US Lawmakers Call for Probe into TP-Link Routers Over Cybersecurity Risks

I just bought a tp-link router not long ago.
"A significant concern raised in the letter is TP-Link's compliance with Chinese government regulations. The congressmen noted that companies like TP-Link are required by Chinese law to provide data to the People's Republic of China (PRC) government and comply with its national security demands. This compliance requirement potentially exposes users, including military personnel, to security risks." Well then.
I guess DECO is affected as well? I have two XE75's.
I'm never sure what's more dangerous: hardware of a company known to report to another state actor, or the myriad of hardware models that NOBODY takes care of, e.g. the ones your ISP forces you to use but ultimately 95% of people just use as is until they break.
fantaskarsef:

I'm never sure what's more dangerous: hardware of a company known to report to another state actor, or the myriad of hardware models that NOBODY takes care of, e.g. the ones your ISP forces you to use but ultimately 95% of people just use as is until they break.
Sure, but that doesn't make the problems with TP-Link go away. At least in this case you as the consumer can shop around, and hopefully arrive at a better solution.
AuerX:

Sure, but that doesn't make the problems with TP-Link go away. At least in this case you as the consumer can shop around, and hopefully arrive at a better solution.
Absolutely right about #1. In my ISP's case, I can't even buy and choose my own model since they usually don't "activate" it server side. On the other hand, the supplied models usually don't correspond with the versions a customer can buy, and that makes upgrading firmware tricky as well. But yes, of course that doesn't tackle TP-Link issues. Although I personally think they got reasonable products (had a router and a WLAN-PCIe card in use), with reasonable software for the router as well.
My ISP gave me a Huawei router for no extra charge, and although I took one, I put it away immediately without ever turning it on. I bought an Asus router instead. A router is precisely the kind of hardware where China's national laws come into full effect. Since I don't live in China, I don't see why I should accept having a backdoor built in for the sake of some distant country's law enforcement or intelligence services. I have no idea how much Asus cares about the safety of their routers, but at least no law forces Asus to install security weaknesses on purpose. There might be weaknesses present for other reasons, naturally. The router has got firmware updates a few times, if nothing else. All that being said, since I did put a little bit of money into the Asus router, I reckon it's better in use anyway, even ignoring security concerns.
Well I don't work for the US govt or military or manufacturing companies that would interest China, so not ditching my TPL router any time soon.
Kaarme:

My ISP gave me a Huawei router for no extra charge, and although I took one, I put it away immediately without ever turning it on. I bought an Asus router instead. A router is precisely the kind of hardware where China's national laws come into full effect. Since I don't live in China, I don't see why I should accept having a backdoor built in for the sake of some distant country's law enforcement or intelligence services. I have no idea how much Asus cares about the safety of their routers, but at least no law forces Asus to install security weaknesses on purpose. There might be weaknesses present for other reasons, naturally. The router has got firmware updates a few times, if nothing else. All that being said, since I did put a little bit of money into the Asus router, I reckon it's better in use anyway, even ignoring security concerns.
I generally share your opinion and understand your reasoning. But the question is, do you think Asus has a different firmware for US sales (or the part of the world you reside and where you bought your router), compared to those they sell in China? Just food for thought. When in doubt, install Merlin firmware.
fantaskarsef:

I generally share your opinion and understand your reasoning. But the question is, do you think Asus has a different firmware for US sales (or the part of the world you reside and where you bought your router), compared to those they sell in China? Just food for thought. When in doubt, install Merlin firmware.
I bet they do. It would be bad for marketing otherwise, for a company that sells so many routers all over the world. A backdoor required by the law in China is nothing but a vulnerability bug outside of China.
Kaarme:

I don't see why I should accept having a backdoor built in for the sake of some distant country's law enforcement or intelligence services.
Says all of us for years who don't live in a "five-eyes" country, and have to use software/firmware/hardware from who knows where, with who knows what back-doors built in to report back to who knows who.
Kaarme:

I bet they do. It would be bad for marketing otherwise, for a company that sells so many routers all over the world. A backdoor required by the law in China is nothing but a vulnerability bug outside of China.
What I tried to imply, don't you think the US gov has backdoors in router software? I certainly would not consider it unthinkable. Also, I am not a software engineer to be able to tell if they do or not have different firmwares to start with. But I bet none of us could tell if the versions differ just by language, or also by backdoors implemented in certain fields. To summarize, I do live with the impression that "Five Eyes" has backdoors in software as well, as far as they can force it onto hardware manufacturers, and I do believe that living in the EU, we have US backdoors in software of stuff we buy anyhow. Doesn't make it worse than CN backdoors, but to believe there are none in the firmwares is a bit too optimistic for my taste.
fantaskarsef:

