US Government Urges Total Ban of Our Most Popular Wi-Fi Router

A possible ban on TP-Link routers -- one of the most popular router brands in the country -- is gaining momentum, as more than half a dozen federal departments and agencies back the proposal, according to a Washington Post report.

The news first broke in December of last year, when The Wall Street Journal reported that investigators at the Commerce, Defense and Justice departments had all opened probes into the company due to national security risks stemming from its ties to China. Since then, news on the TP-Link front has been relatively quiet.

Now, the proposal has gained interagency approval.

“Commerce officials concluded TP-Link Systems products pose a risk because the US-based company’s products handle sensitive American data and because the officials believe it remains subject to jurisdiction or influence by the Chinese government,” says the Washington Post report.

TP-Link’s ties to the Chinese government are only allegations. The company -- technically called TP-Link Systems -- has strenuously denied to me in the past that it’s a Chinese company.

“As an independent US company, no foreign country or government, including China, has access to or control over the design and production of our products,” a TP-Link spokesperson told CNET.

TP-Link was founded in Shenzhen, China, in 1996 by two brothers, Jeffrey (Jianjun) Chao and Jiaxing Zhao. In Oct. 2024, two months after members of the House Select Committee called for an investigation into TP-Link routers, the company split into two: TP-Link Technologies and TP-Link Systems.

The latter is headquartered in Irvine, CA, and has approximately 500 employees in the US and 11,000 in China, according to the Washington Post report. TP-Link Systems is owned by Jeffrey (Jianjun) Chao and his wife.

“TP-Link’s unusual degree of vulnerabilities and required compliance with [Chinese] law are in and of themselves disconcerting,” the lawmakers wrote in October 2024. “When combined with the [Chinese] government’s common use of [home office] routers like TP-Link to perpetrate extensive cyberattacks in the United States, it becomes significantly alarming.”

The company has become a dominant force in the US router market since the pandemic. According to the Journal report, it grew from 20% of total router sales in 2019 to around 65% this year. TP-Link disputed these numbers to CNET, and a separate analysis from the IT platform Lansweeper found that 12% of home routers currently used in the US are made by TP-Link. More than 300 internet providers issue TP-Link routers to their customers, according to the Wall Street Journal report.

Separately, the Justice Department’s antitrust division is investigating whether TP-Link engaged in predatory pricing tactics by artificially lowering its prices to muscle out competitors.

​​CNET has several TP-Link models on our lists of the best Wi-Fi routers and will monitor this story closely to see if we need to reevaluate those choices.

"We do not sell products below cost. Our pricing is not only above cost but contributes a healthy profit to the business," a TP-Link spokesperson told CNET.

The potential ban has gone through an interagency review and is currently in the hands of the Commerce Department. According to the Washington Post report, sources familiar with the details of the ban said the Trump Administration’s ongoing negotiations with China have made the chances of a ban less likely in the near future.

“Any concerns the government may have about TP-Link are fully resolvable by a common-sense mix of measures like onshoring development functions, investing in cybersecurity, and being transparent,” the spokesperson said. “TP-Link will continue to work with the US Department of Commerce to ensure we understand and can respond to any concerns the government has.”

I wrote a few months ago that I wasn’t in any rush to replace my own TP-Link router, and that’s essentially how I still feel today.

When the news first broke last December, I asked four cybersecurity experts whether they would still use a TP-Link router. One gave a strong “no.” Another said there is “risk for a consumer.” And two declined to answer the question directly.

Itay Cohen was one of the authors of a 2023 report that identified a firmware implant in TP-Link routers linked to a Chinese state-sponsored hacking group. He told me in a previous interview that similar implants have been found on other router brands manufactured all over the world.

“I don’t think there’s enough public evidence to support avoiding routers from China outright,” Cohen said. “The vulnerabilities and risks associated with routers are largely systemic and apply to a wide range of brands, including those manufactured in the US.”

I heard a version of that from every cybersecurity expert I spoke with. TP-Link has security flaws, but so do all routers, and I couldn’t point to any that showed collaboration with the Chinese government specifically.

"We've analyzed an astonishing amount of TP-Link firmware. We find stuff, but we find stuff in everything," said Thomas Pace, CEO of cybersecurity firm NetRise and former security contractor for the Department of Energy.

That said, it’s entirely possible that the government is aware of vulnerabilities that the public is not.

For now, I’m still comfortable using a TP-Link router knowing I follow some basic best practices for network security, but my risk tolerance may be higher than it is for others.

If you’re one of the millions of Americans who uses a TP-Link router, the news of a potential ban might be unnerving.

A Microsoft report from last year found that TP-Link routers have been used in “password spray attacks” since August 2023, which typically occur when the router is using a default password.

Here’s what you can do to protect yourself right now:

Update your login credentials. A shocking amount of router attacks occur because the user never changed the default login credentials set by the router manufacturer. Most routers have an app that lets you update your login credentials, but you can also type your router’s IP address into a URL. These credentials are different from your Wi-Fi name and password, which should also be changed every six months or so. As always with passwords, avoid common words and character combinations, longer passwords are better and don’t reuse passwords from other accounts.

Use a VPN. If you’re worried about prying eyes from the Chinese government or anyone else, the single best thing you can do to ensure your connection remains private is to use a quality VPN. Privacy-minded folks should look for advanced features like obfuscation, Tor over VPN and a double VPN, which uses a second VPN server for an added layer of encryption.

Turn on the firewall and Wi-Fi encryption. These are typically on by default, but now is a good time to make sure they’re activated. This will make it harder for hackers to access the data sent between your router and the devices that connect to it. You can also find these settings by logging into your router from its app or website.

Consider buying a new router. I always recommend buying your own router instead of renting one from your internet service provider. This is mostly a cost-saving measure, but if your ISP uses TP-Link equipment, now might be a good time to switch to another brand. The main thing to look for is WPA3 certification -- the most up-to-date security protocol for routers.

Update your firmware. TP-Link's spokesperson told me last year that customers should regularly check for firmware updates to keep their router secure. "To do this, customers with TP-Link Cloud accounts may simply click the 'Check for Updates' button in their product's firmware menu," the spokesperson said. "All other customers can find the latest firmware on their product's Downloads page on TP-Link.com."