Texas Sues TP-Link Over China Links and Security Vulnerabilities

TP-Link is facing legal action from the state of Texas for allegedly misleading consumers with "Made in Vietnam" claims despite China-dominated manufacturing and supply chains, and for marketing its devices as secure despite reported firmware vulnerabilities exploited by Chinese state-sponsored actors. The Register: The Lone Star State's Attorney General, Ken Paxton, is filing the lawsuit against California-based TP-Link Systems Inc., which was originally founded in China, accusing it of deceptively marketing its networking devices and alleging that its security practices and China-based affiliations allowed Chinese state-sponsored actors to access devices in the homes of American consumers.

It is understood that this is just the first of several lawsuits that the Office of the Attorney General intends to file this week against "China-aligned companies," as part of a coordinated effort to hold China accountable under Texas law. The lawsuit claims that TP-Link is the dominant player in the US networking and smart home market, controlling 65 percent of the American market for network devices.

It also alleges that TP-Link represents to American consumers that the devices it markets and sells within the US are manufactured in Vietnam, and that consistent with this, the devices it sells in the American market carry a "Made in Vietnam" sticker.

Ooh.

[Moryath]

TP-Link: When you want your home internet to steal your identity and join botnets.

Re:

[fluffernutter]

I have a big house and I need my router to reach to a separate building way on the other side from where the service comes into the house. There was basically two choices for a mesh that would reach far enough. TP-LINK for $500 and Netgear for $900. Are people supposed to suddenly volunteer out of the capitalist system and throw money out, buying the more expensive system for vague accusations that haven't even been proven?

Re:

[F.Ultra]

not to mention that the CVE database is full of lists for Netgear so the facts are that the state of consumer routers are just bad and you have to keep on updating that firmware.

Re:

[sabbede]

What? You could have done that with any pair of APs for well under $500. Hell, a pair of Ubiquiti Nanobeams is $200. You could have done it with Ciscos for $250.

How the hell far from your house is this building?

Re:

[ThumpBzztZoom]

You are assuming he only needed 2. That was never mentioned in the post you responded to.

TP Link has many different mesh routers, at least one model (AX3000) you can get 12 mesh APs for $500.

Re:

[sabbede]

To mesh from one building to another? Yes, I am assuming that requires two. Because he said it cost $500 to mesh, not $500 to buy enough APs to cover his house and the other building.

Re: Ooh.

[fluffernutter]

The set came with 3 access points, which just reach far enough between them for my whole house and double garage and building if they are arranged in a line. Keep in mind that this may not be a long distance, but it's a lot of walls and cement siding and two floors and a basement in the house.

Re:

[sabbede]

Are you meshing two off of one wired, or one off of two wired? I'd hope the latter, or you're throwing away a ton of bandwidth to save on the cost of a cable. I have one AP that covers my house pretty well, but it's mounted about a hundred feet from the gateway, getting PoE from an old HP switch I replaced at an office way back when. Gateway is in the basement, I ran a cable across the ceiling then up a hole to the top of the basement stairwell. But, if your house is laid out so that you'd have to drop

Re:

[fluffernutter]

I don't care about bandwidth. I care about having Internet without spending possibly more than a weekend running cables.

Re:

[sabbede]

Okay. I still think you overpaid though. Why didn't you call me first? And I don't want to hear any excuses like, "I don't have your number", or, "who the hell are you anyway? Just some random a-hole?"
Of course I am, don't waste my time with the obvious!

Re:

[fluffernutter]

This is all Canadian dollars btw

Re:

[ThumpBzztZoom]

You are assuming that was the only thing he needed a mesh router for, which is not the only or most likely possibility. Your assumptions are getting in the way of reality. Both were not warranted, and I would never have assumed either point.

Re:

[sabbede]

Yes, I am assuming that the reason stated was the reason that existed. I don't think that is unreasonable. If you tell me that you bought something for some purpose, I'll feel safe in assuming that's why you bought it. Perhaps I shouldn't, but without reason to do so I will not assume you are lying to me.

Re:

[ThumpBzztZoom]

That would be a good excuse only if you completely ignored the first 5 words of his post:

I have a big house and I need my router to reach to a separate building way on the other side from where the service comes into the house.

What you assumed was unreasonable because you either didn't read the entire sentence or it was above your reading level. Either way, you still made unwarranted and incorrect assumptions.

Re:

[sabbede]

You should take a look at the full thread. He replied and clarified.

Re:

[ThumpBzztZoom]

Yes he replied and clarified you were wrong in your assumption that he only needed 2 point to point.

