The chairman of the ‘Select Committee on the Chinese Communist Party’ John Moolenar, and the ranking member Raja Krishnamoorthi have formally requested the Commerce Department and other agencies to investigate Chinese-made networking devices, particularly those made by TP-Link, regarding the potential cybersecurity risk they pose due to their unusual degree of vulnerabilities and other reasons mentioned in the letter.
The letter mentions that TP-link manufactures multiple Wi-Fi products, including routers, and hence, it is concerning, given the documented vulnerabilities found in its Wi-Fi routers. Furthermore, TP-Link has the largest supply of Wi-Fi products worldwide, and 95% of Americans use SOHO routers as of 2023. It’s also being used in its military bases and by the military members and their families. The letter mentions companies like the ‘Army and Air Force Exchange Service’ and ‘My Navy Exchange,’ which sell products to authorized customers who are active duty military personnel, retirees, reservists, veterans, Department of Defense civilians, and family members.
The other reason, as mentioned in the letter, is the company’s compliance requirement with the Chinese government as per their law. The congressmen said,” Companies like TP-Link are required to provide data to the PRC (People’s Republic of China) government and otherwise comply with the demands of its national security apparatus.”
The letter further emphasizes threats from the Volt Typhoon and other PRC Advanced Persistent Threat (APT) groups. The Commerce Department has the power to restrict or ban certain products that pose a threat, as it did with networking technologies made by companies like ZTC and Huawei.
Security vulnerabilities are not exclusive to a particular company and include products other than networking devices. Multiple companies (including router manufacturers) faced situations where their vulnerabilities were exploited and patched eventually. However, the use of SOHO routers is particularly concerning in this case, given the position military personnel would have and the sensitive information passed on with any of these routers being used as a medium.
The members jointly requested that the investigation be completed by the end of August. Hence, once the investigation is complete, we should receive information from the Department of Commerce and its actions against any potential threat if warranted.