Since the Wall Street Journal’s exclusive report that the US government is considering banning TP-Link routers for security reasons, I’ve received numerous questions from concerned users about the matter.
While I have zero involvement in national security or any insight into the matter, I’ll offer my opinion and observations from a technical point of view. After all, I’ve reviewed many TP-Link routers and networking hardware.
US considers banning TP-Link routers: What’s going on?
Per the WSJ’s report, US authorities have been investigating whether “a Chinese company” was linked to allegedly China-originated cyber attacks and poses ongoing national security risks. They are considering banning its hardware altogether. Specifically, the company is accused of:
- Shipping hardware with security flaws or backdoor access to help Chinese hackers create botnet attacks.
- Selling hardware at a lower price than the manufacturing cost to deliberately flood the US market and grow market share.
And TP-Link is the Chinese company in question, though it’s not as simple as that. When asked about this matter, TP-Link Systems Inc. spokesperson sent me this statement:
“As a US-headquartered company, TP-Link Systems Inc.’s security practices are entirely in line with industry security standards in the US. We implement rigorous secure product development and testing processes, and take timely and appropriate action to mitigate known vulnerabilities. Many brands of consumer electronics are targeted by hackers, and we support government efforts to hold all producers to the same standard. We welcome opportunities to engage with the federal government to demonstrate that our security practices are fully in line with industry security standards, and to demonstrate our ongoing commitment to the American market, American consumers, and addressing US national security risks.
TP-Link Systems estimates its total share of the router market has been significantly overestimated in recent coverage. When sales of Amazon devices sold by Amazon and routers sold by internet service providers are taken into account, TP-Link Systems’ market share is far below a majority of household and small business router sales.“
So, the first question is: Is TP-Link a Chinese company?
Is TP-Link a Chinese company?
TP-Link was first started in 1996 in Shenzhen (China) by two brothers, Zhao Jianjun and Zhao Jiaxing. So, it was definitely a Chinese company at the beginning, for all intents and purposes.
In 2008, TP-Link first entered the US market, and by 2019, it held some 20% of the market share in home and SMB networking devices. During this period, it had no issue identifying itself as a Chinese company.
In the past few years, the US portion of TP-Link has aggressively offered low-cost networking hardware, and by late 2024, its market share has reportedly reached around 65%, with its hardware powering Internet communications in many US federal government agencies, including the Defense Department.
During this time, TP-Link USA has been trying to distance itself from its Chinese roots. In May 2022, TP-Link Corporation was formed and headquartered in California, supposedly separate from TP-LINK Technologies Co., Ltd. in China.
Full disclosure: For a couple of years, TP-Link has repeatedly asked me to stop referring to it as a “Chinese company” in my reviews, where I often put a PSA note regarding online privacy risks in certain models, such as the one below.
TP-Link and your privacy
Signing in with a vendor-linked online account generally means your hardware connects to the vendor at all times, which translates into inherent privacy risks.
On this matter, the China-origin networking company, among other things, insists that it’s a “global multinational group” and offers this assurance:
“TP-Link takes privacy seriously and complies with U.S. policies to protect consumers.”
TP-Link’s Privacy Policy page.
Managing your home network via a third party is never a good idea. Privacy is a matter of degree. Data collection and handling vary vendor by vendor and region by region.
It’s worth noting that the California-based TP-Link Corporation is still run by Zhao Jianjun, one of the TP-Link’s founders, and in response to WSJ’s report, the Chinese Embassy in Washington was happy to refer to TP-Link as one of “Chinese companies.”
That said, whether or not TP-Link is a Chinese company is just a matter of semantics. It’s definitely a Chinese entity at heart. It’s comical, if not sad (or suspicious?) when a Chinese company doesn’t want to be known as a Chinese company.
Why is the US concerned?
There are many reasons, but the clearest is that, for years, Zhao Jianjun has been a donor and board member of a university in Shanghai, where he graduated and which, in recent years, has been known to help the Chinese military with its cyber operations and research.
Generally speaking, China is run by a government that’s been at odds with the US in more ways than one. In the cyberworld, whoever controls the flow of information—your router or networking hardware—can control a lot more than what you see on the screen. More below.
To put it bluntly, the biggest concern is TP-Link would allow the Chinese government access to its hardware for intelligence gathering or cyberattacks.
Does TP-Link intend to flood the US market?
