The router-manufacturer TP-Link, established in China, has roughly 65% of the U.S. market for routers for homes and small businesses. It is also the top choice on Amazon, and powers internet communications for the Defense Department and other federal government agencies.
Investigators at the Commerce, Defense and Justice departments have opened their own probes into the company, and authorities could ban the sale of TP-Link routers in the U.S. next year, according to people familiar with the matter. An office of the Commerce Department has subpoenaed TP-Link, some of the people said.
Action against the company would likely fall to the incoming Trump administration, which has signaled an aggressive approach to China.
An analysis from Microsoft published in October found that a Chinese hacking entity maintains a large network of compromised network devices mostly comprising thousands of TP-Link routers. The network has been used by numerous Chinese actors to launch cyberattacks. These actors have gone after Western targets including think tanks, government organizations, nongovernment organizations and Defense Department suppliers.
TP-Link routers are routinely shipped to customers with security flaws, which the company often fails to address, according to people familiar with the matter. While routers often have bugs, regardless of their manufacturer, TP-Link doesn’t engage with security researchers concerned about them, the people said.
TP-Link sells in the U.S. through a business unit based in California. A spokeswoman for that unit said TP-Link assesses potential security risks and takes action to address known vulnerabilities.
“We welcome any opportunities to engage with the U.S. government to demonstrate that our security practices are fully in line with industry security standards, and to demonstrate our ongoing commitment to the U.S. market, U.S. consumers, and addressing U.S. national security risks,” the spokeswoman said.
Asked to comment about potential actions against TP-Link, Liu Pengyu, a spokesman for the Chinese embassy in Washington, said the U.S. was using the guise of national security to “suppress Chinese companies.” He added that Beijing would “resolutely defend” the lawful rights and interests of Chinese firms.
TP-Link routers don’t appear to be related to China’s alleged breaches of at least eight U.S. telecom firms by a group dubbed Salt Typhoon, some of the people said, but the administration’s probes into the company appear to have picked up momentum in light of those recently discovered intrusions. Anne Neuberger, a top White House official, said in a briefing this month the government was “looking to take action to mitigate risks to the supply chain within the telecommunications sector.”
If its routers are banned from the U.S., it would mark the biggest extraction of Chinese telecom equipment from the country since the Trump administration in 2019 ordered Huawei Technologies ripped out of American infrastructure.
TP-Link’s U.S. growth took off during the pandemic, when people were sent home to work and needed reliable internet. The company climbed from around 20% of the U.S. market for home and small-business routers in 2019 to around 65% this year. It took an additional 5% of the market in just the third quarter of this year, according to industry data. The TP-Link spokeswoman disputed the industry data but said the company’s market share has grown in the U.S.
TP-Link has also joined with more than 300 internet providers in the U.S. to be the router that is mailed to new homes that sign up for their services. Federal contracting documents show TP-Link routers supply everything from NASA to the Defense Department and Drug Enforcement Administration, and the routers are sold at online military exchanges.
The company’s market dominance has been achieved in part through lower prices. Its routers are cheaper than competitors, often by more than half, according to market data.
The Justice Department is investigating whether the price discrepancies violate a federal law that prohibits attempts at monopolies by selling products for less than they cost to make, according to a person familiar with the matter. The TP-Link spokeswoman said the company doesn’t sell products below cost and is committed to compliance with U.S. laws, including antimonopoly laws.
The Biden administration is exploring potential action against TP-Link as part of a response to the spate of recent cyberattacks linked to China. As part of that response, it is also moving to fully purge China Telecom’s U.S. subsidiary from U.S. telecom infrastructure. The Chinese-government-controlled telecom firm is already minimally used in the U.S.
Taiwan, which has broad restrictions on the use of technology from China, has banned TP-Link routers from government and educational facilities. The Indian government, which has also clashed with China, issued a warning this year about TP-Link, saying the routers present a security risk.
U.S. officials haven’t disclosed any evidence that TP-Link is a witting conduit for Chinese state-sponsored cyberattacks.
American router companies have also been linked to major hacks. U.S. investigators have linked some recent intrusions into critical infrastructure, attributed to a Chinese hacking group dubbed Volt Typhoon, to aging routers built by Silicon Valley-based Cisco Systems and Netgear.
Nevertheless, those attacks have underscored the vulnerabilities posed by unpatched routers, which give hackers an easy vector for an attack, and possible additional risks posed by foreign-made routers.
The Defense Department earlier this year opened an investigation into national security vulnerabilities in Chinese routers, according to people familiar with the matter. The House Select Committee on the Chinese Communist Party in August urged the Commerce Secretary to investigate TP-Link because it presents an “unusual degree of vulnerabilities.” The House of Representatives in September passed legislation that called for a study of the national security risks posed by routers with ties to foreign adversaries, which the Senate has yet to act on.
The Commerce Department review is being led by an office created in the first Trump administration, the Office of Information and Communications Technology and Services, which has the power to prohibit companies from designated countries from selling technology to the U.S., based on national security concerns.
In its first action, the office in June barred Russian software company Kaspersky from selling products in the U.S. It would use the same authority to ban TP-Link, if it decides to do so, some of the people said.
Supply-chain security is a systemic problem, experts said. “The U.S. is still playing whack-a-mole against specific companies and threats,” said Alexis Early, a national security lawyer at Jenner & Block.
A TP-Link ban would create upheaval in the router market, which has several U.S. players that have been mostly sidelined by TP-Link’s ascension in recent years.
The company was started in 1996 by brothers Zhao Jianjun and Zhao Jiaxing in Shenzhen. Zhao Jianjun is a graduate of Shanghai Jiao Tong University, where he is also a donor and a board member. The university helps conduct cyber operations and cyber research for the Chinese military, according to research from the Center for Security and Emerging Technology.
As tensions between the U.S. and China have intensified, TP-Link has tried to distance itself from China. In October, it announced its new headquarters would be in California to “solidify its presence in the U.S. market,” according to a statement.
Recently, TP-Link has changed the name of its China entities, one of which is working on more than a half-dozen Chinese-government-run research and development projects, records show.
According to business records, TP-Link co-founder Zhao Jianjun is the chief executive of the California operation and he and his brother still ultimately control all global TP-Link entities.
In a patent dispute that resulted in a verdict against TP-Link in Texas, a U.S. federal judge last year rejected the company’s argument that there was no relationship between the U.S. and China businesses, calling the claim “implausible.” The company is appealing the verdict.
Write to Heather Somerville at heather.somerville@wsj.com, Dustin Volz at dustin.volz@wsj.com and Aruna Viswanatha at aruna.viswanatha@wsj.com
View Full Image