What I tried to imply, don't you think the US gov has backdoors in router software? I certainly would not consider it unthinkable. Also, I am not a software engineer to be able to tell if they do or not have different firmwares to start with. But I bet none of us could tell if the versions differ just by language, or also by backdoors implemented in certain fields. To summarize, I do live with the impression that "Five Eyes" has backdoors in software as well, as far as they can force it onto hardware manufacturers, and I do believe that living in the EU, we have US backdoors in software of stuff we buy anyhow. Doesn't make it worse than CN backdoors, but to believe there are none in the firmwares is a bit too optimistic for my taste.
Wouldn't it be public knowledge if there were? Though that being said, I haven't actually tried to google it. In the end, even if there were, purposefully, I'd still prefer less of them than more of them. Those required by the government can be shoddy, to boot, especially in totalitarian countries, where it's the default setting that no citizen should be allowed to hide anything from the government. At least in the West if such a security hole leads into trouble, any citizen/business can sue the government and win. In totalitarian countries it's unthinkable to even dream of suing the government for any reason, so there's no holding back the requests for backdoors. Asus is from Taiwan, anyway, so the US laws would be meaningless for their products sold in Europe.
Kaarme:

Wouldn't it be public knowledge if there were? Though that being said, I haven't actually tried to google it. In the end, even if there were, purposefully, I'd still prefer less of them than more of them. Those required by the government can be shoddy, to boot, especially in totalitarian countries, where it's the default setting that no citizen should be allowed to hide anything from the government. At least in the West if such a security hole leads into trouble, any citizen/business can sue the government and win. In totalitarian countries it's unthinkable to even dream of suing the government for any reason, so there's no holding back the requests for backdoors. Asus is from Taiwan, anyway, so the US laws would be meaningless for their products sold in Europe.
Well, what is public knowledge worth? Also, do we have definitive proof of any backdoor? If so I might have missed it. Anyway, I can totally get behind your saying, less backdoors is better. And if I'd had to choose, I'd more likely go with 5eyes backdoors than CN's. Even more so, I'd enjoy the EU having some, but even if gov backdoors are a thing, I'm pretty positive the EU is too stupid for that 😀
Pretty sure my BGW320-500 is HUMAX and the BGW320-550 I had prior was Nokia; supposedly they're the same specs, just a different manufacturer. Would like to get my own router, but most routers do not have a fiber cable connected straight to them; it's almost always an Ethernet cable. Everything is a security risk these days, seeing as it's almost always connected to the internet.
Kaarme:

Wouldn't it be public knowledge if there were? Though that being said, I haven't actually tried to google it. In the end, even if there were, purposefully, I'd still prefer less of them than more of them. Those required by the government can be shoddy, to boot, especially in totalitarian countries, where it's the default setting that no citizen should be allowed to hide anything from the government. At least in the West if such a security hole leads into trouble, any citizen/business can sue the government and win. In totalitarian countries it's unthinkable to even dream of suing the government for any reason, so there's no holding back the requests for backdoors. Asus is from Taiwan, anyway, so the US laws would be meaningless for their products sold in Europe.
The US (and Israelis) are world leaders in finding vulnerabilities/exploits, keeping them quiet and using them for their purposes. I wouldn't be surprised if they also have active people in hardware/software companies as well. WannaCry was a vulnerability known and used by the CIA for a good while until it was also found publicly, allowing regular hackers to exploit it. The law in China is that anybody working in China (regardless of which company they work for) who discovers a vulnerability must report it to the Chinese government before they report it to the company they work for. There's a lot of world mega-companies with employees in China. They are now stuck between the Chinese law and an increasingly proactive US government. If these companies pull out of China, they can expect to have their products banned there and lose the cheaper manufacturing costs etc. Later this year, the Biden IT supplier security act comes in which among other things requires the CEO and other senior execs of companies to sign documents which say they are personally responsible for vulnerabilities in their products. This opens them up to personal fines and jail time instead of the current situation where only the company is found guilty and fined. Things are hotting up...
alanm:

Well I don't work for the US govt or military or manufacturing companies that would interest China, so not ditching my TPL router any time soon.
Me neither, most of the things I was involved in during my time working for the UK Mil and US Gov have been published or made into films, so China having access to the gym and dog pics I post on Facebook isn't a great concern to me.
pegasus1:

Me neither, most of the things I was involved in during my time working for the UK Mil and US Gov have been published or made into films, so China having access to the gym and dog pics I post on Facebook isn't a great concern to me.
You should go Oliver North. I'd buy your books 😀
The risk to home users is that once a vulnerability is found and disclosed publicly, as per WannaCry, any hacker can exploit it if companies don't fix their stuff. The vulnerability in your router might allow access to your network. If there's a vulnerability on one of the devices on the network as well, the hacker could steal confidential data, run DDoS, bitcoin mining etc.
fantaskarsef:

You should go Oliver North. I'd buy your books 😀
If only to remember stuff I've done, I've forgotten so much.