Calls for an investigation into routers from TP-Link highlight the security risk of using compromised hardware as part of a corporate network.
What is the TP-Link controversy?
Concerns that the People’s Republic of China could exploit Chinese-built networking and communications equipment to attack North American businesses and infrastructure are making news again. Two members of the U.S. House of Representatives have asked the Department of Commerce to launch a cybersecurity investigation into networking equipment vendor TP-Link.
The letter from the House subcommittee on the Chinese Communist Party outlines a fear that the Chinese state could embed TP-Link’s home and office routers with backdoors or other malware.
It's a valid concern; this isn’t the first time TP-Link has been called out for security risks, and malicious state actors have used similar tactics before. At the end of 2023, Microsoft and the U.S. government disclosed a hacking campaign called Volt Typhoon that took control of various brands of routers to attack American infrastructure.
We’ll be watching the outcome of these congressional proceedings with interest. In the meantime, we recommend against using TP-Link routers for your Wi-Fi network.
Good quality network hardware costs
TP-Link routers aside, we would recommend against using any low-cost, low-quality components in your network. Good network security is a holistic system. As with any system, low-quality components jeopardize the whole structure.
Would you spend $10M upgrading your equipment, only to protect it with a $5 lock from a "big box" store on the front door? That makes no sense.
Your network contains information worth millions, if not billions, that people are desperate to steal or hold for ransom. It needs a quality lock, which means quality networking equipment and ongoing investment in maintenance and security.
As networking professionals, we must teach others to regard security as more than just the cost of protecting corporate data. It’s a cost centre, sure, but it does deliver value.
3 things your network security should provide
Properly designed network security also acts like:
- Insurance: hedging your bets against future costs,
- Preventative maintenance: catching issues before they cause problems,
- Janitorial services: keeping the network clean.
The daily cost of network security functions like insurance premiums. Pay now for protection later.
Preventative maintenance has a similar value proposition. If you think in terms of vehicle maintenance, owners opt to change the oil regularly because the alternative (breakdown) is more expensive.
We pay janitorial companies to clean the office because the alternative is working in filth. Digital garbage is not nearly as visible as overflowing trash bins, but it's there, hidden inside network configurations and in the packets crossing the network. Network security can also be thought of as cleaning up that digital garbage.
If your network foundation is stable and secure, you can ignore it and focus on your business.
Compromised hardware can't protect sensitive data
Whether you’re protecting IP or securing sensitive personal data, the overall safety of your network is only as good as your weakest link. Your team may have all kinds of security precautions in place, but if you are using compromised hardware, you are still vulnerable.
The fear that Chinese-made routers may be compromised is a valid concern. The FBI considers China-backed hacking “the defining threat of our generation.”
There are many examples in the IT world of hardware with unnoticed security flaws. Android TV streaming boxes and smart TVs had a few memorable instances. In the late 90s, Lotus Notes was backdoored by the U.S. government. The Swedish government, which was using Notes to communicate sensitive data, was not amused.
Speaking at a U.S. House of Representatives committee hearing in January 2024, FBI director Christopher Wray described the activity of a China-backed hacking group as “the defining threat of our generation.” He said China is positioning itself to strike American infrastructure.
How to Build Security into Your Network
Based on the activities of Volt Typhoon infiltrating home and small office routers, the FBI and CISA in January updated their guidance to manufacturers of routers. Producers are urged to build security into the design, development, and maintenance phases to eliminate the path these threat actors have been known to use. Specifically, manufacturers are requested to automate update capabilities and require a manual override to remove security settings.
China is a security threat along two vectors. First, given the country’s rules on data and national security, it is possible that any domestic manufacturer could be compelled to disclose information gathered, inadvertently or maliciously, by its equipment. Second, the Chinese government is widely believed to be supporting “Advanced Persistent Threat groups.” The concern expressed by FBI Director Wray is shared by other high-level law enforcement agencies.
No matter the outcome of the current request for an investigation into TP-Link, it would be a good business practice to stick to reputable equipment manufacturers and current model devices.
Need expert guidance on network security?
InkBridge Networks has been at the forefront of network security for over two decades, tackling complex challenges across various protocols and infrastructures. Our team of seasoned experts has encountered and solved nearly every conceivable network security issue. If you're looking for insights from the architects behind some of the internet's most foundational authentication systems, you can request a quote for network security solutions here.