The US could be set to ban TP-Link routers

The US government is reportedly considering a ban on TP-Link routers after continued breaches and security flaws associated with the devices.

A report from the Wall Street Journal has revealed the US authorities including the Commerce, Defense, and Justice departments are independently investigating whether the firm poses a national security risk.

The sale of TP-Link routers in the US could be prohibited within the next year, sources familiar with the matter told the WSJ, adding that the Commerce Department had already subpoenaed the firm.

The firm, founded in China, controls approximately 65% of the US market for routers used in households and small businesses, according to the report, with many TP-Link devices also used in federal agencies including the Department of Defense.

The action comes after compromised TP-Link devices were found to have been involved in a series of password spray attacks targeting think tanks, government organizations, NGOs, law firms,and the defense sector’s industrial base.

US agencies have raised their frustration over the company’s purportedly lax attitude towards the security of their devices, telling the WSJ that “TP-Link routers are routinely shipped to customers with security flaws, which the company often fails to address”.

The sources added that although routers are often found with bugs, and this extends beyond solely TP-Link devices, the company has routinely failed to cooperate with security researchers who flag issues linked to their products.

A spokesperson for the TP-Link told the WSJ the firm would continue to engage with the US authorities to show it is committed to the integrity of its devices.

“We welcome any opportunities to engage with the U.S. government to demonstrate that our security practices are fully in line with industry security standards, and to demonstrate our ongoing commitment to the U.S. market, U.S. consumers, and addressing U.S. national security risks,” the spokesperson said.

TP-Link devices linked to password spraying campaign

In October, Microsoft published a report on a Chinese threat actor, tracked as Storm-0940, using a covert network of compromised TP-Link routers to eventually launch password spray attacks.

The network, dubbed CovertNetwork-1658, was used to conduct brute-force attacks on Microsoft 365 accounts, VPNs, and SSH accounts in a bid to steal credentials.

The network was then used to launch widescale password spraying attacks using the stolen credentials. Microsoft said it had observed an average of 8,000 compromised devices “actively engaged in the CovertNetwork-1658 network at any given time”.

Microsoft added that the network was mostly made up of cracked TP-Linke devices, noting about 20% of the huge network could be used to perform password spraying at any moment.

“Any threat actor using the CovertNetwork-1658 infrastructure could conduct password spraying campaigns at a larger scale and greatly increase the likelihood of successful credential compromise and initial access to multiple organizations in a short amount of time.”

The incoming Trump administration will likely be faced with the option to pursue action against the company. If banned, it would constitute the most significant action against a Chinese telecom equipment manufacturer since the Trump administration banned the use of Huawei hardware in US infrastructure.