{"id":147,"date":"2024-09-05T06:00:00","date_gmt":"2024-09-05T06:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=147"},"modified":"2024-09-05T06:00:00","modified_gmt":"2024-09-05T06:00:00","slug":"no-evidence-that-tp-link-routers-are-a-chinese-security-threat","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=147","title":{"rendered":"No evidence that TP-Link routers are a Chinese security threat"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>A US House committee on China\u2019s request for a probe into an alleged security threat posed by routers made by Chinese Wi-Fi giant TP-Link Technologies is based on scant evidence and misleadingly singles out just one company among a host of Chinese manufacturers, experts say.<\/p>\n<p>On August 13, John Moolenaar, Chairman of the US House of Representatives Select Committee on the Chinese Communist Party and Raja Krishnamoorthi, Ranking Member of the Committee, sent <a href=\"https:\/\/selectcommitteeontheccp.house.gov\/sites\/evo-subsites\/selectcommitteeontheccp.house.gov\/files\/evo-media-document\/2024-08-13%20Letter%20to%20Commerce%20re%20TP-Link%20(filed).pdf\">a letter<\/a> to Commerce Secretary Gina Raimondo asking her department to investigate TP-Link. The letter alleges that \u201copen-source information\u201d indicates that TP-Link\u2019s products are a security threat.<\/p>\n<p>The lawmakers ask Raimondo to \u201cinvestigate TP-Link under its ICTS authorities to determine whether the company poses a national security risk. 
If it finds that is the case, we request that Commerce use its ICTS authorities to properly mitigate the risk.\u201d The letter lists several open-source resources the lawmakers relied upon to make their allegations.<\/p>\n<p>The lawmakers also assert that vulnerabilities found in TP-Link routers, combined with Chinese laws that require technology providers to coordinate closely with the government, can give China an alarming ability to perpetrate cyberattacks using the devices.<\/p>\n<p>Although the lawmakers do not specify which Chinese laws help boost router threats, they most likely have in mind a <a href=\"https:\/\/www.chinalawtranslate.com\/en\/product-security-vulnerabilites\/\">2021 law<\/a> that requires companies to report vulnerabilities to the Ministry of Industry and Information Technology (MIIT) and bars them from disclosing the flaws to the public.<\/p>\n<p>However, none of the <a href=\"https:\/\/www.csoonline.com\/article\/567859\/what-is-osint-top-open-source-intelligence-tools.html\">open-source intelligence<\/a> resources cited in the letter support the lawmakers\u2019 contention that TP-Link routers threaten US security. 
Moreover, experts say that any valid security qualms over vulnerabilities in TP-Link routers apply equally to all Wi-Fi routers regardless of which company or country manufactures the devices.<\/p>\n<p>Experts further argue that picking one technology product from one Chinese manufacturer distracts from the broader need to tackle the more comprehensive security threats posed by the United States\u2019 heavy reliance on a range of critical technologies developed and manufactured in China.<\/p>\n<h2 class=\"wp-block-heading\">The open-source evidence is proof of nothing<\/h2>\n<p>The main piece of open-source evidence cited by the lawmakers is a <a href=\"https:\/\/www.hudson.org\/information-technology\/chinese-wireless-routers-next-entry-point-state-sponsored-hackers-michael-orielly\">report<\/a> from the Hudson Institute written by former Federal Communications Commissioner Michael O\u2019Rielly, entitled \u201cChinese Wireless Routers: The Next Entry Point for State-Sponsored Hackers?\u201d<\/p>\n<p>However, the report cites three instances in which security researchers have found vulnerabilities in TP-Link routers that were subsequently patched. O\u2019Rielly himself notes that his \u201creport makes no accusation that TP-Link has done anything wrong. Likewise, there is no evidence to suggest negligence or maliciousness with regard to past vulnerabilities or weaknesses in TP-Link\u2019s security.\u201d<\/p>\n<p>One research <a href=\"https:\/\/research.checkpoint.com\/2023\/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant\/\">report<\/a> cited by O\u2019Rielly came from Check Point, which discovered that a Chinese state-sponsored <a href=\"https:\/\/www.csoonline.com\/article\/548564\/5-signs-youve-been-hit-with-an-apt.html\">APT<\/a> group it tracks as Camaro Dragon implanted a malicious backdoor called Horse Shell that was tailored for TP-Link routers. 
