Krishnamoorthi, Moolenaar Call for Investigation into Chinese Wi-Fi Routers in U.S. Vulnerable to CCP Hacking & Data Harvesting

August 15, 2024
Press Release

WASHINGTON, D.C. — Ranking Member Raja Krishnamoorthi (D-IL) and Chairman John Moolenaar (R-MI) of the House Select Committee on the Strategic Competition Between the United States and the Chinese Communist Party identified the growing risk posed by Chinese Wi-Fi routers in the United States manufactured by TP-Link Technologies and called on the Department of Commerce to verify this threat and investigate the company.

TP-Link is a company established in the People’s Republic of China (PRC) and is the world’s largest provider of Wi-Fi products, selling over 160 million products annually to more than 170 countries. TP-Link and its affiliates are also a leading Wi-Fi router provider in the United States. Because TP-Link routers are made in the PRC with Chinese technology, there are concerns that state-sponsored hackers may be able to more easily compromise the routers and infiltrate U.S. systems. Moreover, TP-Link is subject to draconian ‘national security’ laws in the PRC and can be forced to hand over sensitive U.S. information by Chinese intelligence officials. Alarmingly, just last year, security researchers found that PRC cyber military forces used TP-Link routers as part of a hacking campaign that targeted government officials in European countries.

In the letter to Secretary of Commerce Gina Raimondo, the lawmakers write, “TP-Link’s unusual degree of vulnerabilities and required compliance with PRC law are in and of themselves disconcerting. When combined with the PRC government’s common use of SOHO [small office/home office] routers like TP-Link to perpetrate extensive cyberattacks in the United States, it becomes significantly alarming.”

Krishnamoorthi and Moolenaar continue, “Given the PRC’s data and national security laws, the proliferation of PRC-made SOHO routers in the United States, and the demonstrated willingness of the PRC government to sponsor hacking attempts against the United States using PRC-affiliated SOHO routers like those made by TP-Link, we request that Commerce verify the threat posed by PRC-affiliated SOHO routers—particularly those offered by the world’s largest manufacturer, TP-Link—and consider using its ICTS [information and communication technology services] authorities to properly mitigate this glaring national security issue.”

Ranking Member Krishnamoorthi and Chairman Moolenaar asked for Secretary Raimondo’s threat assessment and mitigation plan by August 30th.

View the lawmakers’ letter HERE or continue reading below:

------

Dear Secretary Raimondo:

We write to respectfully request that you investigate TP-Link Technologies Co., Ltd. (TP-Link) and its affiliates under the Department of Commerce’s (Commerce) information and communication technology services (ICTS) authorities, pursuant to Executive Order 13873. TP-Link is a technology company based in the People’s Republic of China (PRC) that manufactures Wi-Fi routers, Wi-Fi devices, and mesh WiFi network devices, along with hardware and software components and other products. TP-Link’s products account for a substantial part of the U.S. market for Wi-Fi routers and related devices. Open-source information indicates that the company may represent a serious threat to U.S. ICTS security. We therefore request that Commerce investigate TP-Link under its ICTS authorities to determine whether the company poses a national security risk. If it finds that is the case, we request that Commerce use its ICTS authorities to properly mitigate the risk. 

Ninety-five percent of U.S. adults reported that they used the internet in 2023, with small office/home office (SOHO) routers serving as a principal means for U.S. residents to access the internet. According to industry reports and press releases, as of 2022, TP-Link is the world’s largest provider of Wi-Fi products, selling over 160 million products annually to more than 170 countries, and is a leading SOHO router provider in the United States. TP-Link products are also found on U.S. military bases, with the Army & Air Force Exchange and the Navy Exchange selling these devices to members of the military and their families.

An increasing number of outside researchers and analysts have identified specific concerns about the risks posed by TP-Link. A former Commissioner of the Federal Communications Commission (FCC) recently noted that while “U.S. cybersecurity authorities and analysts have documented vulnerabilities from home equipment vendors across the board [] TP-Link products have had more than their fair share of citations.” In addition, pursuant to the PRC’s increasingly draconian data protectionist and national security-focused legal regime, companies like TP-Link are required to provide data to the PRC government and otherwise comply with the demands of its national security apparatus.

TP-Link’s unusual degree of vulnerabilities and required compliance with PRC law are in and of themselves disconcerting. When combined with the PRC government’s common use of SOHO routers like TP-Link to perpetrate extensive cyberattacks in the United States, it becomes significantly alarming. As Federal Bureau of Investigation (FBI) Director Christopher Wray stated, PRC-sponsored hacking has “reached something closer to a fever pitch” with the PRC “…poised to attack whenever Beijing decides the time is right.” In a hearing before the Select Committee, Director Wray called Volt Typhoon and other PRC Advanced Persistent Threat (APT) groups “the defining threat of our generation,” with the Cybersecurity Infrastructure and Security Agency (CISA) and FBI recently urging manufacturers to implement security designs to guard against breaches in light of the threats posed by groups like Volt Typhoon.

Volt Typhoon and other PRC APT groups are able to threaten U.S. critical infrastructure in large part because of their ability to compromise SOHO routers like those manufactured by TP-Link. Expert analysis last year has shown that these PRC APT groups consistently exploit known vulnerabilities in TP-Link routers in malicious campaigns, including those that had the PRC “target[] government officials in European countries.” In that cyber campaign, the malicious “modified firmware images have been found only on TP-Link routers thus far.” Just months ago, the Department of Justice (DOJ) conducted a court-authorized operation to remove Volt Typhoon malware from hundreds of routers nationwide. As Director Wray put it, Volt Typhoon’s “prepositioning constitutes a potential real-world threat to our physical safety that the FBI is not going to tolerate.”

Given the PRC’s data and national security laws, the proliferation of PRC-made SOHO routers in the United States, and the demonstrated willingness of the PRC government to sponsor hacking campaigns using PRC-affiliated SOHO routers like those made by TP-Link, we request that Commerce verify the threat posed by PRC-affiliated SOHO routers—particularly those offered by the world’s largest manufacturer, TPLink—and consider using its ICTS authorities to properly mitigate this glaring national security issue. Specifically, we request that you respond no later than August 30, 2024, describing (1) your assessment of the national security risks posed by TP-Link SOHO routers, and (2) your assessment of whether ICTS authorities are appropriate to allay any risks.

We thank you for your prompt response and attention to this important matter. Thank you for your work on behalf of the American people.