9525, CVE-2025-9526, CVE-2025-9527
Is there anyone else in the consumer/SOHO space you would recommend?
Re: (Score:2)
Ubiquiti firewalls are pretty cheap and run custom OpenWRT. Or a mini PC with pfSense.
Re: (Score:1)
Yeah, I've never trusted TP-link. There's always been something shady about them.