A US House committee on China’s request for a probe into an alleged security threat posed by routers made by Chinese Wi-Fi giant TP-Link Technologies is based on scant evidence and misleadingly singles out just one company among a host of Chinese manufacturers, experts say.
On August 13, John Moolenaar, Chairman of the US House of Representatives Select Committee on the Chinese Communist Party, and Raja Krishnamoorthi, Ranking Member of the Committee, sent a letter to Commerce Secretary Gina Raimondo asking her department to investigate TP-Link. The letter alleges that “open-source information” indicates that TP-Link’s products are a security threat.
The lawmakers ask Raimondo to “investigate TP-Link under its ICTS authorities to determine whether the company poses a national security risk. If it finds that is the case, we request that Commerce use its ICTS authorities to properly mitigate the risk.” The letter lists several open-source resources the lawmakers relied upon to make their allegations.
The lawmakers also assert that vulnerabilities found in TP-Link routers, combined with Chinese laws that require technology providers to coordinate closely with the government, can give China an alarming ability to perpetrate cyberattacks using the devices.
Although the lawmakers do not specify which Chinese laws help boost router threats, they most likely have in mind a 2021 law that requires companies to report vulnerabilities to the Ministry of Industry and Information Technology (MIIT) and bars them from disclosing the flaws to the public.
However, none of the open-source intelligence resources cited in the letter support the lawmakers’ contention that TP-Link routers threaten US security. Moreover, experts say that any valid security qualms over vulnerabilities in TP-Link routers apply equally to all Wi-Fi routers regardless of which company or country manufactures the devices.
Experts further argue that picking one technology product from one Chinese manufacturer distracts from the broader need to tackle the more comprehensive security threats posed by the United States’ heavy reliance on a range of critical technologies developed and manufactured in China.
The open-source evidence is proof of nothing
The main piece of open-source evidence cited by the lawmakers is a report from the Hudson Institute written by former Federal Communications Commissioner Michael O’Rielly, entitled “Chinese Wireless Routers: The Next Entry Point for State-Sponsored Hackers?”
However, the report cites three instances in which security researchers have found vulnerabilities in TP-Link routers that were subsequently patched. O’Rielly himself notes that his “report makes no accusation that TP-Link has done anything wrong. Likewise, there is no evidence to suggest negligence or maliciousness with regard to past vulnerabilities or weaknesses in TP-Link’s security.”
One research report cited by O’Rielly came from Check Point, which discovered that a Chinese state-sponsored APT group it tracks as Camaro Dragon implanted a malicious backdoor called Horse Shell that was tailored for TP-Link routers. Check Point notes that Horse Shell “is a binary compiled for MIPS32 MSB operating system and written in C++. Many embedded devices and routers run MIPS-based operating systems, and TP-Link routers are no different.”
Malware could have just as easily been planted on other brands’ equipment
The author of that report, Itay Cohen, research lead at Check Point, tells CSO that the Chinese threat group could have just as easily implanted the malware on routers from US-based Cisco, which are manufactured in Korea, China, Taiwan, Malaysia, and Singapore, or US-based Netgear, which outsources its router manufacturing to electronics companies in other countries, including China or Taiwan.
“In many cases, the same attackers are using different router vendors,” Cohen says. “There is a chance that in the attack we analyzed, more router vendors were infected in the chain. Even though we found it for TP-Link-specific versions, the code was not written specifically for TP-Link. It was generic enough that it theoretically could have been written as a framework that the attackers deploy on other routers or other vendors.”
In their letter to the Commerce Department, the lawmakers cite additional open-source evidence that “Volt Typhoon and other PRC APT groups can threaten US critical infrastructure in large part because of their ability to compromise SOHO routers like those manufactured by TP-Link.”
The lawmakers back up their statement by saying “that the Department of Justice (DOJ) conducted a court-authorized operation to remove Volt Typhoon malware from hundreds of routers nationwide.” The letter does not mention, however, that the DOJ’s operation was performed on Cisco and NetGear routers, not TP-Link routers.
All routers are vulnerable to threat actors
Experts say the most significant security problem with Wi-Fi routers, particularly those in small offices and homes, is that very few users ever bother to patch them. Over time, this allows the devices to become riddled with easy-to-exploit vulnerabilities.
“Almost all of them, nobody ever patches them,” Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, tells CSO. “You don’t need an implant to get into them. That would be like using a hammer when all you need is a feather to get in. In most cases, you don’t need a secret Chinese backdoor to get in. They’re all readily accessible by anyone who cares to touch it.”
“We see these threat actors infecting vendors that are not specifically Chinese, usually on routers and these edge devices because we rarely update them,” Cohen says. “We don’t even think about updating them. As the years go by, more vulnerabilities are introduced to this product. And since not many people bother to update the version of the routers or IT camera or Alexa or something like that, this is a very easy target for any attacker, Chinese or not.”
Is classified material driving the lawmakers’ concerns?
Despite the absence of evidence that TP-Link routers pose security concerns, some experts maintain that China could nonetheless be covertly leveraging them for espionage or offensive operations. “With TP-Link, there is a legitimate fear because it is a manufacturing company in China,” Jim Coyle, US public sector CTO at Lookout, tells CSO.
“The Ministry of State Security may tell them, ‘Hey, you can’t publish anything on these vulnerabilities because we’re using them.’ And they may not say outright that they’re using them, but in the background, they’re storing these vulnerabilities for use.”
This fear dovetails with the frequently touted theory that emerges whenever US government officials or agencies start targeting specific Chinese or Russian companies or products. This theory holds that evidence of malicious activity is so highly classified that it cannot be made public because valuable intel assets would be exposed.
“Typically, what I’ve seen in the past and how these things roll is that there is a credible source that is identified, whether that is signals intelligence that a particular agency is receiving or seeing in real time of this happening,” Coyle says. “Or they have identified an exploit by attacking a particular TP-Link router for research purposes. It’s safe to assume that when you get hyper-focused on a vendor like this, there is typically a reason behind the scenes for it.”
KnowBe4’s Grimes isn’t buying the idea that evidence against TP-Link is too hot to be made public. “I’ve been hearing it for two decades,” he says. “Same thing. There is never any proof. Ever.”
Would banning TP-Link routers increase security?
Even if there were a covert Chinese initiative to turn TP-Link routers into tools of cyber malfeasance, experts say this specific problem is only a drop in the vast pool of potentially problematic Chinese technology upon which the US and the rest of the world rely.
Grimes says, “I’m not sure why these half-hearted attempts exist. China makes so many of our chips and is involved in many things. If you truly believe China will do this, you would look at every product that China provides, right? And it’d be servers, hard drives, and iPhones. So why pick on this one thing?”
“Most of the stuff you buy on Amazon comes from China,” Coyle says. “Most things that are getting developed, whether electronics, manufacturing, or mechanical processes, come from China. So [will going after TP-Link] solve the problem? No.”
He adds, “We must look hard at data sovereignty and manufacture sovereignty. Do we have a level of trust in products that are being imported? And are we okay with that level of risk?”