Since the Wall Street Journal’s exclusive report that the US government is considering banning TP-Link routers for security reasons, I’ve received numerous questions from concerned users about the matter.
While I have zero involvement in national security or any insight into the matter, I’ll offer my opinion and observations from a technical point of view. After all, I’ve reviewed many TP-Link routers and networking hardware.
US considers banning TP-Link routers: What’s going on?
Per the WSJ’s report, US authorities have been investigating whether “a Chinese company” was linked to allegedly China-originated cyber attacks and poses ongoing national security risks. They are considering banning its hardware altogether. Specifically, the company is accused of:
- Shipping hardware with security flaws or backdoor access to help Chinese hackers create botnet attacks.
- Selling hardware at a lower price than the manufacturing cost to deliberately flood the US market and grow market share.
Tip
In a nutshell, a botnet attack occurs when a third party manages to control many individual devices around the web and instructs them to send malicious requests/commands to another specific party without the knowledge of each device’s owner. This type of cyber-maleficence doesn’t necessarily affect the device itself.
And TP-Link is the Chinese company in question, though it’s not as simple as that. When asked about this matter, TP-Link Systems Inc. spokesperson sent me this statement:
“As a US-headquartered company, TP-Link Systems Inc.’s security practices are entirely in line with industry security standards in the US. We implement rigorous secure product development and testing processes, and take timely and appropriate action to mitigate known vulnerabilities. Many brands of consumer electronics are targeted by hackers, and we support government efforts to hold all producers to the same standard. We welcome opportunities to engage with the federal government to demonstrate that our security practices are fully in line with industry security standards, and to demonstrate our ongoing commitment to the American market, American consumers, and addressing US national security risks.
TP-Link Systems estimates its total share of the router market has been significantly overestimated in recent coverage. When sales of Amazon devices sold by Amazon and routers sold by internet service providers are taken into account, TP-Link Systems’ market share is far below a majority of household and small business router sales.“
So, the first question is: Is TP-Link a Chinese company?
Is TP-Link a Chinese company?
TP-Link was founded in 1996 in Shenzhen (China) by two brothers, Zhao Jianjun and Zhao Jiaxing. For all intents and purposes, it was definitely a Chinese company at the beginning.
TP-Link first entered the US market in 2008, and by 2019, it held some 20% of the market share in home and SMB networking devices. During this period, it had no issue identifying itself as a Chinese company.
In the past few years, the US portion of TP-Link has aggressively offered low-cost networking hardware. By late 2024, its market share reportedly reached around 65%, with its hardware powering Internet communications in many US federal government agencies, including the Defense Department.
During this time, TP-Link USA has been trying to distance itself from its Chinese roots. In May 2022, TP-Link Corporation was formed and headquartered in California, supposedly separate from TP-LINK Technologies Co., Ltd. in China.
Full disclosure: For a couple of years, TP-Link has repeatedly asked me to stop referring to it as a “Chinese company” in my reviews, where I often put a PSA note regarding online privacy risks in applicable models (of all vendors), such as the one below.
TP-Link and your privacy
Signing in with a vendor-linked online account generally means your hardware connects to the vendor at all times, which translates into inherent privacy risks.
On this matter, the China-origin networking company, among other things, insists that it’s a “global multinational group” and offers this assurance:
“TP-Link takes privacy seriously and complies with U.S. policies to protect consumers.”
TP-Link’s Privacy Policy page.
Managing your home network via a third party is never a good idea. Privacy is a matter of degree. Data collection and handling vary vendor by vendor and region by region.
It’s worth noting that the California-based TP-Link Corporation is still run by Zhao Jianjun, one of the original TP-Link founders. In response to WSJ’s request for comments, the Chinese Embassy in Washington referred to TP-Link as one of the “Chinese companies.”
That said, whether or not TP-Link is a Chinese company is just a matter of semantics. It’s definitely a Chinese entity at heart. It’s comical, if not sad (or suspicious?) when a Chinese company doesn’t want to be known as a Chinese company.
Why is the US concerned?
There are many reasons, but the clearest is that, for years, Zhao Jianjun has been a donor and board member of a university in Shanghai, where he graduated and which, in recent years, has been known to help the Chinese military with its cyber operations and research.
Generally speaking, China is run by a government that’s been at odds with the US in more ways than one. In the cyberworld, whoever controls the flow of informationโyour router or networking hardwareโcan control a lot more than what you see on the screen. More below.
To put it bluntly, the biggest concern is that TP-Link would allow the Chinese government access to its hardware for intelligence gathering or cyberattacks.
