Rep. John Moulenaar (R-Mich.) questions a witness during a hearing on Capitol Hill in Washington, Feb. 28, 2023.Alex Brandon/The Associated Press
Two U.S. lawmakers are calling on the Biden administration to investigate China’s TP-Link Technology Co. and its affiliates, arguing that widely used Wi-Fi routers could be used to launch cyber attacks against the United States.
Republican Rep. John Moolenaar and Democrat Rep. Raja Krishnamoorthi, who chair the House Select Committee on China, urged the Commerce Department to investigate in a letter on Tuesday seen by Reuters.
Consumer-focused TP-Link is the world’s largest seller of WiFi routers by unit sales, according to research firm IDC.
In calling for an investigation, US lawmakers cited known vulnerabilities in TP-Link’s firmware and instances in which the company’s routers have been exploited to target government officials in European countries.
“We urge the Department of Commerce to examine the threat posed by China-linked small office/home office routers, particularly those provided by TP-Link, the world’s largest manufacturer,” the letter to Commerce Secretary Gina Raimondo said.
They called it a “clear national security issue.”
The Commerce Department said it would respond to the letter through appropriate channels. The Chinese embassy said it expected authorities to “obtain sufficient evidence when identifying cyber-related incidents, rather than making unfounded speculations and allegations.”
TP-Link, which was founded in China in 1996 by two brothers and is based in Shenzhen, said in a statement that it does not sell router products in the United States and that its routers do not have any cybersecurity vulnerabilities.
The letter reflects growing concerns that the Chinese government could use Chinese-made routers and other equipment to launch cyber attacks against the US government and companies.
The United States and its ally Microsoft last year uncovered a hacking campaign linked to the Chinese government, dubbed Bolt Typhoon, in which attackers hijacked civilian routers to hide subsequent attacks on U.S. critical infrastructure.
However, the majority of the affected routers appear to be from Cisco and Netgear, the Justice Department said in January.
Last year, the US Cybersecurity and Infrastructure Agency said TP-Link routers had vulnerabilities that could be exploited for remote code execution.
Around the same time, US security firm Check Point reported that hackers linked to Chinese state-backed groups had used a malicious TP-Link firmware implant to target European foreign ministry officials.
The Commerce Department has broad authority to ban or restrict transactions between U.S. companies and internet, communications and technology companies of “foreign adversaries” such as China, Russia, Cuba, Iran, North Korea and Venezuela if the products pose a national security risk.