It's amazing how far you go to defend being wrong.

Re:

[F.Ultra]

I have several TP-Link routers and have had for years, not a single exploit in site. The exploited vulnerabilities that Texas is suing over was fixed long ago and perhaps they should go after Asus instead considering how many exploits their firmware have had quite recently.

Re:

[sabbede]

Maybe they will target Asus next.

What have you been using to scan your home network for exploitable vulnerabilities?

Re:

[F.Ultra]

I have full control of every single byte leaving and entering my network, I also run tons of honey pots to examine devices and so forth.

Re:

[sabbede]

Well, okay, but that doesn't really tell me what you use to do so. How do you have your honeypots setup? I've toyed with the idea myself and would like to hear about your experience. What do you use to control your flow? I run Pfsense with Snort and Pfblocker. Are you using a vulnerability scanner? If so, which? Does Rapid7 have a free version (I'm not paying for a VMS at my house).

Re:

[F.Ultra]

if you can get hold of some enterprise switches (used ones can be found for quite cheap) then you can configure ports on them as sniffer ports, aka all traffic on the entire switch is sent to that port, then you connect that port to an extra port on a machine that runs something like tcpdump or wireshark on a 24x7 basis and store everything to disk in pcap.

Then you can just add some devices and old computers with intentionally bad security to that switch and expose it to the Internet and you have a very bas

Re:

[sabbede]

Oh, so you're basically running a honeypot to catch people searching the internet for low hanging fruit? That's cool and all, but I thought you were using them internally in some way I couldn't entirely fathom (for a home network).

Your setup sounds way more manual than I have time for. I'll just stick with blocking outbound traffic to most nations plus a ton of lists, and running snort on the rest.

Plus, you must burn through drive space like crazy! I'm just thinking about how this conversation we're

Re:

[F.Ultra]

I also use it to test new devices for phone-home or hidden attack scenarios since putting them on a network with juicy targets should make them "reach out".

Re:

[sabbede]

I like it! More trouble than I'll go through without being paid for it, but I like it.

I'm working on building a network traffic monitoring system so I can have nice traffic graphs like I get from Unifi, along with notifications of blocked outbound traffic. That's about the level of detail I'm looking for.

I'm going to wander a bit from the topic now. I recently ran a pentest on my home network (testing a new service), and the open ports on my Vizio TV were baffling. There was a port marked for some

Re:

[F.Ultra]

yeah "smart" devices often have some strange ports open, they should almost always be placed on a highly closed down network.

Looks like grandstanding

[russotto]

Aren't those "Made in " labels Federally regulated by the Federal Trade Commission? If so this lawsuit is going to get dismissed on Federal supremacy grounds.

Re:

[sabbede]

No, but it's likely that TP-Link will also be facing Federal charges. States can have their own laws about this sort of thing without violating supremacy. What they can't do is enforce contradictory laws - Texas can't tell companies that they must label everything "Made in Texas", as that would violate Federal law; but they can say, "your labels have to be truthful".

Oh, if you were thinking about double-jeopardy, that applies to each level of government separately. A State can't try you twice for the

Inspection

[hadleyburg]

There must surely be some solution to this type of problem.

Problem: We purchase a device and we want to be confident that it doesn't function in an unscrupulous manner.

Perhaps the solution would necessitate the internals to be open for inspection, if not for everyone, then at least for a trusted third party. This service would need to be not only at a point of certification, but at any time during the use of the product.

e.g. I have a router made in China (or wherever). I can at any time request an inspectio

Re:

[Anonymous Coward]

There must surely be some solution to this type of problem.

Problem: We purchase a device and we want to be confident that it doesn't function in an unscrupulous manner.

Wikileaks exposed in 2017 that the US spy agencies hijacked Samsung TVs to monitor people, making them appear to be on standby. Yeah, I wouldn't trust US authorities as far as I could spit.

Re:

[sabbede]

What US spy agencies can do to foreign adversaries and what foreign adversaries are doing to us, are very different things.

One would be foolhardy to disregard the difference.

Re:

[whoever57]

The problem is that it's not the current firmware that matters. What matters is the firmware that could be installed in a future update.

TP-Link Gear Is Fine

[SlashbotAgent]

All the accusations toward TP-Link and the best and only evidence that anyone has ever been able to produce is that the firmware is bug ridden crap. Not a single shred of evidence of actual backdoors or surreptitious spying. Lowest budget incompetence, not maliciousness.