Check Point notes that Horse Shell \u201cis a binary compiled for MIPS32 MSB operating system and written in C++. Many embedded devices and routers run MIPS-based operating systems, and TP-Link routers are no different.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Malware could have just as easily been planted on other brands\u2019 equipment<\/h2>\n<p>The author of that report, Itay Cohen, research lead at Check Point, tells CSO that the Chinese threat group could have just as easily implanted the malware on routers from US-based Cisco, which are manufactured in Korea, China, Taiwan, Malaysia, and Singapore, or US-based Netgear, which outsources its router manufacturing to electronics companies in other countries, including China or Taiwan.<\/p>\n<p>\u201cIn many cases, the same attackers are using different router vendors,\u201d Cohen says. \u201cThere is a chance that in the attack we analyzed, more router vendors were infected in the chain. Even though we found it for TP-Link-specific versions, the code was not written specifically for TP-Link. It was generic enough that it theoretically could have been written as a framework that the attackers deploy on other routers or other vendors.\u201d<\/p>\n<p>In their letter to the Commerce Department, the lawmakers cite additional open-source evidence that \u201cVolt Typhoon and other PRC APT groups can threaten US critical infrastructure in large part because of their ability to compromise SOHO routers like those manufactured by TP-Link.\u201d<\/p>\n<p>The lawmakers back up their statement by saying \u201cthat the Department of Justice (DOJ) conducted a court-authorized operation to remove Volt Typhoon malware from hundreds of routers nationwide.\u201d 
It does not mention, however, that the <a href=\"https:\/\/www.justice.gov\/opa\/pr\/us-government-disrupts-botnet-peoples-republic-china-used-conceal-hacking-critical\">DOJ\u2019s operation<\/a> was performed on Cisco and NetGear routers, not TP-Link routers.<\/p>\n<h2 class=\"wp-block-heading\">All routers are vulnerable to threat actors<\/h2>\n<p>Experts say the most significant security problem with Wi-Fi routers, particularly those in small offices and homes, is that very few users ever bother to patch them. Over time, this allows the devices to become riddled with easy-to-exploit vulnerabilities.<\/p>\n<p>\u201cAlmost all of them, nobody ever patches them,\u201d Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, tells CSO. \u201cYou don\u2019t need an implant to get into them. That would be like using a hammer when all you need is a feather to get in. In most cases, you don\u2019t need a secret Chinese backdoor to get in. They\u2019re all readily accessible by anyone who cares to touch it.\u201d<\/p>\n<p>\u201cWe see these threat actors infecting vendors that are not specifically Chinese, usually on routers and these edge devices because we rarely update them,\u201d Cohen says. \u201cWe don\u2019t even think about updating them. As the years go by, more vulnerabilities are introduced to this product. And since not many people bother to update the version of the routers or IT camera or Alexa or something like that, this is a very easy target for any attacker, Chinese or not.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Is classified material driving the lawmakers\u2019 concerns?<\/h2>\n<p>Despite the absence of evidence that TP-Link routers pose security concerns, some experts maintain that China could nonetheless be covertly leveraging them for espionage or offensive operations. 
\u201cWith TP-Link, there is a legitimate fear because it is a manufacturing company in China,\u201d Jim Coyle, US public sector CTO at Lookout, tells CSO.<\/p>\n<p>\u201cThe Ministry of State Security may tell them, \u2018Hey, you can\u2019t publish anything on these vulnerabilities because we\u2019re using them.\u2019 And they may not say outright that they\u2019re using them, but in the background, they\u2019re storing these vulnerabilities for use.\u201d<\/p>\n<p>This fear dovetails with the frequently touted theory that emerges whenever US government officials or agencies start targeting specific Chinese or Russian companies or products. This theory holds that evidence of malicious activity is so highly classified that it cannot be made public because valuable intel assets would be exposed.<\/p>\n<p>\u201cTypically, what I\u2019ve seen in the past and how these things roll is that there is a credible source that is identified, whether that is signals intelligence that a particular agency is receiving or seeing in real time of this happening,\u201d Coyle says. \u201cOr they have identified an exploit by attacking a particular TP-Link router for research purposes. It\u2019s safe to assume that when you get hyper-focused on a vendor like this, there is typically a reason behind the scenes for it.\u201d<\/p>\n<p>KnowBe4\u2019s Grimes isn\u2019t buying the idea that evidence against TP-Link is too hot to be made public. \u201cI\u2019ve been hearing it for two decades,\u201d he says. \u201cSame thing. There is never any proof. 
Ever.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Would banning TP-Link routers increase security?<\/h2>\n<p>Even if there were a covert Chinese initiative to turn TP-Link routers into tools of cyber malfeasance, experts say this specific problem is only a drop in the vast pool of potentially problematic Chinese technology upon which the US and the rest of the world rely.<\/p>\n<p>Grimes says, \u201cI\u2019m not sure why these half-hearted attempts exist. China makes so many of our chips and is involved in many things. If you truly believe China will do this, you would look at every product that China provides, right? And it\u2019d be servers, hard drives, and iPhones. So why pick on this one thing?\u201d<\/p>\n<p>\u201cMost of the stuff you buy on Amazon comes from China,\u201d Coyle says. \u201cMost things that are getting developed, whether electronics, manufacturing, or mechanical processes, come from China. So [will going after TP-Link] solve the problem? No.\u201d<\/p>\n<p>He adds, \u201cWe must look hard at data sovereignty and manufacture sovereignty. Do we have a level of trust in products that are being imported? And are we okay with that level of risk?\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A US House committee on China\u2019s request for a probe into an alleged security threat posed by routers made by Chinese Wi-Fi giant TP-Link Technologies is based on scant evidence and misleadingly singles out just one company among a host of Chinese manufacturers, experts say. 
On August 13, John Moolenaar, Chairman of the US House [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":140,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-147","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/147"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=147"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/147\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/140"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=147"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=147"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=147"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}