Two U.S. lawmakers are asking the Department of Commerce to investigate giant Wi-Fi router vendor TP-Link and its various affiliates, worried that the Chinese company’s products may threaten the United States’ national security.

“Given the PRC’s [People’s Republic of China] data and national security laws, the proliferation of PRC-made SOHO routers in the United States, and the demonstrated willingness of the PRC government to sponsor hacking campaigns using PRC-affiliated SOHO routers like those made by TP-Link, we request that Commerce verify the threat posed by PRC-affiliated SOHO routers – particularly those offered by the world’s largest manufacturer, TP-Link,” U.S. Representatives John Moolenaar (R-MI) and Raja Krishnamoorthi (D-IL) wrote in a four-page letter this week to Commerce Secretary Gina Raimundo.

Moolenaar is the chair of the House Select Committee on the Strategic Competition Between the United States and the Chinese Communist Party. Krishnamoorthi is the select committee’s ranking member.

TP-Link was founded in 1996 in China, though its current headquarters are in Singapore and California, and has grown to become the world’s largest provider Wi-Fi products, selling more than 160 million products annually to more than 170 countries, the two wrote in a statement announcing the letter.

The company and its affiliates – TP-Link on its website says it has 42 subsidiaries – also are the top Wi-Fi router vendors in the United States, creating what Moolenaar and Krishnamoorthi call in their letter a “glaring national security issue.”

Casting a Wary Eye Toward China

U.S. lawmakers and officials have long been suspicious of technology products from Chinese companies, going so far as banning the use of devices and systems from the likes of Huawei and ZTE. The worry has been that such products built by Chinese companies could come with secret backdoors that could let the Chinese government steal U.S. information or spy on Americans.

With TP-Link, the concern is further heightened by the use of China-backed threat groups using wireless routers and similar devices to infiltrate networks in the United States and elsewhere. They noted security vulnerabilities in some TP-Link devices and the use of the company’s routers in attacks on European government officials.

The FBI in December 2023 disrupted a botnet compromising hundreds of U.S.-based small office and home office (SOHO) routers hijacked by a Volt Typhoon, a state-sponsored Chinese threat group, by using the KV Botnet malware. Most of the compromised routers were made by Cisco and Netgear, but illustrated the use by Volt Typhoon and other China-linked hackers of routers to slip into organizations’ networks.

U.S. Justice Department officials said in statements that Volt Typhoon’s goal in using the KV Botnet campaign was to infiltrate critical infrastructures within the United States.

In February, CISA, the FBI, and other agencies warned that the Volt Typhoon group had already compromised the IT environments of multiple critical infrastructure companies in sectors like communications, water, energy, and transportation and was essentially lying in wait to disrupt operations if a conflict arose between China and the United States.

‘Disconcerting’ Factors

“TP-Link’s unusual degree of vulnerabilities and required compliance with PRC law are in and of themselves disconcerting,” Moolenaar and Krishnamoorthi wrote. “When combined with the PRC government’s common use of SOHO routers like TP-Link to perpetrate extensive cyberattacks in the United States, it becomes significantly alarming.”

They added that because TP-Link’s routers are made in China with technology from the country, there are growing concerns that state-sponsored hackers like Volt Typhoon may have an easier time infiltrating systems in the United States via the routers.

“Moreover, TP-Link is subject to draconian ‘national security’ laws in the PRC and can be forced to hand over sensitive U.S. information by Chinese intelligence officials,” the representatives wrote.

TP-Link told Reuters in a statement that the company does not sell router products in the United States and that its routers do not have security flaws.

Moolenaar and Krishnamoorthi are asking Raimundo to report back by August 30 with her assessment of the national security risks posed by TP-Link SOHO routers and whether the Commerce Department’s information and communication technology services (ICTS) authorities can be used to mitigate any risks.