I've used a smattering of TP-Link gear -- small switches mostly -- though not the home "routers". The equipment is middling and adequate and the price is unbeatable. I've seen zero attempts at unexpected phoning home or anything suspicious.

If you can find firmware that functions for your application needs, TP-Link is just fine.

Re:

[Bert64]

If you're going to put a backdoor in something, you'd always want deniability so of course you'd make it look like a bug.

In terms of lowest budget, they don't actually have to develop any firmware at all for a lot of devices. There is already open source firmware like OpenWRT which they could ship. This would both save them money and provide a better experience for users.

Re:

[AmiMoJo]

The firmware isn't even that bad, in the scheme of things. About on par with most other vendors.

The only ones that really seem to have above average quality firmware are the ones that use OpenWRT like GL.iNet, and maybe FRITZ!box.

I like GL.iNet myself. Solid hardware, runs their build of OpenWRT which is a bit more friendly but allows you to access to OpenWRT interface if you need to, and they support flashing raw OpenWRT as well. There are some things they don't make though, like powerline adapters and plu

Re:

[sabbede]

Did you know that Ubiquiti APs are OpenWRT based? It blew me away the first time I SSH'd into one.

For years I used whatever home router I could afford and load OpenWRT onto until I was able to deploy a separate firewall and AP.

So, my unsolicited advice is to take an old computer, slap a second NIC in there, and throw PFsense (or something) on it. That way you can save some cash and buy pure APs instead of wifi routers.

Re:

[AmiMoJo]

The problem with Ubiquity is that I'm European and they are American.

They seem like an okay company, but with the way things are going, it seems unwise to rely on anything American.

Re:

[sabbede]

That's just silly. Especially if you're comparing to China. If you're making hardware decisions based on your opinion of another nation's elected leader, you have your priorities well out of order. I'd also suspect you had been misled by someone with an agenda that is not intended to benefit you.

Whatever terrible thing you imagine the US might do, China is already doing it, and the US probably isn't even thinking about it.

Re:

[AmiMoJo]

The issue is the US may take steps to interfere with exported equipment, or the NSA might get involved. Okay, China could do that too in theory, but even if they did, the Chinese government is much less of an issue for us. Historically, in the last 10 years in particular, it's tended to be US companies that lock stuff down, that remove features after you paid for them, that decide to stop supporting open source, that force updates.

Re:

[sabbede]

Wait, is your issue with US companies or the US government? Unlike with China, those are completely different things.

And if you think an unfriendly government is less of an issue than a friendly one, I don't know what to say.

Re:

[thegarbz]

That's just silly. Especially if you're comparing to China.

It's not. China may do some spying, the USA on the other hand have had their tech companies actively interfere with European affairs. China is trying to work with the EU, the USA is actively attacking them economically. Right now the bigger threat is China.

If you're making hardware decisions based on your opinion of another nation's elected leader, you have your priorities well out of order.

The other nation's leader defines the threat profile.

pandering to voters

[ZipNada]

Paxton is running in the upcoming Senate primary against the incumbent, John Cornyn. This is just an attempt to grab attention prior to the vote. The TP gear probably is made in Vietnam even if all the design and tech comes from China. Not much he can do about that but it might get him a sound bite on Fox.

I hope he does win the primary though. He is thoroughly repulsive, and was under investigation for corruption by the DOJ until trump quashed it for him. His wife divorced him for adultery. A much easier candidate to beat in the general election than Cornyn.

Re:

[hdyoung]

I’d be surprised if Texas is ready to dump Paxton. He’s basically a party-line Republican, corruption doesn’t matter to the voters nearly as much as it used to, and adultry is practically a badge of honor nowadays. There was a time when infidelity would quickly destroy a political career. It’s a different era now.

Paxton will get voted out when his shenanigans start costing the local taxpayer too much. Remember Joe “I torture immigrants live on telivision” Arpaio? His

that's cute...

[Jayhawk0123]

The amount of things "Made in the USA" that are "assembled" in the US, and not even from individual pieces, just the last step of assembly, or sometimes simply repackaged... and that's fine... consumers don't need to know about deception from/by US companies... :/

Or the new one replacing "Made In the USA" with "Designed In the USA"

Re: that's cute...

[madbrain]

Works for Apple. "Designed by Apple in California". Not for Texas, though.

haha

[drinkypoo]

TP-Link is facing legal action from the state of Texas for allegedly misleading consumers with "Made in Vietnam" claims despite China-dominated manufacturing and supply chains

Next do Harley-Davidson. Virtually all of the parts are made in China including the engine blocks.