Does TP-Link intend to flood the US market?
I simply have no answer to this question, but this much is true: TP-Link tends to make lots of hardware variants for different retail outlets with different price points, which, at times, makes little financial sense.
Let’s take its latest Wi-Fi 7 hardware, for example.
In May 2024, TP-Link released the Archer BE550. At the $250 apiece launch price, it was the least expensive Wi-Fi 7 router at the time. It then also released the Walmart-exclusive Archer BE9300 variant, which costs $50 less and supposedly has only two 2.5Gbps ports (as opposed to five in the BE550). In reality, this variant has the same hardware, just a different model name, and a lower price tag.
Similarly, in August, TP-Link shipped the Archer BE3600 for merely $99 at Walmart. It’s been the least expensive among all Wi-Fi 7 routers by far. It’s an identical variant of the standard Archer BE230, which costs slightly more on Amazon.
There are many other examples dating back to the beginning of Wi-Fi 6, and it’s safe to say this practice will continue with future hardware.
It seems that TP-Link has consistently made its hardware available first on the market while trying to figure out “excuses” to offer the same already comparatively low-cost hardware at even lower costs wherever possible to fit in all the nooks and crannies of the market. A standard TP-Link model, often carrying a discount by default, generally comes with many cheaper variants made exclusively for Walmart, Best Buy, Costco, etc.
To put things in perspective, the currently least expensive Wi-Fi 7 routers from Netgear and Asus cost more than double the price of their TP-Link counterparts.
To be clear, on this front, nothing is inherently wrong with what TP-Link has done. It’s good for the consumers when companies are competitive. However, if it has done so with the help of the Chinese government, then that’s an unfair competition, which could raise a lot of questions.
Does TP-Link networking hardware contain security flaws or backdoors?
Security flaws (or vulnerabilities) are an issue with routers from all vendors. During my years of testing, TP-Link hardware hasn’t been particularly bad on this front. The company also regularly releases patches via firmware updates.
However, “flaws” can be many things, one of which is the built-in backdoors that allow remote parties to manipulate the hardware. These backdoors can be some code in firmware or an entire piece of hardware added to the circuit board. In the latter case, they are in effect even if you use the router with a third-party firmware, such as DDWRT.
I simply don’t know if TP-Link hardware purposely has backdoors. However, in most cases, the company doesn’t need backdoors since it can control the hardware via the front door.
Indeed, a large portion of TP-Link routers, including the entire Deco lineup, require users to log in via an account with TP-Link before they can use the products. Other lineups, such as the Archer routers or Omada ecosystem, have vendor-connected remote access and management as an optional bonus.
When you opt to let your hardware be connected to TP-Link via an online account, you effectively give TP-Link unrestricted access. It’s not about what the company can do with the device but what it intends to do. And intention is a matter of faith.
To be fair, many other networking vendors have similar practices, such as Amazon’s eero or Netgear’s Orbi. The difference is that, in this case, their intention is clear: they want to collect the users’ usage data so that they can make more money. It’s about profit.
TP-Link, on the other hand, hasn’t shown much interest in making money, considering it tends to sell hardware at very low costs, as mentioned above.
Should you be worried?
If you’re not using a TP-Link router (or any Internet-connected device), none of these concerns you. But even if you have one among many TP-Link products, chances are nothing will affect you personally.
Suppose the US government’s concern is valid. In that case, the issue here is that your router, together with many other TP-Link devices, can be used by a third party to orchestrate botnet cyberattacks at a moment’s notice on a third party, such as a government agency. This is far beyond the simple worry of having somebody prying on your internet activities or your general privacy.
As of now, it’s impossible to know if the ban will take place. But if so, chances are your current router will still work. It might just no longer be able to ping home, which is a good thing.
Full disclosure: I use many TP-Link products for personal and business reasons and will keep using them. I’ll also keep reviewing TP-Link routers and, for now, will not take this development into the rating.
But if you’re concerned, keep in mind that TP-Link is simply one of many options. The Deco, for example, is only one of the five most popular canned mesh systems on the market. And it’s not the best, all things considered.
Top 5 most popular canned mesh approaches
Name | Asus AiMesh’s Rating | Linksys Velop Smart Wi-Fi’s Rating | TP-Link Deco’s Rating | Netgear Orbi’s Rating | Amazon eero’s Rating |
---|---|---|---|---|---|
Price | – | – | – | – | – |
Rating | |||||
Description | |||||
Statistics | |||||
Buy this product |
The takeaway
There you go. That’s all there is on the surface as to why the US is considering banning TP-Link routers. I’ll update this post if I find out more.
