
I don't understand why people say there are no firmware updates.

Between my house, my parents' house and my girlfriend's parents' house, I have set up 4 different types of TP-Link routers. To my surprise, all of them continue to receive firmware updates years after launch. Most recently last month on some models.

I don't get the hate. They're cheap, they work and they have SOME security features which make them more than adequate for home use.

They're not perfect, but then again, for the price point, what do people expect?



Agreed. Are TP-Link the bastion of advanced security/tech/features and futureproofing? No. But they do what they say they do on the box, and do it reliably which unfortunately is more than you can say for a lot of things these days, no matter the price/payment model.

If you just need a basic ass device for simple non-critical shit without a bunch of proprietary bullshit and dark patterns, it's hard to beat TPLink for the money.

The fact that they still get support/updates long past the typical lifespan of competing devices several times their price point is just icing on the cake.


> But they do what they say they do on the box

fuk no

their spec is overbloated SHT.

I've never seen a router crawl like 300kbps on a 1.2gbps line (simply changing that to a no-name cheap generic one got me 880mbps)

fck I don't even care about backdoors -- even if you put them, just fking at least make them up-to-spec


The "hate" is the same as the backlash to Huawei, which is the suspicion that there's Chinese government-accessible backdoors that can cripple infrastructure.

However, as far as I'm aware none of that has been found yet. And since multiple countries have state-level and state-funded hackers / IT security experts who have the time, budget, and capability to completely dismantle and disassemble these devices (plus enthusiastic hobbyists), you'd think they would have found concrete evidence already. If there was any.

I have faith in "our" capacity to uncover backdoors.


I suspect it's likely because TP-Link tells/is forced to tell the Chinese government about 0days that are still unpatched, which would give them the advantage to conduct large scale espionage and recon before it's fixed.

Very similar to how Microsoft gives the same info about 0days to the NSA to use for the same exact reason.


> I suspect its likely because TP-Link tells/is forced to tell the Chinese government...

I think if we are there, then we should assume all 0days are known by various states before patches are available regardless of whether companies are set up to share that information or not. You don't need to get the company to share that information, just one person in a company, and I don't really see that as being a challenging task for a state to do.

Assuming otherwise seems more risky.


Hence zero-trust, buzzwords aside.

You should absolutely assume breach as part of your company's security policy/trust model.


Then why target TP-Link for actions?

Are they the next biggest vendor after Huawei?


I dunno if they're the next biggest, but they are one of the largest in the consumer space. They've been the best selling networking devices on Amazon for nearly a decade and ISPs use their products when bundling WiFi setups with ISP service (although those are usually centrally managed by the ISPs themselves)


Why take that chance, for some slightly cheaper routers?

I have respect for human creativity, and the limits of public servants. It's not easy to keep constant vigilance against all possible backdoors. Easier to restrict core infra devices from openly hostile areas.


Why take the chance that the food you buy from the grocer may be contaminated? I have respect for human creativity, and the limits of farmers. It's not easy to keep constant vigilance against all sources of contamination. Easier to restrict food to only what you produce yourself.

Glibness aside, there's clearly a continuum to the concept of 'we live in a society', and to how far the monkey brain's tribe extends. But the argument against routers is clearly arising from a biased set of priors, whether fairly or unfairly.


Because it's a strategic issue. The internet is critical infrastructure. While TP-Link might not have contracts with ISPs and datacenters, it doesn't take a lot of imagination to think what damage you could have with 30% of the home / small business routers under your control.

This could range from plausible deniability stuff (like the examples in the article), to targeted investigations / attacks (Bob who works at the Gov Accounting office for Military Spending), all the way to a 100-million unit botnet turning to provide a few days of distraction ("Bad hackers compromised our OTA system. Sorry!") while a certain island is being eminent-domained.

Your food example is not the same. You can't trojan-horse an apple pie, or target an individual customer from the supplier-side (yet). If you decided to poison them, that's pulling the pin from the grenade right now.


> Why take the chance that the food you buy from the grocer may be contaminated?

Food doesn’t have the incentives here, and because the FDA is involved with food production they regularly discover issues and issue recalls etc. Even better, manufacturers can no longer influence food after it enters a distribution center, limiting their ability to hide issues.

Now suppose you deploy a home router with automatic updates, that’s not necessarily malicious but means the device can be under the manufacturer’s control whenever they wish. Saying we haven’t discovered malicious activity is therefore meaningless here.


we know domestic suppliers are complicit with domestic spying. what do we buy? what are the options?


People are living paycheck to paycheck and need to make every eurodollar count.

The Chinese, regardless of how you feel about them, are great at making cheap shit that mostly works.


Because I don't think the chance of getting a compromised router is any greater than any other router. Chance probably higher there's a US government backdoor in other routers.


> which is the suspicion that there's Chinese government-accessible backdoors that can cripple infrastructure.

Which is real rich coming from the US after the Snowden leaks showed Cisco was willingly cooperating with the NSA and planting NSA backdoors in their hardware destined for overseas.

Them wanting to ban TP-Link (and Huawei) has nothing to do with cybersecurity and more to do with "We don't want to allow anyone else to play the same game we are playing."


I didn't realise there was so much TP-Link hate - as consumer networking gear goes I think they're pretty good and trustworthy. Vs. say Tenda or XGFHIU.

(I use mainly Mikrotik at home, but my only AP currently is a TP-link 'extender' (it's 'extending' via ethernet, and the only AP doing so), it's ok.)

Kind of like Anker in batteries and earphones: maybe at some point it was the 'dodgy Chinese brand', but now a solid contender/front-running third-party.

I don't know if there's any connection (no pun intended) but in my head TP-Link kind of took over from D-Link at some point as a sort of low-end Netgear/Asus competitor.


Absolutely. I have an older unmanaged switch that is still getting updates MANY years later. I've been consistently impressed with TP-Link. I even picked up a WiFi 7 router with all this talk of banning them. Just feels like politicians removing players from the market so the companies they can invest in do better since they are the only choice available.


It would be great if someone had compiled some data (with sources) on home routers based on release dates and date of last firmware update received. That could be translated into a “sw sustainability index” for home router vendors which I believe would be useful.


Yeh, I was going to say. My m4R is at least 15 years old and got a firmware update last month


Same here. Running a small fleet of TP-Link gear across three homes. They all get firmware updates regularly.


I just bought a new TP-Link (Omada brand) to replace a (also fairly new) D-Link router that would just stop working every couple of weeks, requiring a reboot.

The performance of my network immediately jumped up.

The D-Link might have a hardware issue (but it’s not worth trying to get them to address it, as it’s intermittent by weeks, and they’ll just gaslight me, if I try), or it could just be crap firmware. A lot of hardware companies treat their firmware teams like shit.

Doesn’t matter. I’m avoiding their routers, in the future. I have had good luck with their switches, though.


I don’t use them anymore, but the TP-Link EAP225v3 remains the lowest latency WiFi access point I have ever used. I occasionally miss them.


Really? I bought an Archer AC1200 at Costco. It was a recent model at the time but received no updates after 1 year.


This may be true, but until when? PRC can demand anytime and have you part of a botnet. Are you comfortable leaving it in their hands?


As someone from Europe, I certainly am at least equally uncomfortable with products from the US. Made in USA to me equals zero concept of privacy protection but plenty state surveillance (CLOUD Act, Cisco having hard coded back doors every two weeks etc.) and recently even lack of rule of law and even threats of annexation of European land and interference in domestic elections.

Sure, China will probably also spy and conduct industrial espionage, just as the US, but they appear to be a rational actor and have never threatened the sovereignty of European countries.


the US has a recent history of extraterritorial law enforcement, both in ally countries (Kim Dotcom, Meng Wanzhou), and non-ally countries (bin Laden). that's the main fear. w.r.t. the US, everybody is at risk, all the time.

if you don't do anything wrong, you won't get into trouble, and out of 8 billion people in the world, only a handful of people get in trouble. the problem is, the definition of trouble can change.


Who can guarantee that the Cisco/UniFi or whatever Made in USA gear won't be a host to a state sanctioned "lawful interception software" politely pushed to many devices with the help of a National Security Letter?


Is this supposed to be some kind of gotcha? Of course this can happen, and not only do I support it but I think they should do it more and use it to get a shot on any criminal or foreign power.

We can do it, but we shouldn’t expose ourselves to the possibility of our opponents doing it. That simple.


Who is "we" in this context?

I'm neither from US nor from China, so I don't belong to either "we". So in my case no hardware is safer unless I design the board and develop the firmware on top of it.

Even then, I'm not sure whether there are hardware vulnerabilities baked in.


I think it’s safe to say that by “We” we can assume it would be your country and its allies.

War and spying has been a thing for a long time now. I think it’s unreasonable to expect countries to not make use of their respective industries and enterprises to get an edge on each other.

The fact is that this kind of hardware is just very good for that, so as a customer, I feel you and I think the best we can do is buy custom hardware and install a custom OS. Like OpenWrt.

But I will not complain about my country doing that, because when I see adversaries doing it, it’s completely reasonable that it also does. In fact, game theory mandates it.


> I think it’s safe to say that by “We” we can assume it would be your country and its allies.

I live in a country which has been spied on for years by its closest "ally". See Crypto AG scandal for more details. So in my case there's no "we".

Yeah, the most realistic trade-off might be installing OpenWRT and some tripwires to see whether anyone is trying to do something nefarious remotely.

In spying, there's no "we".


> In spying, there's no "we".

Sometimes your own government is the most likely to spy on you.

> Yeah, the most realistic trade-off might be installing OpenWRT and some tripwires to see whether anyone is trying to do something nefarious remotely.

I agree with that, but it's beyond the reach of most people.

I think zero trust or low trust within your LAN is also a good idea. So is firewalling ISP supplied routers.
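One way to give the "tripwires" idea above some teeth, as an added example that is not part of any comment in this thread: a small Python tripwire that walks OpenWrt-style `logread` output for successful SSH logins from outside the LAN, and compares a hash of `uci export` against a stored baseline so a quietly opened WAN-facing rule shows up as drift. The log lines and the firewall config below are constructed; the dropbear message shape ("Password auth succeeded for 'root' from IP:port") and the uci export layout are assumptions about the device, not something taken from the thread.

```python
"""Tripwire over OpenWrt-style log lines: flag admin logins that did not
originate from the LAN, and config changes that alter a known baseline."""
import hashlib
import ipaddress
import re
from dataclasses import dataclass

# Assumption: dropbear on OpenWrt logs successful logins in this shape
# (as seen via `logread`). The sample lines are constructed, not captured.
SAMPLE_LOG = """\
Tue Jan  2 10:01:11 2024 authpriv.info dropbear[1842]: Password auth succeeded for 'root' from 192.168.1.20:51234
Tue Jan  2 10:05:42 2024 authpriv.info dropbear[1901]: Pubkey auth succeeded for 'root' with key sha1!! 3a:... from 192.168.1.21:51301
Tue Jan  2 23:17:03 2024 authpriv.info dropbear[2210]: Password auth succeeded for 'root' from 203.0.113.45:40022
Tue Jan  2 23:17:40 2024 authpriv.warn dropbear[2211]: Bad password attempt for 'root' from 198.51.100.7:40100
"""

LOGIN_RE = re.compile(
    r"dropbear\[\d+\]: (?P<method>Password|Pubkey) auth succeeded for "
    r"'(?P<user>[^']+)'.* from (?P<ip>[0-9a-fA-F:.]+):(?P<port>\d+)$"
)


@dataclass(frozen=True)
class Alert:
    kind: str
    detail: str


def flag_remote_logins(log_text, lan_cidrs=("192.168.1.0/24",)):
    """Return an Alert for every successful login whose source is outside the LAN.

    Failed attempts are deliberately ignored: on a WAN-exposed box they are
    constant noise, while a *successful* login from a non-LAN address is the
    event a home tripwire should actually wake you up for.
    """
    lans = [ipaddress.ip_network(c) for c in lan_cidrs]
    alerts = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue
        src = ipaddress.ip_address(m["ip"])
        if not any(src in net for net in lans):
            alerts.append(Alert("remote_admin_login",
                                f"{m['method']} login as {m['user']} from {src}"))
    return alerts


def config_digest(uci_export_text):
    """SHA-256 over a normalized `uci export` dump, so a baseline can be kept
    off-box and compared on a schedule. Blank lines and trailing whitespace are
    dropped so cosmetic differences do not trigger alerts."""
    norm = "\n".join(l.rstrip() for l in uci_export_text.splitlines() if l.strip())
    return hashlib.sha256(norm.encode()).hexdigest()


def check_config(baseline_digest, current_export):
    """Compare the current export against a previously recorded digest."""
    cur = config_digest(current_export)
    if cur != baseline_digest:
        return [Alert("config_drift", f"uci export digest changed to {cur[:12]}...")]
    return []


# Constructed baseline, and a later export in which the WAN-side SSH rule
# was flipped from REJECT to ACCEPT (the kind of change a tripwire should catch).
BASELINE_EXPORT = """\
package firewall
config defaults
    option input 'REJECT'
config rule 'wan_ssh'
    option src 'wan'
    option dest_port '22'
    option target 'REJECT'
"""
DRIFTED_EXPORT = BASELINE_EXPORT.replace("option target 'REJECT'", "option target 'ACCEPT'")


def run_tripwire(log_text=SAMPLE_LOG, baseline=None, current=None):
    """Run both checks and return the combined alert list."""
    baseline = BASELINE_EXPORT if baseline is None else baseline
    current = DRIFTED_EXPORT if current is None else current
    return flag_remote_logins(log_text) + check_config(config_digest(baseline), current)


if __name__ == "__main__":
    for a in run_tripwire():
        print(f"[{a.kind}] {a.detail}")
```

On a real router this would run from cron against `logread` and `uci export` output, with the baseline digest stored somewhere the router itself cannot rewrite; the point of hashing the whole export rather than grepping for one rule is that you do not have to predict which setting an intruder (or a vendor update) will change.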


Thats also fair. I agree.


There are no allies in this world. There are opponents, and opponents who say that they are your allies.


If a government has a backdoor it can be exploited. What if your US made router's backdoor is discovered and abused by a Chinese party? No backdoor can be made to only exclusively be unlocked by its creator.


Compared to it being in the hands of the US, who couped my country and bombed my neighbours?

Definitely.


Yeah, this US-centric view that deems China the "bad guys" is also problematic, because in some parts of the world, like the Middle East, South America, Africa, etc., the US is deemed more evil than China.


I do not know those countries, but in South, South East and East Asia the US is not the threat, it's a potential ally against China. In most of Europe it is an important ally.

Allies do spy on each other, but they are not a threat in the way actual or potential enemies are. The fact that the US spied on Germany, and Britain spied on Belgium, does not really make them threats.


It was an important ally. Europe is currently investing billions in uncoupling its reliance on both Russia (for natural resources) and the US (for defence and natural resources) because neither party can be trusted anymore.


> Europe is currently investing billions in uncoupling its reliance on both Russia (for natural resources) and the US (for defence and natural resources)

Russia, yes.

I do not see any real expectation of Europe not being reliant on the US. See the many discussions here about reliance on US cloud services. Where else are these natural resources to come from? Where is the technology or the money to scale up to what the US has?


1. Canada (2nd largest country in the world after Russia).

2. Internally.

USian hubris won't end well for the US.


Europe is offloading its reliance on Russian LPG just to buy more from the US.


You didn't read the comment that I replied to????

lol, the US didn't just do "spying", read the comment tree first


Can you link to a source where that's demonstrated? If these devices have a backdoor surely both HN hackers and the NSA would have found it by now, right?


> much of the rest of the industry serving this market also sources hardware from China and ships products that are insecure fresh out of the box.


The same is true of any country, including the USA. Australia & the UK have laws to that effect, and the USA backdoored RSA and Juniper off the top of my head.

Unless you run purely open source, your only choice always has been which country had open slather to spy on you. There are no real contenders for open source phones right now, so for most of us guaranteed privacy was never a choice. (I have high hopes for Halium in the future, as I hate this.)

For those of us in East Asia or some country like Iran or Venezuela that the US likes to bomb periodically, China is the least objectionable spy master. Those of us in the West chose the USA, as they were a reliable trusted ally. Then Trump arrived on the scene and made things complicated.