I simply have no answer to this question, but this much is true: TP-Link tends to make lots of hardware variants for different retail outlets with different price points, which, at times, makes little financial sense.
Let’s take its latest Wi-Fi 7 hardware, for example.
In May 2024, TP-Link released the Archer BE550. At the $250 launch price, it was the least expensive Wi-Fi 7 router at the time. It then also released the Walmart-exclusive Archer BE9300 variant that costs $50 less, which supposedly has only two 2.5Gbps ports (as opposed to five in the BE550). In reality, this variant has the same hardware but a different model name and a lower price tag.
Similarly, in August, TP-Link shipped the Archer BE3600 for just $99 at Walmart. It’s been the least expensive among all Wi-Fi 7 routers by far. It’s an identical variant of the standard Archer BE230, which costs slightly more on Amazon.
And there are many other examples. It seems that TP-Link has been going out of its way to consistently make its hardware available the first on the market while trying to figure out “excuses” to offer the same already comparatively low-cost hardware at even lower costs. A standard model, often carrying a discount by default, generally comes with many cheaper variants made exclusively for Walmart, Best Buy, Costco, etc.
To put things in perspective, the currently least expensive Wi-Fi 7 routers from Netgear and Asus cost more than double the price of their TP-Link counterparts.
To be clear, on this front, nothing is inherently wrong with what TP-Link has done. It’s good for the consumers when companies are competitive. However, if it has done so with the help of the Chinese government, then that’s an unfair competition and could raise a lot of questions.
Does TP-Link networking hardware contain security flaws or backdoors?
Security flaws (or vulnerabilities) are an issue with routers from all vendors. During my years of testing, TP-Link hardware hasn’t been particularly bad on this front. The company also regularly releases patches via firmware updates.
However, “flaws” can be many things, one of which is the built-in backdoors that allow remote parties to manipulate the hardware. These backdoors can be some code in firmware or an entire piece of hardware added to the circuit board. In the latter case, they are in effect even if you use the router with a third-party firmware, such as DDWRT.
I simply don’t know if TP-Link hardware purposely has backdoors. However, in most cases, the company doesn’t need backdoors since it can control the hardware via the front door.
Indeed, a large portion of TP-Link routers, including the entire Deco lineup, require users to log in via an account with TP-Link before they can use the products. Other lineups, such as the Archer router or Omada ecosystem, have vendor-connected remote access and management as an optional bonus.
When you opt to let your hardware be connected to TP-Link via an online account, you effectively give TP-Link unrestricted access. It’s not about what the company can do with the device but what it intends to do. And intention is a matter of faith.
To be clear, many other networking vendors have similar practices, such as Amazon’s eero or Netgear’s Orbi. The difference is that, in this case, their intention is clear: they want to collect the users’ usage data so that they can make more money. It’s about profit.
TP-Link, on the other hand, hasn’t shown much interest in making money, considering it tends to sell hardware at very low costs, as mentioned above.
Should you be worried?
If you’re not using a TP-Link router (or any Internet-connected device), none of these concerns you. But even if you have one among many TP-Link products, chances are nothing will affect you personally.
Suppose the US government’s concern is valid. In that case, the issue here is that your router, together with many other TP-Link devices, can be used by a third party to orchestrate botnet cyberattacks at a moment’s notice on a third party, such as a government agency. This is far beyond the simple worry of having somebody prying on your internet activities or your general privacy.
As of now, it’s impossible to know if the ban will take place. But if so, chances are your current router will still work. It might just no longer be able to ping home, which is a good thing.
Full disclosure: I use many TP-Link products for personal and business reasons and will keep using them. I’ll also keep reviewing TP-Link routers and, for now, will not take this development into the rating.
But if you’re concerned, keep in mind that TP-Link is simply one of many options. The Deco, for example, is only one of the five most popular canned mesh systems on the market. And it’s not the best, all things considered.
The takeaway
There you go. That’s all there is on the surface as to why the US is considering banning TP-Link routers. I’ll update this post if I find out more.
It’s worth noting that if this router ban does take place, it only means that the US is catching up with China on this front. For years, the Chinese government has banned or restricted many US businesses in China, including Google and all well-known social media networks. Earlier this year, it banned the use of Intel and AMD chips on government computers.
This TP-Link saga may simply be an example of how you get what you pay for. Often, things are cheap for a reason, whatever that might be.
