Wi-fi routers found in Australian homes could be banned in US over China cyber threat

US authorities are considering a ban on China’s TP-Link Technology over national security concerns after its internet routers were linked to cyber attacks, US media reports.

TP-Link claims to be the world’s largest provider of consumer wi-fi networking devices, which are widely used across the United States, Australia and elsewhere.

The Wall Street Journal (WSJ), which first reported the potential ban on TP-Link routers, reported it held roughly 65 per cent of the US market for homes and small businesses.

The US Cybersecurity and Infrastructure Agency last year said TP-Link routers had a vulnerability that could be exploited to execute remote code.

Now the US Commerce, Defence and Justice departments have opened probes into the company, the Wall Street Journal reported, with authorities targeting a ban on the sale of TP-Link routers in the US as early as next year.

The Chinese embassy in Washington told the WSJ that the US was using national security as a guise to “suppress Chinese companies”.

What makes wi-fi routers vulnerable?

The move comes amid mounting concerns in Washington that Beijing could exploit Chinese-origin routers and other equipment in cyber attacks on American governments and businesses.

All devices came with both hardware and software, and software was vulnerable to cyber attacks — especially as technology aged and updates ceased, explained Queensland University of Technology computer scientist Leonie Simpson.

“They could be things that were deliberately put in, but they could just be accidentally not quite right. And you can’t assume that no one will ever find those errors.”

Ausma Bernot, a surveillance researcher at Griffith University, told the ABC that TP-Link’s products “do have a large number of vulnerabilities found across a range of the company’s products”.

“The National Vulnerability Database reports 396 vulnerabilities,” she said.

“Out of these 396 vulnerabilities, two of them have been reported as previously exploited by bad actors.”

But she added that NetGear, a US-based home networking company and a TP-Link rival, had 1,254 vulnerabilities, eight of which had been exploited.

She said the reason TP-Link was being scrutinised was because of previous attacks by Chinese state-sponsored actors using vulnerabilities found in routers — and a lack of commitment from the TP-Link company to patch those vulnerabilities.

A US-based spokesperson for TP-Link told the WSJ it welcomed “any opportunities to engage with the US government to demonstrate that our security practices are fully in line with industry security standards”.

The US, its allies and Microsoft last year disclosed a Chinese government-linked hacking campaign dubbed Volt Typhoon.

By taking control of privately owned routers, the attackers sought to hide subsequent attacks on American critical infrastructure.

Will the US move work?

CyberCX chief strategy officer Alastair MacGibbon said banning TP-Link devices was “a necessary step to consider” for the US and Australia.

There were alternative routers made in South Korea, Taiwan, the US and Vietnam that could be used in place of those from China, he said.

Shares of TP-Link’s US competitor NetGear jumped more than 12 per cent on Wednesday (US time) following the Wall Street Journal’s report.

But Mr MacGibbon said banning one company’s routers was pointless without a society-wide strategy to protect against “existential” cyber threats — especially those posed by connected devices owned by private citizens.

“If software comes from China, it has to be updated by China — by the manufacturer — it essentially puts the manufacturer in control of that device, even if it’s physically located in some far-flung country like Australia,” he said.

Dr Simpson from QUT said the TP-Link routers were “just one of many insecure products”.

What are the implications for Australia?

Experts said reports of a ban on TP-Link products in the US would have triggered discussions among intelligence officials in Canberra.

“Australia has largely followed bans on Chinese technologies, in particular those that had bans against them recommended by the US,” Griffith’s Dr Bernot said.

In 2018, Australia along with the US banned Huawei equipment from being a part of the nation’s 5G mobile infrastructure over national security concerns.

Last year it was revealed that hundreds of surveillance devices manufactured by Chinese companies Hikvision and Dahua were installed in the offices of Commonwealth government agencies, including the ABC.

They were subsequently removed following similar moves by the US and UK governments.

The Australian Cyber Security Centre told the ABC that: “Vendor choice, including whether to use foreign-produced software, ICT [Information and Communication Technology] equipment, social media and messaging apps is a risk-based decision for individuals and organisations, unless there are specific regulations preventing the use of a specific product.”

TP-Link’s public relations team did not respond to the ABC’s questions regarding its operations in Australia.

Additional reporting by Erin Handley.

ABC/Reuters