The US is trying to do to TP-Link what they did to Huawei. Even though, as the article mentions, TP-Link devices have a US-based supply chain and are manufactured in Vietnam. This is literally just the US not allowing China to own any value-added consuming facing products in the US.
I’m not ready to buy into all of the hype, however, the scary thing about such a supply-chain hack is that it could potentially be deep in the firmware or even the hardware itself. I have a couple of TP-Link devices flashed with OpenWRT, but even that wouldn’t necessarily be enough to stop a really dedicated bad actor. If TP-Link or some state actor working with them wanted to, they could certainly still have hidden hardware tweaks that would let them brick the device with a well-crafted packet or the like. Taking it over for some botnet or spying purpose would be harder but not out of the question. Bottom line, if you can’t trust the hardware itself, you can’t trust anything happening on the hardware either.
I think the problem here is that an entirely US based supply chain doesn’t solve this problem, which is the justification being made for potentially banning these devices. We would require a massive overhaul of the electronics manufacturing process to eliminate all chance for these sorts of hypothetical backdoors.
Well, an entirely US supply-chain means that the US gets to potentially backdoor the devices, not China, and that sort of argument does well these days :)
And honestly the “telemetry” that most vendors already send back with our full knowledge is barely a step away from this anyway.
I’m not convinced either way. But do you know how much notoriety would come out of proving a massive malware campaign in a major, worldwide brand!? I have a hard time believing the talented, security-minded people checking these devices out have all missed something, every single time. It would take one proven example to tank the entire brand and then it’s not even a viable malware distributor, much less profitable…
True, but where are you going to find trustworthy hardware? The US is at least as likely to backdoor hardware as China.
I’ve got a TP-Link router, and my main gripe is that it doesn’t do NAT hairpinning, which limits the value of a VPN to my home network.