Routers as “Modern Weapons”: Texas Sues TP-Link Over Alleged State-Sponsored Backdoors
Authorities in Texas have leveled allegations against the network hardware manufacturer TP-Link Systems, asserting that its devices may have served as a conduit for Chinese state-sponsored cyber-adversaries. Attorney General Ken Paxton has initiated a lawsuit, contending that the corporation deceived consumers by pledging robust security and inviolable privacy, while its products were allegedly exploited by entities associated with the Chinese government.
According to Paxton, this litigation represents the inaugural salvo in a series of legal actions slated for this week against enterprises linked to the Chinese Communist Party. This follows previous legal maneuvers in December against television manufacturers Hisense and TCL, whom the prosecution accused of harvesting telemetry regarding user viewing habits and potentially exfiltrating that intelligence to China.
The complaint alleges that TP-Link marketed its routers and ancillary equipment as fortified bastions of privacy, despite firmware vulnerabilities that facilitated attacks within United States territory. The state cites a May 2023 report from Check Point Research, which detailed how the Camaro Dragon group, a threat actor tied to the Chinese state, leveraged weaknesses in TP-Link firmware for its campaigns.
A primary focal point of the state’s argument is the provenance of TP-Link’s components, the majority of which originate in China. State authorities argue that this integration subjects the company to Chinese national security statutes, which mandate that organizations cooperate with intelligence agencies and relinquish data upon request. The Attorney General’s statement emphasizes that such practices constitute a dire threat to national security, potentially enabling clandestine surveillance of Texan citizens.
TP-Link has categorically refuted these allegations, with a spokesperson dismissing the lawsuit as meritless and affirming their intent to contest it in court. The corporation underscores that TP-Link Systems Inc. is an autonomous American entity, with its critical infrastructure situated within the United States. They maintain that the data of American users is sequestered on Amazon Web Services servers and note that the founder and CEO resides in California.
While the U.S. intelligence community has previously articulated apprehensions regarding the potential exploitation of TP-Link hardware for foreign intelligence purposes, some security analysts remain skeptical that a state-level lawsuit can effectuate substantive change. Legal scholars observe that cybersecurity is increasingly being viewed through the prism of consumer protection. Regulators and judicial bodies are beginning to scrutinize not merely the existence of vulnerabilities, but whether a corporation’s proclamations regarding security and product origin align with actual risk profiles—a determination that will prove pivotal in the proceedings against TP-Link.