Give TP-Link a break – No spyware for you (safety, opinion)
TP-Link has been a victim of its success. It is a top player in the Australian and the US home router/mesh market, with an estimated 65-70% market share. A well-orchestrated campaign of Chinese whispers both here and in the US paints it as a Chinese villain intent on breaching Australian and US security.
To distance itself from its Chinese heritage, it established TP-Link Systems Inc. as its western headquarters in the US. It is a 100% standalone entity in shareholdings. Operational aspects, such as workforce, critical research and development, production, marketing, customer service and support, are shared with the US and other regional countries for capacity planning and quality control.
Unlike Netgear, Cisco, Linksys, and other US brands (which outsource to Chinese ODMs), TP-Link develops and manufactures all its products in-house. It claims that is why it can offer good value and support. It also has excellent supply chain control to prevent ‘poisoning upstream’.
TP-Link brands include:
- Archer (SOHO routers)
- Deco (Whole of Home Wi-Fi mesh systems)
- Omada (business networking)
- VIGI (Intelligent Surveillance Solutions)
- Aginet (ISP and managed Wi-Fi)
- Tapo (Smart IoT devices)
- Kasa Smart (US Smart IoT devices)
It claims no affiliation with China-based TP-Link Technologies. Determined critics call this USA-washing, which Chinese companies have successfully used in the past.
“As a company headquartered in the United States, no foreign or domestic government has access to and control over the design and production of our routers and other devices,” TP-Link Systems spokesperson.
Who owns what?
TP-Link Technologies (China 1996) was equally owned (48.75% each) by two founding brothers, Cliff Chao and Jeffrey Chao. Last year, Jeffrey sold his share to Cliff.
TP-Link Systems Inc (USA 2024) is wholly owned by Jeffrey Chao, its CEO, and his wife. They are currently applying to become American citizens.
Analysts have delved deep into the corporate structure and whether it has secret proxy ownership or received funding from the Chinese government. They found it a truly private company.
Whether or not this is USA-washing, the companies are different, and recent products sold in Australia and the US are different. While some are still made in China, its Vietnam factory is ramping up.
Are TP-Link routers riddled with spyware?
There is a global CVE program that records all known router vulnerabilities. In 2024, TP-Link had six vulnerabilities in the same TL-WDR7660 V1.0 Wi-Fi 5 AC1900 router (sold in 2020 in China). The others were for the Kasa KP125M V.1.0.3 smart Wi-Fi energy monitor plug. A firmware update fixed them.
According to CVE (for a recent but undisclosed statistical year), TP-Link has far fewer vulnerabilities than other router brands. Please note that most of these are for Chinese-market products, most of which are not sold here.

TP-Link USA has shown genuine concern about issuing prompt patches. It cannot do much about older Chinese-made routers, especially Wi-Fi 5 AC and earlier. Read Chinese hackers lurking in doorbells – a beat-up.
Why single out TP-Link?
In fact, it has not been singled out or named in the ‘Removing Our Unsecure Technologies to Ensure Reliability and Security Act or the ROUTERS Act H.R.7589’. It has been the victim of ‘throw enough mud and some sticks’.
This bill requires the National Telecommunications and Information Administration (NTIA) to study the national security risks posed by consumer routers and modems and provide the results to Congress. The study must address devices developed or manufactured by persons (i.e., individuals and entities) owned by, controlled by, or subject to the influence of China, Iran, North Korea, or Russia.
How did the Chinese Whispers start?
TP-Link, with its huge market share, will be one of many NTIA investigations. But the net will extend to any brand that assembles in China or uses Chinese-sourced components—and that is most.
According to CSO (Chief Security Officer), a Foundry global publication with the highest integrity, there is no evidence that TP-Link routers are a Chinese Security Threat.
On 13 August 2024, John Moolenaar, Chairman of the US House of Representatives Select Committee on the Chinese Communist Party, sent a letter to Commerce Secretary Gina Raimondo asking her department to investigate TP-Link. The letter alleges that “open-source information” indicates that TP-Link’s products are a security threat. He was concerned that the US military base stores were selling TP-Link to its soldiers for personal use.