It’s worth noting that if this router ban does take place, it only means that the US is catching up with China on this front. For years, the Chinese government has banned or restricted many US businesses in China, including Google and all well-known social media networks. Earlier this year, it banned the use of Intel and AMD chips on government computers.
This TP-Link saga may simply be an example of how you get what you pay for. Often, things are cheap for a reason, whatever that might be.
Thanks for this great article. I was looking at maybe getting a TP link as all the Asus Routers I’ve been looking at are a bit pricey for me currently.
“Indeed, a large portion of TP-Link routers, including the entire Deco lineup, require users to log in via an account with TP-Link before they can use the products”
I don’t have that big of an issue with TP-Link and why the US maybe wants to ban them, but I don’t like the sounds of this as I’ve never used a router that required me to login via an account.
๐
I have a tp-Link AX3000 Archer 55. The WSJ report on tp-Link makes me nervous about security. Some commenters suggest staying away from tp-Link. Your article is really helpful.
Can you elaborate on why you are comfortable continuing to use your tp-Link wifi router?
If your rationale doesn’t convince me, how can I find a safe replacement?
Thanks.
Generally, Henry, there are ways to block certain traffic if you know what’s going on. But that doesn’t apply to everyone. Also, as somebody who covers the topic, I think I need to be in the thick of it, to a degree. Finally, just to be clear, I didn’t say I used TP-Link routers… If you want alternatives, I’d recommend Ubiquiti, Asus, Synology, Linksys and Netgear, in that order. Good luck!
Thanks Dong, and Happy New Year!
Sure, Henry. Happy New Year!
Interesting list as I’ve always used Asus (whenever I’ve bought a router for myself).
I wanted to ask a question in regard to all the other brands. I have read a couple of articles where you say updates aren’t necessarily a good thing (I did actually think it was), but is there any particular brands that have longer support than others? For example, I’ve gotten really like with my previous two routers having super long support (Asus RT-AC68U and AC86U), and I was just wondering, how do those other brands you listed stack up as far as supporting their models with security/firmware updates for a long while after they’re released?
Also, do either Ubiquiti, Synology, Linksys or Netgear have home routers that support WireGuard VPN client support and/or a feature similar to Asus’ VPN Fusion? From the quick look I had, doesn’t seem like Synology does has Wireguard support. Not sure if Asus is the only one that offers these specific VPN features?
Ubiquiti has more robust feature than Asus, but the interface is quite different and might require some getting used to. You should stick with Asus. As for support and cost, that’s generally case by case and subjective. Nothing lasts forever. Good luck, John!
Best explainer on the issue! My hat is off to you, Mr. Ngo. Looks like TP-Link is after market share at all cost and a combo of backdoor and ubiquity can be detrimental to security… On the other hand, a total band is also a headache to many users.
๐๐คท๐ผโโ๏ธ
It’s always shady as hell when somebody wants to be known as somebody else! And what’s up with the Archer AX50 and Archer AX3000? They are the same thing!
These two are a little different but yes, they are variants of one another, as mentioned.
I have a tp-link wifi extender. It does not work unless it has internet access. I consider this an always-open back door, as the device obviously has the password for the main wi-fi network. This type of device does not need internet access. I hope in future testing of devices you will also make note of which devices ‘call home’. It seems that every device made nowadays must have internet access to function. Even camera systems which are to remain on the local network only cannot be placed on the guest network, if they are administered locally.
Not sure which extender it is, Bob, but that’s generally not how extenders work and I would have pointed that out if I ran into such behaviors during testing. I generally don’t recommend using extenders, by the way.
Thanks for the information. As a current user of a TP-Link Archer AX11000 v1.0, there are definitely some concerns with the security of this router, it may be time to start searching for a non TP-Link router.
That one is quite old, Hopp. I remember its being one of the first Wi-Fi 6 router on the market. ๐
good luckโฆI will try not to let it influence my own selection ๐
heyโฆhave you hit the new clubs yet ?
did you say you went with steel again, donโt recall ?
stock grips for now ?
…sent from iPad
๐ค
Critical thinking > 1. Chinese Govt has there hand in all Chinese businesses. 2. It’s known they have been collecting data and you pointed it out also. 3. You showed the link, while and this happens often they setup an American Base with Corporation. 4. They are not concern with profit.
= Everyone needs to Open their Eyes – IOT devices, etc. Get them on their own subnets and how much is everyones safety worth?
Point taken but putting IoT devices on a subnet doesn’t help in the case they are used for botnet attacks. You need to disconnect them from the Internet.