The U.S. government is considering banning the sale of TP-Link routers starting next year because of the risk they pose to national security. The U.S. Departments of Justice, Commerce, and Defense are investigating the issue. The concern stems from the routers' involvement in a network of hacked SOHO routers used in malware attacks. TP-Link currently has a significant market share in the U.S. for home use and small businesses. For many U.S. internet providers, TP-Link is the default router for home users.
TP-Link’s Involvement in CovertNetwork-1658
In October 2024, Microsoft released a report about intrusion activity it had been tracking since August 2023 that was targeting and successfully stealing credentials from Microsoft customers through password spray attacks. The source of these spray attacks was traced to a network of compromised devices tracked as CovertNetwork-1658. Credentials acquired in these attacks were then used by multiple Chinese threat actors targeting organizations in North America and Europe.
In Microsoft’s own words CovertNetwork-1658 is «a network of compromised small office and home office (SOHO) routers». Most of these compromised routers turn out to be manufactured by TP-Link, a Chinese technology company. Microsoft assesses that a threat actor located in China established and maintains this network and exploits a vulnerability in the routers to gain remote code execution capability.
Microsoft further recommends that organizations protect themselves from possible spray attacks by building credential hygiene and hardening cloud identities. Their report ends with a list of recommendations to reduce the impact of this threat.
The Future of TP-Link Routers in the U.S.
Currently the investigation by the Departments of Defense, Justice, and Commerce is ongoing. Depending on the outcome, these departments could issue a ban on the sale of TP-Link routers in the coming months.
TP-Link SOHO routers are especially popular for home use and in small businesses, where they have a significant market share. Lansweeper data drawn from over 730,000 devices scanned by Fing shows that 12% of home wifi routers found are TP-Link SOHO routers, as well as 2.15% of routers used in businesses.
While it is not uncommon for routers to have vulnerabilities, there are concerns about TP-Link’s unwillingness to work with security researchers in the past. However, a spokesperson of TP-Link’s U.S. subsidiary insists that they are taking action to address known vulnerabilities and address potential security risks.
“We welcome any opportunities to engage with the U.S. government to demonstrate that our security practices are fully in line with industry security standards, and to demonstrate our ongoing commitment to the U.S. market, U.S. consumers, and addressing U.S. national security risks,” a TP-Link spokesperson said.
Find TP-Link Devices in Your Network
We have added a new report to Lansweeper to help you find any TP-Link devices in your network. While reports do not mention any specific vulnerabilities affecting TP-Link routers that you can address, we would advise you to follow Microsoft’s advice to protect yourself against spray attacks.