Moolenaar relied on a report from the Hudson Institute written by former Federal Communications Commissioner Michael O’Rielly, entitled “Chinese Wireless Routers: The Next Entry Point for State-Sponsored Hackers?”
It cites three instances where Check Point security researchers found vulnerabilities in 2014 TP-Link routers (which were quickly patched).
Check Point’s research showed TP-Link was benign
Check Point’s lead researcher, Itay Cohen, told CSO that malware could have just as easily been surreptitiously implanted in any MIPS32 OS router from US-based Cisco (manufactured in Korea, China, Taiwan, Malaysia, and Singapore), Netgear (China or Taiwan), or Linksys (Foxconn).
O’Rielly notes that the “report makes no accusation that TP-Link has done anything wrong. There is no evidence to suggest negligence or maliciousness about past vulnerabilities or weaknesses in TP-Link’s security.”
Any suggestion that Washington should mandate US-made routers or ban Chinese-made ones is beyond premature.
CSO says that data sovereignty (where user data is stored) is more important. For Australia and the US, it’s Singapore and the USA. Why? Because data stored in China is subject to Articles 37 and 61 of the Chinese Cybersecurity Law:
Article 37: Critical information infrastructure operators that gather or produce personal information or important data during operations within the mainland territory of the People’s Republic of China shall store it within mainland China. Where, due to business requirements, it is truly necessary to provide it outside the mainland, they shall follow the measures jointly formulated by the State cybersecurity and informatisation departments and the relevant departments of the State Council to conduct a security assessment; where laws and administrative regulations provide otherwise, follow those provisions.
Article 61: This ensures data is handed over on demand or confiscation.
CyberShack’s view: Does TP-Link deserve this treatment?
Whatever happened to innocent until proven guilty? TP-Link has addressed Articles 37 and 61 by establishing its Western HQ in the USA. Australia falls under that umbrella. It is not a subsidiary with Chinese control.
TP-Link now manufactures in China, Vietnam, and Brazil. Australian data is stored in Singapore, and US data is stored in the USA. Both are subject to their respective countries’ laws.
The issue is mainly driven by fear of what China could do if it came to war. Geopolitical scare issues are easy to promote.
If you are paranoid, the only ‘safe’ brands are Taiwanese D-Link and ASUS, but even these have some products made in China.
So, after having endured 1000 words of background, you must ask, “Can we trust TP-Link?”
In our opinion, the answer is a definite yes for its Wi-Fi 6, 6E, 7, and other routers moving forward. It services a very valuable home/SOHO niche, providing high-performance networking at prices below Netgear. Kind of like comparing a Hyundai to a BMW.
How to ensure your safety with TP-Link (or any other brand)
If you have any of the Archer or Deco Wi-Fi 6 AX, 6E AXE, or 7 BE range, all you need to do is access it via the TP-Tether app (Archer) or Deco App (Deco mesh) and do three things.
- Check for updated firmware and set it to auto-update.
- Change the Admin password if it is still the default (and it likely won’t be).
- Optionally set up a 2.4GHz IoT VLAN to keep IoT devices off the main network.
If you have a TP-Link ISP-provided modem/router/gateway, the ISP likely sets its Admin password so it can provide remote management and support. They also subject all routers to 3rd party independent security testing.
For Wi-Fi 5 or earlier, which may not cover the whole of your home, consider a new Mesh system from TP-Link, D-Link, Netgear/Orbi, ASUS, or Google.
While these guides are yet to get the 2025 update, they offer good advice:
- Fix Wi-Fi blackspots fast and often at no cost
- Crappy NBN FTTN Modem – here are a few better ones
- TP-Link Archer VX1800v Wi-Fi 6 – the cure for crappy NBN FTTN modem/router
- Seamless whole-of-home Wi-Fi now easy with Wi-Fi 6/6E/7
Disclaimer
CyberShack received no money, goods or favours from TP-Link to influence this post. It comes from several years of observing the brand’s Australian progress and 100% independent product reviews. We would have researched and written a similar post if it were any other respected brand.
Brought to you by CyberShack.com.au