In a letter seen by the news agency Reuters, Republican Representative John Moolenaar and Democratic Representative Raja Krishnamoorthi, who co-chair the House Select Committee on China, have requested the Commerce Department to probe TP-Link and its affiliates.
The lawmakers also reportedly highlighted known vulnerabilities in the firmware used by TP-Link routers and instances of the company’s devices being exploited to target government officials in Europe.
TP-Link was founded in China in 1996 by two brothers and is based in Shenzhen. According to market research firm IDC, the company which offers mostly consumer products is the world’s largest seller of Wi-Fi routers by unit volume.
What the lawmakers said
“…we request that Commerce verify the threat posed by (China-affiliated small office/home office) routers -particularly those offered by the world’s largest manufacturer, TP-Link,” the lawmakers wrote in the letter addressed to Commerce Secretary Gina Raimondo. The lawmakers also called it a “glaring national security issue.”
Replying to the letter, the Commerce Department said it would respond through appropriate channels, the report noted.
Meanwhile, the Chinese Embassy said to Reuters that it hopes US authorities will “have enough evidence when identifying cyber-related incidents, rather than make groundless speculations and allegations.”
US concerns over Chinese routers
The letter highlights growing concerns about Beijing’s potential to use Chinese-made routers and other equipment for cyberattacks against US governments and businesses.
In 2023, the US along with its allies and Microsoft exposed a Chinese government-linked hacking operation called “Volt Typhoon,” where attackers commandeered privately owned routers to mask further attacks on critical US infrastructure. However, in January, the Justice Department noted that most of the affected routers were from Cisco and NetGear.
Last year, the US Cybersecurity and Infrastructure Security Agency (CISA) identified a vulnerability in TP-Link routers that would’ve allowed remote code execution. The US-based security firm Check Point also revealed that a Chinese state-sponsored group used a malicious firmware implant in TP-Link routers to target European foreign affairs officials.
It’s important to note that the Commerce Department has extensive authority to ban or restrict transactions between US companies and internet, telecom, and tech firms from “foreign adversaries” nations like China, Russia, Cuba, Iran, North Korea, and Venezuela if their products pose a national security threat.