US Congress representative John Moolenaar (R-MI) and Raja Krishnamoorthi (D-IL) have submitted a letter to Commerce secretary Gina Raimondo calling on the Commerce Department to investigate the potential cybersecurity threat posed by Wi-Fi routers from Chinese company TP-Link Technologies.
The letter claims an “unusual degree of vulnerabilities” had been found within the router designs.
“Open-source information indicates that the company may represent a serious threat to US ICTS [Information and Communication Technologies] security,” the letter reads.
“We therefore request that Commerce investigate TPLink under its ICTS authorities to determine whether the company poses a national security risk.
“If it finds that is the case, we request that Commerce use its ICTS authorities to properly mitigate the risk.”
The Commerce Department said it would respond through the appropriate channels.
Wi-Fi routers as a cybersecurity risk
Internet routers have long been a known security weak point for IT systems, designed to allow devices to connect and communicate through their networks.
If the device lacks robust data-transmission encryption protocols, it can create entry points not only to the internal Wi-Fi system between the computers but – depending on internet and router settings – to the hard drives and files of the computers connected to it.
"A lot of devices are rushed out to the marketplace without having proper security vetting," said Craig Young, a Tripwire security researcher.
"Companies that are making them don’t always have people with security expertise – they don’t always think, 'What if somebody tries to use this by giving it input that we’re not expecting'."
TP-Link in the spotlight
Back in May 2023 researchers at the internet security vendor Check Point identified malicious firmware (that is, software embedded onto a device directly, generally by the manufacturer) designed to infect TP-Link routers among many other models.
It was used by the ‘Camaro Dragon’ group to target European foreign affairs entities, although the firm is unsure who exactly the intended victims were.
“We are unsure how the attackers managed to infect the router devices with their malicious implant,” a blog post detailing the findings by the Check Point team reads.
“It is likely that they gained access to these devices by either scanning them for known vulnerabilities or targeting devices that used default or weak and easily guessable passwords for authentication.”
According to Reuters, TP-Link released a statement in which the company claimed it does not sell any router products in the US, and that its routers have no cybersecurity vulnerabilities.
Given the current political climate between the US and China – especially on topics of technology and cybersecurity – it’s likely the Commerce Department will at least investigate the claims, although it's unclear how the situation will develop as yet.