
Why TP-Link Routers Are a REAL National Security Issue


A few days ago, the federal government announced that they were considering blocking the sale of TP-Link routers in the United States. This would be a big deal, because TP-Link has the majority of the market for home and small business routers — as much as 65% — and it’s unclear who could take up the slack, at least immediately. 

Why block these routers? They turn out to have been at the heart of a number of fairly major security problems, and they are manufactured in mainland China.

So what is a router?

The Internet is an amazing hodge-podge of technologies based on a series of standards called the Internet Protocols. I’m resisting writing 10,000 words on these protocols, but there are two essential things to understand: what we see as the internet grew out of a Department of Defense effort to build a network that would survive major damage — like parts of the network suddenly turning into green glass.

Key to this is that data on the internet is broken up into packets — small blocks of data that are pretty much independent while they are being transmitted, finding their own way from source to destination through a series of “switches,” which is why it’s called a packet-switched network.

The packets find their way based on an Internet address, which is a 32-bit number that’s usually shown as four numbers between 0 and 255, like 127.0.0.1. (That, by the way, is a special address that always refers to the computer you’re currently on. The address is often read as “home,” which leads to geek t-shirts like “There’s no place like 127.0.0.1.”)

The thing is, there are only 2^32=4,294,967,296 32-bit numbers. At the time the internet was being designed, 4.3 billion addresses seemed like far more than enough. Of course, in those halcyon days, they never imagined that everyone would have a computer — or two, or five — along with iPads, phones, and refrigerators on the internet. 

I’m actually describing a specific standard for addresses, commonly referred to as “IPv4.” There is a later standard, called “IPv6,” that uses a 128-bit address. That allows for 2^128=3.403×10³⁸ addresses, enough to provide billions of separate addresses for every star in the universe, but it isn’t widely used.

So a bunch of technological solutions were devised to make up for the limits of IPv4, largely based on schemes that translate a local address to an address for the internet as a whole. One of the keys to this is known as a router, and we’re finally past the expository lump.

When you set up, say, a Wi-Fi network in your home or the coffee shop in which I’m writing this, it has two parts: one is the radio part that transmits the data to and from, e.g., my iPad, and the other is a router that massages the data packets to let them be routed in the internet as a whole.

The thing is, the router is itself a substantial computer, roughly as capable as a common laptop or small desktop computer. It has an operating system and everything — in fact, the operating system is often a version of Linux. If you’re motivated and technical you can even install your own version of Linux on many routers.

A router needs that much computing power because it has to manage its connection to the Internet; its Wi-Fi might be managing 10 or 100 connected devices, and it has to translate the packets back and forth fast enough to provide adequate bandwidth to all those devices.

Here’s where the trouble starts. A router necessarily needs to look at all the data passing back and forth in order to route it to the right place. If that data is encrypted, all it looks at is the addressing information, but it often isn’t encrypted. So a router is a perfect place to spy on whatever is being transmitted. 
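To make the two points above concrete (the address translation a home router does to share one public address, and the fact that the router handles every packet’s addressing information whether or not the payload is encrypted), here is a small Python model added to this article; it is not code from the article or from any router vendor. The private addresses (192.168.1.x), the public address 203.0.113.7 and the port numbers are constructed sample values.

```python
"""Added illustration: a minimal model of the address translation (NAT) a home
router performs.  Many private devices share one public IPv4 address; the
router rewrites the addressing header of each packet and records a mapping so
replies can be sent back to the right device.  The payload is passed through
untouched and is opaque to the router (it may be TLS ciphertext), but the
addressing information is always visible to it."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes  # opaque to the router; possibly encrypted


@dataclass
class NatRouter:
    public_ip: str                              # the one address the ISP assigned
    next_port: int = 40000                      # next public port to hand out
    table: dict = field(default_factory=dict)   # public port -> (private ip, port)
    seen: list = field(default_factory=list)    # addressing info the router observed

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite a LAN packet so it carries the router's public address."""
        key = (pkt.src_ip, pkt.src_port)
        # Reuse the existing mapping if this device/port already has one.
        for pub_port, priv in self.table.items():
            if priv == key:
                break
        else:
            pub_port = self.next_port
            self.next_port += 1
            self.table[pub_port] = key
        # Only the header is needed for routing; payload length is all it knows.
        self.seen.append((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, len(pkt.payload)))
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt: Packet):
        """Map a reply back to the LAN device, or drop it if nothing asked for it."""
        priv = self.table.get(pkt.dst_port)
        if priv is None:
            return None  # unsolicited packet from the internet: no mapping, dropped
        return Packet(pkt.src_ip, pkt.src_port, priv[0], priv[1], pkt.payload)
```

The `seen` list is the point of the security discussion: even when the payload is encrypted, who talked to whom, on which port, and how much, is fully visible to whoever controls the router.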

It gets worse because the router really is a pretty capable computer on its own, and often its only real security features are based on the assumption most people won’t be trying to mess with it.

This is not usually a very good assumption.

The problems with TP-Link routers in particular have been identified in the past. There’s a good article on CNet about the history of it. TP-Link routers have been the source of a number of attacks. (I had Grok list some of the major attacks with explanations here.)  

A number of these attacks have a core vulnerability or group of vulnerabilities: the ability to circumvent what security the router provides to install malicious software and gain unrestricted access to the computer that is at the heart of the router.

The fifth and sixth on that list have something particularly interesting: they are specifically linked to Chinese “threat actors.” One in particular, called “Horse Shell,” was specifically targeting European “foreign affairs entities” — which is a delicate way of saying foreign ministries, diplomats, and think tanks.

The hacking group that perpetrated the Horse Shell attack, called “Camaro Dragon,” is well-known to be connected to the Chinese government.

The thing is, these vulnerabilities in TP-Link routers have been known for a long time. The U.S. government has been reporting these issues since, and the Microsoft report on the vulnerabilities was released in March. Microsoft is, nonetheless, still selling TP-Link routers.

Honestly, computer security is a massive problem all over the U.S. Back in 2015, I wrote about the OPM data compromise, in which very extensive personal data was disclosed for 14 million Americans who applied for security clearances. We don’t know who did it, but we have every reason to believe it was the Chinese government. Apparently, it hasn’t slacked off in its attacks.

Look, this has been a known problem for decades. I was involved in computer security research in graduate school 40 years ago. There are things that can be done to reduce the problem significantly. 

But we don’t do them. They’re expensive, they make developing software more difficult, and they make computers a pain in the a** to use. (Think about what we go through with passwords, login codes in text messages or emails, and authenticator apps.) Microsoft in particular resisted making changes to Windows, which has been peculiarly vulnerable for architectural reasons. But it's by no means just Microsoft, and it’s become a real threat.

Fixing this won’t be a lot of fun.
