I don't understand why people say there are no firmware updates.
Between my house, my parents' house and my girlfriend's parents' house, I have set up 4 different types of TP-Link routers. To my surprise, all of them continue to receive firmware updates years after launch. Most recently last month on some models.
I don't get the hate. They're cheap, they work and they have SOME security features which make them more than adequate for home use.
They're not perfect, but then again, for the price point, what do people expect?
Agreed. Are TP-Link the bastion of advanced security/tech/features and futureproofing? No. But they do what they say they do on the box, and do it reliably which unfortunately is more than you can say for a lot of things these days, no matter the price/payment model.
If you just need a basic ass device for simple non-critical shit without a bunch of proprietary bullshit and dark patterns, it's hard to beat TPLink for the money.
The fact that they still get support/updates long past the typical lifespan of competing devices several times their price point is just icing on the cake.
> But they do what they say they do on the box
fuk no
their spec is overbloated SHT.
I've never seen a router crawl like 300kbps on a 1.2gbps line (simply changing that to a no-named cheap generic one got me 880mbps)
fck I don't even care about backdoors -- even if you put them, just fking at least make them up-to-spec
The "hate" is the same as the backlash to Huawei, which is the suspicion that there's Chinese government-accessible backdoors that can cripple infrastructure.
However, as far as I'm aware none of that has been found yet. And since multiple countries have state-level and state-funded hackers / IT security experts who have the time, budget, and capability to completely dismantle and disassemble these devices (plus enthusiastic hobbyists), you'd think they would have found concrete evidence already. If there was any.
I have faith in "our" capacity to uncover backdoors.
I suspect it's likely because TP-Link tells/is forced to tell the Chinese government about 0days that are still unpatched, which would give them the advantage to conduct large scale espionage and recon before it's fixed.
Very similar to how Microsoft gives the same info about 0days to the NSA to use for the same exact reason.
> I suspect it's likely because TP-Link tells/is forced to tell the Chinese government...
I think if we are there, then we should assume all 0days are known by various states before patches are available, regardless of whether companies are set up to share that information or not. You don't need to get the company to share that information, just one person in a company, and I don't really see that as being a challenging task for a state to do.
Assuming otherwise seems more risky.
Hence zero-trust, buzzwords aside.
You should absolutely assume breach as part of your company's security policy/trust model.
Then why target TP-Link for actions?
Are they the next biggest vendor after Huawei?
I dunno if they're the next biggest, but they are one of the largest in the consumer space. They've been the best selling networking devices on Amazon for nearly a decade, and ISPs use their products when bundling WiFi setups with ISP service (although those are usually centrally managed by the ISPs themselves).
Why take that chance, for some slightly cheaper routers?
I have respect for human creativity, and the limits of public servants. It's not easy to keep constant vigilance against all possible backdoors. Easier to restrict core infra devices from openly hostile areas.
Why take the chance that the food you buy from the grocer may be contaminated? I have respect for human creativity, and the limits of farmers. It's not easy to keep constant vigilance against all sources of contamination. Easier to restrict food to only what you produce yourself.
Glibness aside, there's clearly a continuum to the concept of 'we live in a society', and to how far the monkey brain's tribe extends. But the argument against routers is clearly arising from a biased set of priors, whether fairly or unfairly.
Because it's a strategic issue. The internet is critical infrastructure. While TP-Link might not have contracts with ISPs and datacenters, it doesn't take a lot of imagination to think what damage you could have with 30% of the home / small business routers under your control.
This could range from plausible deniability stuff (like the examples in the article), to targeted investigations / attacks (Bob who works at the Gov Accounting office for Military Spending), all the way to a 100-million unit botnet turning to provide a few days of distraction ("Bad hackers compromised our OTA system. Sorry!") while a certain island is being eminent-domained.
Your food example is not the same. You can't trojan-horse an apple pie, or target an individual customer from the supplier-side (yet). If you decided to poison them, that's pulling the pin from the grenade right now.
> Why take the chance that the food you buy from the grocer may be contaminated?
Food doesn’t have the incentives here, and because the FDA is involved with food production they regularly discover issues and issue recalls etc. Even better, manufacturers can no longer influence food after it enters a distribution center, limiting their ability to hide issues.
Now suppose you deploy a home router with automatic updates, that’s not necessarily malicious but means the device can be under the manufacturer’s control whenever they wish. Saying we haven’t discovered malicious activity is therefore meaningless here.
We know domestic suppliers are complicit with domestic spying. What do we buy? What are the options?
People are living paycheck to paycheck and need to make every eurodollar count.
The Chinese, regardless of how you feel about them, are great at making cheap shit that mostly works.
Because I don't think the chance of getting a compromised router is any greater than with any other router. The chance is probably higher that there's a US government backdoor in other routers.
> which is the suspicion that there's Chinese government-accessible backdoors that can cripple infrastructure.
Which is real rich coming from the US after the Snowden leaks showed Cisco was willingly cooperating with the NSA and planting NSA backdoors in their hardware destined for overseas.
Them wanting to ban TP-Link (and Huawei) have nothing to do with cybersecurity and more to do with "We don't want to allow anyone else to play the same game we are playing."
I didn't realise there was so much TP-Link hate - as consumer networking gear goes I think they're pretty good and trustworthy. Vs. say Tenda or XGFHIU.
(I use mainly Mikrotik at home, but my only AP currently is a TP-link 'extender' (it's 'extending' via ethernet, and the only AP doing so), it's ok.)
Kind of like Anker in batteries and earphones: maybe at some point it was the 'dodgy Chinese brand', but now a solid contender/front-running third-party.
I don't know if there's any connection (no pun intended) but in my head TP-Link kind of took over from D-Link at some point as a sort of low-end Netgear/Asus competitor.
It would be great if someone had compiled some data (with sources) on home routers based on release dates and date of last firmware update received. That could be translated into a “sw sustainability index” for home router vendors which I believe would be useful.
Absolutely. I have an older unmanaged switch that is still getting updates MANY years later. I've been consistently impressed with TP-Link. I even picked up a WiFi 7 router with all this talk of banning them. Just feels like politicians removing players from the market so the companies they can invest in do better since they are the only choice available.
Yeh, I was going to say. My m4R is at least 15 years old and got a firmware update last month.
Same here. Running a small fleet of TP-Link gear across three homes. They all get firmware updates regularly.
I just bought a new TP-Link (Omada brand) to replace a (also fairly new) D-Link router that would just stop working every couple of weeks, requiring a reboot.
The performance of my network immediately jumped up.
The D-Link might have a hardware issue (but it’s not worth trying to get them to address it, as it’s intermittent by weeks, and they’ll just gaslight me, if I try), or it could just be crap firmware. A lot of hardware companies treat their firmware teams like shit.
Doesn’t matter. I’m avoiding their routers, in the future. I have had good luck with their switches, though.
I don’t use them anymore, but the TP-Link EAP225v3 remains the lowest latency WiFi access point I have ever used. I occasionally miss them.
Really? I bought an Archer AC1200 at Costco. It was a recent model at the time but received no updates after 1 year.
This may be true, but until when? PRC can demand anytime and have you part of a botnet. Are you comfortable leaving it in their hands?
As someone from Europe, I certainly am at least equally uncomfortable with products from the US. Made in USA to me equals zero concept of privacy protection but plenty of state surveillance (CLOUD Act, Cisco having hard coded back doors every two weeks etc.) and recently even lack of rule of law and even threats of annexation of European land and interference in domestic elections.
Sure, China will probably also spy and conduct industrial espionage, just as the US, but they appear to be a rational actor and have never threatened the sovereignty of European countries.
The US has a recent history of extraterritorial law enforcement, both in ally countries (Kim Dotcom, Meng Wanzhou), and non-ally countries (bin Laden). That's the main fear. W.r.t. the US, everybody is at risk, all the time.
If you don't do anything wrong, you won't get into trouble, and out of 8 billion people in the world, only a handful of people get in trouble. The problem is, the definition of trouble can change.
Who can guarantee that the Cisco/UniFi or whatever Made in USA gear won't be a host to a state sanctioned "lawful interception software" politely pushed to many devices with the help of a National Security Letter?
Is this supposed to be some kind of gotcha? Of course this can happen. And not only do I support it, but I think they should do it more and use it to get a shot on any criminal or foreign power.
We can do it, but we shouldn’t expose ourselves for the possibility of our opponents doing it. That simple
Who is "we" in this context?
I'm neither from US nor from China, so I don't belong to either "we". So in my case no hardware is safer unless I design the board and develop the firmware on top of it.
Even then, I'm not sure whether there are hardware vulnerabilities baked in.
I think it’s safe to say that by “We” we can assume it would be your country and its allies.
War and spying has been a thing for a long time now. I think it’s unreasonable to expect countries to not make use of their respective industries and enterprises to get an edge on each other.
The fact is that this kind of hardware is just very good for that, so as a customer, I feel you, and I think the best we can do is buy custom hardware and install a custom OS. Like OpenWrt.
But I will not complain about my country doing that, because when I see adversaries doing it, it’s completely reasonable that it also does. In fact, game theory mandates it.
> I think it’s safe to say that by “We” we can assume it would be your country and its allies.
I live in a country which has been spied on for years by its closest "ally". See Crypto AG scandal for more details. So in my case there's no "we".
Yeah, the most realistic trade-off might be installing OpenWRT and some tripwires to see whether anyone is trying to do something nefarious remotely.
In spying, there's no "we".
> In spying, there's no "we".
Sometimes your own government is the most likely to spy on you.
> Yeah, the most realistic trade-off might be installing OpenWRT and some tripwires to see whether anyone is trying to do something nefarious remotely.
I agree with that, but it's beyond the reach of most people.
I think zero trust or low trust within your LAN is also a good idea. So is firewalling ISP supplied routers.
That's also fair. I agree.
There are no allies in this world. There are opponents, and opponents who say that they are your allies.
If a government has a backdoor it can be exploited. What if your US made router's backdoor is discovered and abused by a Chinese party? No backdoor can be made to only exclusively be unlocked by its creator.
Compared to it being in the hands of the US, who couped my country and bombed my neighbours?
Definitely.
Yeah, this US-centric view that deems China the "bad guys" is also problematic, because in some parts of the world, like the Middle East, South America, Africa, etc., the US is deemed more evil than China.
I do not know those countries, but in South, South East and East Asia the US is not the threat; it's a potential ally against China. In most of Europe it is an important ally.
Allies do spy on each other, but they are not a threat in the way actual or potential enemies are. The fact that the US spied on Germany, and Britain spied on Belgium, does not really make them threats.
It was an important ally, Europe is currently investing billions in uncoupling its reliance on both Russia (for natural resources) and the US (for defence and natural resources) because neither party can be trusted anymore.
> Europe is currently investing billions in uncoupling its reliance on both Russia (for natural resources) and the US (for defence and natural resources)
Russia, yes.
I do not see any real expectation of Europe not being reliant on the US. See the many discussion here about reliance on US cloud services. Where else are these natural resources to come from? Where is the technology or the money to scale up to what the US has?
1. Canada (2nd largest country in the world after Russia).
2. Internally.
USian hubris won't end well for the US.
Europe is offloading its reliance on Russian LPG just to buy more from the US.
You didn't read the comment that I replied to?
lol, the US didn't just do "spying"; read the comment tree first.
Can you link to a source where that's demonstrated? If these devices have a backdoor, surely both HN hackers and the NSA would have found it by now, right?
> much of the rest of the industry serving this market also sources hardware from China and ships products that are insecure fresh out of the box.
The same is true of any country, including the USA. Australia & the UK have laws to that effect, and the USA backdoored RSA and Juniper off the top of my head.
Unless you run purely open source, your only choice always has been which country had open slather to spy on you. There are no real contenders for open source phones right now, so for most of us guaranteed privacy was never a choice. (I have high hopes for Halium in the future, as I hate this.)
For those of us in East Asia or some country like Iran or Venezuela that the US likes to bomb periodically, China is the least objectionable spy master. Those of us in the West chose the USA, as they were a reliable trusted ally. Then Trump arrived on the scene and made things complicated.
The real lesson here: If you're successful, don't skimp on security/software! Also, don't abandon software/firmware security support for your products so quickly.
If I was in charge over at TP-Link, getting news that tens of thousands of MY company's routers were compromised would have me furious! I'd be freaking out, making sure that we take immediate steps to improve software/firmware quality and to make sure we're in a constant state of trying to compromise our own hardware... To ensure no one else finds vulnerabilities before we do.
Instead, TP-Link seems to have just laughed and focused strictly on profit margins.
The real lesson here: don't forget to bribe the president of the US.
I'm sure TP-Link could help fund a second ball room.
This was my first thought. Why TP-Link, why now? Looks like another extortion scheme from POTUS.
If this was actually the lesson then they'd be banning Fortinet, but it seems these concerns about security don't apply to US listed companies.
Bold of you to assume those Fortinet vulns aren't just exposed government backdoors.
This is like seeing a food poisoning outbreak at a fast food restaurant and concluding that it must be CIA/FSB/Mossad bogeymen trying a bioweapon. These breaches are things like not validating authentication tokens (at all, not just correctly) and that would be a big drop in professionalism from what we’ve seen from nation-state level attacks:
https://labs.watchtowr.com/get-fortirekt-i-am-the-super_admi...
Hanlon's razor, paradoxically, is the perfect cover for surreptitious malice. We've already got a perfectly reasonable razor telling people not to assume malice, after all.
And to be clear, let's not forget that the US government did intentionally and secretly conduct surreptitious biological warfare tests against entire US cities that deliberately inflicted disease upon and killed American citizens. There was an entire formal program that spanned decades - https://en.wikipedia.org/wiki/United_States_biological_weapo...
Of course, the US government doesn't have any secret programs anymore and never lies to us, so everyone can rest easy knowing nothing like this could ever happen again.
It occurred to me recently while driving in a high traffic area that (a) this area is congested every single day at this time and (b) if I shipped a piece of software that literally crawled to a stop for a two hour period every morning and a two hour period every evening that I would be deeply ashamed of myself and my work and that if I ran a department that did that I would have no priorities other than fixing this bug until it was fixed.
Yet we all know so many industries and products that just do not work like that and in fact the longer something is broken and it doesn’t seem to stop people from using it, the more it is accepted that it is ok for it to remain broken. I think that is somehow just a part of human psychology.
> It occurred to me recently while driving in a high traffic area that (a) this area is congested every single day at this time and (b) if I shipped a piece of software that literally crawled to a stop for a two hour period every morning and a two hour period every evening that I would be deeply ashamed of myself and my work and that if I ran a department that did that I would have no priorities other than fixing this bug until it was fixed.
The hubris of the spotless software engineer mind.
We have a solution for the traffic problem but you won't like it.
There is no "traffic".
YOU ARE THE TRAFFIC.
Cars and roads for cars don't scale well past very rural or very small suburban areas.
The solution to traffic is extremely hard and it involves:
* you and lots of other drivers voting to allow densification of highly serviced areas (close to central business districts, public transportation, hospitals, schools, ...) - at least mid rise apartment buildings, 4-6 stories high
* you and lots of other drivers voting to allow funding of public transit
* you and lots of other drivers voting to allow funding of reduction of car infrastructure (fewer car lanes, fewer parking spots, fewer highways, fewer car only bridges, tunnels, etc)
* you and lots of other drivers voting to allow funding of safe bike infrastructure
* you and lots of other drivers voting to allow congestion pricing in ... congested places
* you and lots of other drivers voting to allow funding for anti bike theft measures (police training, bike theft prioritization, bike serial number databases, ...)
* you and lots of other drivers taking public transit
* you and lots of other drivers riding bikes for medium length trips
* you and lots of other drivers walking for short trips
I used to live near and work in Boston (near Fenway). My solution was a bit more radical than yours: passenger cars should basically never be allowed inside Boston proper. The city was not meant for cars and it shows. Instead, build moving walkways and fix the issues with for example the Green Line averaging 6mph (walking speed).
Truck deliveries can happen 3am to 6am every Tuesday and Thursday, or by paying $1,000/day toll fee.
Yes it is radical and yes people would get used to it and think it is superior after a time.
It is sometimes better to not ship a product at all instead of shipping a completely and fundamentally broken product.
The thing is, customers really want cars because they're like fast fashion or fast food: the benefits are obvious and the downsides are slow and insidious, while people selling them get repeat business worth huge amounts of money.
I think this is you seeing the faults of other industries but being blind to yours.
No single person created the traffic jam "bug", the "users" are the biggest part. In many industries "the fix" isn't a few lines of code that you can one-click push to all users. You can't fix that traffic jam in code or even in infrastructure, you need to change society itself on top of everything else. It may not even be a defect as much as a supply and demand issue where supply is very scarce and impossible to ramp up, while demand is super high and growing. Cloud providers run out of capacity in some regions, their developers should be ashamed?
Software can be fixed quickly if broken. Capacity not so much. Software is also routinely launched broken, and subsequently stays in various degrees of broken or not usable enough throughout its lifecycle, with new and unpredictable issues replacing old ones.
If too many people wanting to drive a car in the same place, at the same time, despite the predictable outcome due to the limited capacity, is purely a failure of the city, country or road builder, then isn't a user not being able or not knowing how to properly use the software the fault of the developer? Is demanding more from the software than it can deliver the fault of the developer? How much cumulated time does this cost, sometimes for absolutely no reason whatsoever other than an arbitrary decision of the developer?
You aren't "deeply ashamed" because you downplay the issues you (or your company) create as a developer and pretend they aren't problems for the users. A "part of human psychology" tells you 1000 smaller cuts are fine.
But people don't drive randomly. They drive in predictable locations where the city, county and country have decided they should drive. Building all the homes over there, building all the offices over here, and having the whole population go from there to here at 8-9 in the morning and back at 5-6 in the evening was not an individual choice. The government (collectively, all parts of it) made those choices for us. And if you think it's an individual choice to commute at all - consider that you'd get arrested if you slept on the street outside of your office.
It’s worse than that because let’s say you have people commuting to their office from a suburb and let’s say it takes an hour. So you increase the road capacity so it takes 30 minutes instead. This just lets people from even farther away to take 60 minutes to commute. This means the employers have access to more employees who live farther away and pay less in their cost of living. This means more business can open and more employees can be hired for overall less money. Overall the problem is that any time you increase capacity you are just inviting more cars.
Imagine if we did not have congestion control in TCP and instead every time we got congestion we just upped the bandwidth. Do you think at some point our ability to increase capacity would outpace the demand for what is for the most part a free resource (I know neither roads nor network bandwidth are free, but the cost is amortized such that it “feels” free to the users)? Or do you think demand would grow as fast or faster than capacity?
The real answer is to reduce demand. You can do this by introducing something like congestion pricing: make it expensive to use the resource when demand is close to capacity. Or you add some form of congestion control. For example you could dynamically set speed limits on secondary roads and when the freeway traffic flow slows down you slow down cars as they try to get to the on ramp of the freeway. Or you could raise the price of gas by $1/gallon to discourage car use and use the revenue to build more public transit. You could charge single person car use fees. You could keep roads free but make parking downtown extremely expensive and use the proceeds to build more public transit. You could reduce speed limits in the cities to no more than 10 miles per hour and strictly enforce that; obviously this only works if you have much faster and higher speed public transit: imagine choosing between buying a car, car insurance, gas, and still taking 3x as long to get to where you want to go compared to buying a $50-100 monthly pass and using public transit.
There is a big difference between 1000 smaller cuts and the one and only function of a piece of infrastructure clearly not working every single day.
Define "not working". The one and only function of a road is to support the wheels on top of it. Are you saying that there's regularly cars falling through the asphalt, or cars veering off the road when they meant to go straight ahead?
Your car is the traffic on that road. Every system has limited capacity, you loaded it beyond that point, you are the problem. The roads are designed for an advertised capacity and more people like you said "it's fine, we'll all jam in there and then blame the road". Then you complain and point fingers at anyone but yourself?
You were talking about reasons to be ashamed? How about that as a developer you don't understand system design and capacity/performance limits, and you don't understand that intentionally loading a system beyond its rated capacity is not the problem of the system. Even an LLM knows that.
I bet you only build systems with infinite capacity and performance.
This feels weirdly personal and I don’t know what your problem is exactly but I hope you find a way to solve it. Best of luck.
> The real lesson here: If you're successful, don't skimp on security/software! Also, don't abandon software/firmware security support for your products so quickly.
Why? Microsoft and Cisco also skimp on security.
The real lesson is don't skimp on your political payoffs/tribute/bribes.
Or maybe, don't capture 50% market share in a country that's decided your country of origin is the threat of the decade.
TP-Link's Headquarters are in California, they have a branch in Singapore and they manufacture in Vietnam, which of those were the threat exactly?
This whole thing is reminiscent of the TikTok CEO Chew Shou Zi - "But, I'm Singaporean, Senator".
It was a completely Chinese company until last year. Then it split in 2. The US headquartered half has 11,000 employees in mainland China and 500 in the US based on what I could find when I googled it. It’s solely owned by the founder of the original company and his wife who are Chinese citizens.
I don’t know whether it’s worth banning them or not, but putting your hands up and saying “what Chinese company?” is just absurd.
1. The company was founded by Zhao Jianjun and Zhao Jiaxing, who are brothers. I don't know where you got the husband/wife sole ownership from.
2. As you admitted, they have completely separated into 2 separate companies, claiming that it is still Chinese is akin to saying "tea is Chinese", that's completely absurd, yes, it was at some point in history, that point is not now.
1. I got the idea from the TP-Link website. Zhao Jianjun is known in the US as Jeffrey Chao. He and his wife are the sole owners of the US company.
“in October 2024, established TP-Link Systems Inc., based in Irvine, CA, as its global headquarters and parent company with Jeffrey (Jianjun) Chao and his wife Hillary as sole owners. Jeffrey is CEO of the company.”
https://www.tp-link.com/us/landing/fact-sheet/
2. The sole owners are Chinese citizens, 95% of their employees are Chinese citizens living in China, most of the R&D happens in China, and the majority of the components of their products are manufactured in China.
They have an HQ building in the US, but 90% of it is leased to other companies.
This is a US based company in name only. It’s essentially a shell company designed to bypass a potential US ban.
Since 2018 TP-Link has manufactured products for the U.S. market in its own factory in Vietnam.
From your linked fact sheet.
They assemble final products in Vietnam. The majority of the components, including all of the chipsets, are manufactured in China.
That is what TPLink PR would like you to think.
The reality is the only part that matters, the chipsets, are produced in Chinese factories owned by TPLink.
They moved everything that doesn’t matter to the US recently in an effort to give the illusion that they aren’t putting chips manufactured under the control of the Chinese government into the majority of routers used in the US.
I’m not agreeing with banning them, but I can certainly see how it creates significant risks that I would want to mitigate somehow.
> the chipsets, are produced in Chinese factories owned by TPLink.
So are more than half the chipsets in the world. https://en.wikipedia.org/wiki/Category:Microprocessors_made_...
I agree with you that they shouldn't be banned, but the US casting aspersions against another country is pretty rich considering the involvement of the CIA, and NSA around the world.
It's hard to believe you're saying 2 in good faith. Companies don't change that fast, and you skipped the part where so many of the employees are still in China.
It took them 3 years to achieve this, so yes, they can change that fast...
Did you not read the article? It's hard to take your comment in good faith if you didn't.
Three years would be an impressive timescale to move a company from one country to another.
Except they didn't do that. They moved the HQ.
I'll accept for the purpose of this argument that they fully split the company into two separate companies. But both of those companies are still mostly Chinese, going by the numbers in this thread.
> Did you not read the article? It's hard to take your comment in good faith if you didn't.
This is a weak attempt at turnabout. The article doesn't present any evidence of separation or non-Chinese-ness, it just quotes the company (and even that quote admits a bunch of Chinese assets). But even if it did, it wouldn't be bad faith to skip reading it.
> This is a weak attempt at turnabout. The article doesn't present any evidence of separation or non-Chinese-ness, it just quotes the company (and even that quote admits a bunch of Chinese assets). But even if it did, it wouldn't be bad faith to skip reading it.
1. Who else would document a company's restructure if not the company itself?
2. Yes, not reading an article and commenting on it is bad faith.
> going by the numbers in this thread.
3. So you have no evidence of it not being as the company says, just the vibes of others on this thread, okay Senator.
> 1. Who else would document a company's restructure if not the company itself?
If the company wants to give numbers, I'll listen to them. But the company made vague/unproven claims and that's not enough. Journalists can investigate.
> 2. Yes, not reading an article and commenting on it is bad faith.
Commenting on something talked about in the article doesn't require reading that specific article. You can use other sources.
> 3. So you have no evidence of it not being as the company says, just the vibes of others on this thread, okay Senator.
Other people brought objective numbers. Not vibes.
Why should I not use those numbers? You have not claimed any of those numbers are wrong, you're just calling people's conclusions wrong.
> TP-Link's Headquarters are in California, they have a branch in Singapore and they manufacture in Vietnam
"TP-Link is a Chinese company that manufactures network equipment and smart home products. The company was established in 1996 in Shenzhen. TP-Link's main headquarters is located in Nanshan, Shenzhen; there is a smaller headquarters in Irvine, California"
Just because a company changed its headquarters to the US, all of a sudden they are a US company? Even if 99.9% of its decisions, operations and R&D are still elsewhere?
That is like people saying Nothing is a UK company, when all I see is a Chinese company registered in UK.
It's like saying Apple Computers is an Irish company and not a US one because of where they file their corporate taxes.
You do realise all of Singapore is a front to export to China right?
Just make them liable for the damages and then they will start caring.
This might be one of the only cases where subscription model would work well to cover the maintenance cost.
> This might be one of the only cases where subscription model would work well to cover the maintenance cost.
1) Company takes your subscription money.
2) Company finds a vulnerability that's difficult to fix.
3) Company announces your device is EOL and ends your subscription, taking your money for doing nothing, and not helping when you need it.
You have a bright future in product management.
Or medical insurance.
Yea, in the real world, the CEO gets news that tens of thousands of his company's routers were compromised, and calls up his General Counsel and asks "are we liable for damages?" And if the answer is NO, he goes back to enjoying the house party in his luxurious third home.
Yeah, I know, at some point you cannot make them care for their customers wholeheartedly.
It depends on whether customers care.
> This might be one of the only cases where subscription model would work well to cover the maintenance cost.
Or (hear me out on this one, it is a wild take) if you come out with a device, system or software that has fundamental flaws, you fix them at your own cost or get fined to oblivion if you don't.
If a company is not able to come up with reliable, quality products, then perhaps it shouldn't be in the business of creating said products to start with.
The fact that you suggest subscriptions to fix fundamental issues is a good reflection of how companies have managed to skew the general perception on what is "acceptable" as a product. In fact, they have pushed it so far, that they are feeding it to us backwards.
Pushing out minimal viable products and having subscribers pay to (perhaps, one day) get something that works shouldn't be the norm.
A car info/entertainment system that is too slow and buggy because the manufacturer couldn't be bothered to take the steps necessary to make sure it worked reliably? -> fix it
A phone manufacturer that throttles your system after a year because they couldn't be arsed to properly size their batteries originally? -> fix it
A router manufacturer shipping software so buggy their hardware needs to be rebooted periodically? -> fix it
Etc.
"Software is hard" or "product design is hard" are no excuses. Building airplanes that don't fall out of the sky is also hard, and yet we manage to do so. (Or, rather ironically, the ones that follow the "minimal viable product" software mentality do fall out of the sky. Looking at you, Boeing).
Those are the companies that abuse customer trust and sell them something cheap under the guise of high quality, when in fact it is really cheap and not well thought out.
Contracts will (and do) include boilerplate whereby the customer absolves the manufacturer of liability.
It’s fairly trivial to write a law that makes those illegal.
"No liability" already mostly only applies to defective products, not harmful ones.
The only industry with a broad "no liability for torts" is gun manufacturing.
The question is whether you want to interfere in the freedom of contract for this.
Almost all software everywhere comes with a 'no liability' clause. And arguably, open source couldn't exist without it.
The exceptions where liability is wanted negotiate that specifically.
There is precedent, for example, lemon laws related to automobiles. Unfortunately, governments have ceased to care for consumers like they once did.
Consumers can care for themselves, if we let them.
Respectfully, I think you have too much faith in the ability and general desire of individuals to protect themselves. Consider how successful scams and security breaches are. Consider, too, the unequal bargaining power between vendors and individual consumers (have you ever tried to negotiate a form contract with a megacorporation?).
We protect people because they have failed. These regulations tend to follow actual injuries; they are rarely promulgated in anticipation of them.
> Consider, too, the unequal bargaining power between vendors and individual consumers (have you ever tried to negotiate a form contract with a megacorporation?).
You don't negotiate the contents of your burger with McDonald's. If you don't like it, you go to Burger King or have a Döner Kebab.
There's plenty of tacit negotiations here.
> We protect people because they have failed. These regulations tend to follow actual injuries; they are rarely promulgated in anticipation of them.
Homeopathic medicine tends to follow actual health problems, too. That doesn't mean it is a good idea.
> You don't negotiate the contents of your burger with McDonald's. If you don't like it, you go to Burger King or have a Döner Kebab.
Not every industry is a competitive one with practically unlimited choices. Natural monopolies or industries with high barriers to entry tend to have the most leverage over their customers. Most people have only a single electricity provider, and there are only two major mobile OS vendors worth speaking of.
> Homeopathic medicine tends to follow actual health problems, too. That doesn't mean it is a good idea.
Some work; some don’t. The key is figuring out which solutions are effective and which aren’t. Nobody is proposing keeping fixes around whose costs aren’t worth the benefits to society.
> And arguable, open source couldn't exist without it.
Couldn't you just include selling a product or a licence for it as a requirement?
The GPL is a license.
selling a product or license
Generally most GPL'd software isn't sold (terms and conditions may apply).
IBM used to sell you the computer, and the software was free. The industry could resurrect that practice as a loophole.
If you sell the computer with the software preinstalled it would still fall under the selling a product part. So if you'd want to actually have a loophole you'd at best be selling the product without any software, and we both know how well that would go with the masses.
People in the comments are defending TPLink for how 'solid' their products are. As someone who just switched to UniFi APs from a Deco Mesh (wired), I have to admit that the difference is deep dark hole and bright sunshine day. Maybe people are comparing to spectrum charter modem combos but I definitely don't see how a router that loses firmware updates in a year can be praised. And it needs reboots so frequently. The Deco has an option now to reboot 'everyday'. This sounds something maybe needed for rare cases where the ISP expects a reboot, but the fact that your routers have that as a feature to keep it stable is a big red flag.
I was so used to this that when I started looking for this setting in UniFi OS I had forgotten the part 'networks are not supposed to be rebooted frequently!'.
There are some misconceptions here.
First, all of the TP-Link devices I use still have firmware updates regularly. I can't talk about Deco series, which I don't own.
Second, mesh capabilities are not consistent across different brands, that's true. On the other hand, comparing TP-Link, which is a home/SOHO brand, to UniFi, which is essentially a prosumer/enterprise offering, is not fair. I have a small mesh (three devices) at one of the places I run these devices, and it hands off nicely, extends coverage, and gives me the speeds written on the tin.
Do I expect it to compare to a UniFi or Aruba mesh where the smallest element has more processing power than my router? Of course not. Do I expect it to run on a 300 sqm house with 10+ devices? Again, no. But as long as my network runs, I can access the devices with good connections and speeds they advertise, I'm golden.
Lastly, the "restart every day at this time" setting has been present since forever on many devices. The feature is to help home downloaders / data hoarders renew their IP periodically. Heck, even JDownloader has a feature to reset your modem remotely if your modem supports renewing IPs (since 2004?). Assumptions don't help here.
I never had to automatically restart any of the routers/modems I used regardless of the manufacturer, sans a couple of Cisco/Linksys devices. The E4200 had two processors, one for the switch and one for the router. The router one stopped responding randomly, cutting the whole network off from the internet, and my E900's processor crashed, flooding the whole home network with packets and basically paralyzing it. Oh, that same E900 failed to negotiate with the on-board RTL8139 Ethernet controller, so I had to buy another "Cisco/Linksys" RTL8139 card.
The TP-Links I had never did anything remotely like this. They even have the best latencies and WAN recovery when things go south on the ISP side. My TP-Link 802.11AX extender works flawlessly with my ISP-supplied WiFi 6 modem, and despite having no mesh communication going on, runs on the same SSID and hands off pretty reliably.
Ubiquiti has some higher end products, but Unifi is their home/SOHO product line.
Yes, a home product with a dedicated controller unit, Fx networking support, cloud based management with ability to self-host, traffic shaping and SDN capabilities.
People can dedicate a small cabinet to UniFi rack-mountable gear plus the network center of their house. TP-Link has none of those, and not aiming for that market, even.
It's comparing a Peugeot 3008 with a Mercedes-Benz G Class and adding that, Mercedes has serious off-road trucks like Unimog, but G Class is their end-user product.
Apples to Pineapples.
BTW, it's not hard for me to install and manage a high capacity UniFi network in any way. I don't use their devices, because I don't want to manage yet another network.
A 3-pack WiFi 7 BE65 mesh from TP-Link cost $1500 at launch. They seem to have done their usual hardware switching to now sell a similar BE63 for $500. But if you are going to compare the two, compare the actual hardware-equivalent product. For $500 you can get a controller and a couple of APs from UniFi, and the setup will be far better than a 3-pack BE63.
From what I see, the Deco BE series has multiple models, with slightly different port configurations. Looks like BE65 comes with 4x 2.5GbE and BE65 comes with 2x 5GbE + 1x 2.5GbE. Moreover the site has multiple other Deco BE models. Both BE63 and BE65 are on sale and can be purchased.
From my experience, TP-Link makes hardware changes with "H/W versioning" in their model numbers. I have many RE220 extenders with different hardware revisions, the earlier ones not supporting OneMesh. However, I don't find later versions performing worse w.r.t. earlier ones.
However, at $500/unit, the backbone of the devices doesn't look underpowered, esp. when looking at both wireless and wired specs. Consider that my RE700X does what's written on the tin, and is rock-solid despite working with a non-TP-Link device and being behind two 30cm walls.
I expect these Deco devices to live up to their specs.
I’ve deployed 40+ unifi APs at some locations with 800+ devices over multiple ssids with no issues.
Not convinced that’s “home” or “soho”, unless you have a very generous meaning of “small” which leaves the 5 person office somewhat undefined.
Even the largest buildings of our multi-billion-dollar-revenue company only get up to 2500 wifi devices.
I couldn’t figure out what was wrong with my WiFi. Turns out all I had to do is power restart it. All my problems went away after setting up weekly reboots. It is stupid that it works and it is stupid that it is the only solution for stable WiFi. Shame on tplink
It's usually either low memory, which basically crashes the devices, or buggy software which works until you hit the bug, at which point it requires a restart to get it working again. Most common is memory problems though, because these devices have just enough memory to make it work.
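The comments above describe the blind "reboot every day" workaround and the two things it papers over (memory exhaustion and a hung WAN). Below is an added example, not from any commenter or from TP-Link firmware, of a conditional watchdog for a BusyBox/OpenWrt-style router: it reboots only when MemAvailable actually drops below a floor or the WAN probe fails, and it refuses to reboot twice within an hour so a bad ISP day cannot turn into a reboot loop. The threshold, the probe host and the state-file path are assumptions chosen for illustration; the /proc/meminfo text used in the test is constructed.

```shell
#!/bin/sh
# Conditional-reboot watchdog for a BusyBox/OpenWrt-style router.
# Added example, not vendor code. MEM_MIN_KB, WAN_PROBE and the state
# file path are assumptions for illustration.

MEM_MIN_KB=${MEM_MIN_KB:-8192}      # assumed floor for MemAvailable (kB)
WAN_PROBE=${WAN_PROBE:-1.1.1.1}     # assumed reachability target
STATE=${STATE:-/tmp/watchdog.last}  # epoch seconds of the last reboot
MIN_INTERVAL=3600                   # never reboot more than once an hour

# Read MemAvailable (kB) from /proc/meminfo-formatted text on stdin.
# Older kernels lack MemAvailable; fall back to MemFree in that case.
mem_available_kb() {
  awk '/^MemAvailable:/ {avail=$2} /^MemFree:/ {free=$2}
       END { if (avail != "") print avail; else print free }'
}

# Decide what to do from memory (kB) and WAN state (0 = up):
# "reboot" only when memory is below the floor or the WAN is down.
decide() {
  mem_kb=$1
  wan_up=$2
  if [ "$mem_kb" -lt "$MEM_MIN_KB" ]; then
    echo reboot
  elif [ "$wan_up" -ne 0 ]; then
    echo reboot
  else
    echo ok
  fi
}

# Return success (0) when the last reboot recorded in $1 happened fewer
# than $3 seconds before now ($2). Guards against reboot loops.
rate_limited() {
  state=$1; now=$2; min_interval=$3
  last=0
  [ -f "$state" ] && last=$(cat "$state")
  [ $((now - last)) -lt "$min_interval" ]
}

wan_check() {
  ping -c 1 -W 2 "$WAN_PROBE" >/dev/null 2>&1
}

main() {
  mem=$(mem_available_kb </proc/meminfo)
  wan_check; wan=$?
  action=$(decide "$mem" "$wan")
  logger -t watchdog "MemAvailable=${mem}kB wan=${wan} action=${action}"
  if [ "$action" = reboot ]; then
    if rate_limited "$STATE" "$(date +%s)" "$MIN_INTERVAL"; then
      logger -t watchdog "reboot suppressed: rebooted within the last hour"
      return 0
    fi
    date +%s >"$STATE"
    reboot
  fi
}

# Only act when invoked with "run" (e.g. from cron every 5 minutes);
# sourcing the file just defines the functions.
if [ "${1:-}" = run ]; then
  main
fi
```

Put it in cron as `*/5 * * * * /root/watchdog.sh run` and read the `logger` lines in `logread` before deciding whether the reboots were ever needed; on a healthy box the log should show nothing but `action=ok`.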
I have not used the Deco access points but the Omada ones have been rock solid for me for about 4.5 years now, and I used UniFi before that with no real issues either.
> I definitely don't see how a router that loses firmware updates in a year can be praised
My Deco M4 mesh units from 2019 are still receiving regular firmware updates (to be fair, I think more to bring compatibility with new features than for security updates, but regardless).
The Ubiquiti hardware might be good, but the firmware is so shit, especially for IPv6, that I had to replace it with OpenWRT to get it to work (offer IPv6 prefixes for delegation).
I've got a TP-Link Archer series WiFi router that's about 5 years old, and it got an update a few months ago.
I think a lot of companies violate that lesson and continue to make money.
> Instead, TP-Link seems to have just laughed and focused strictly on profit margins.
Wait, what? TP-link provides security updates for about as long as their competitors - including providing security patches for devices that are officially out of their support window.
For example, last year they provided a critical security patch for a number of out-of-support routers, including the 14-year-old TL-WR841ND [1].
I really miss AirPort, it was the only router/ap with totally solid and easy software. Took the consumer market years to catch up with its mesh features, and they're still annoying with online registration.
Until it hits their wallet, they will not do a thing. Now if they were more concerned about longer profits and how this could impact their image, maybe they would change but it is rare you see that nowadays.
> The real lesson here: If you're successful, don't skimp on security/software!
cough Microsoft, Google, Apple cough
I'm not sure what news you are speaking of, can you link to specify?
But they got this far with $X in security spending, what’s the problem?
TP-link are definitely the worst of the worst. My cousin insisted they were fine as long as you kept the firmware updated, but then he lost all his bitcoins to hackers. TP-link, never again.
I'm sorry but your cousin did not lose his bitcoin due to some TP-Link hackers.
Yeah, that's not the lesson here at all. We're still in an era where you will suffer absolutely zero consequences for security lapses and breaches.
Everything that is happening with this administration is simply because it suits American foreign policy or the interests of one of the oligarchs. I mean this with absolutely no hyperbole: the pretense of there being any rule of law for the ultra-wealthy is gone. The White House is openly selling pardons, which have the added effect of cancelling out debts to the US government.
Tiktok getting banned? It had nothing to do with "national security". The government simply had less control over the content and the algorithm on Tiktok than they do on Meta and Google platforms.
Reading through this article, you have Microsoft pointing the finger at TP-Link. That's... rich. Because Microsoft has historically been horrible for security. It would take further investigation but I really wonder if TP-Link isn't just a convenient scapegoat.
I don't mean to be hateful with this, but what's the point of your post besides random conjecture and a sort of rant about something only vaguely related to the story?
I see the comment as quite on point. There are many longstanding real problems that have been allowed to fester (in this case, embedded security). While these problems are now being talked about, there is still zero intention to actually address them. Rather they're merely being abused as talking points by fascists pretending that "something is being done" when really the "solutions" are merely the consolidation of autocratic control.
Real reform here would be something like prohibiting tying software and hardware together as one product, source code escrow, etc. Things that actually create security and consumer choice, rather than merely one less vendor to pick from.
That this is a political issue, not technical
Sometimes I wonder if people talking about corruption in the US have ever been to a country that is as corrupt as they say the US is.
Pardons are not being openly sold. There is absolutely not great stuff going on with them but, really, the major difference I see is that it's happening during the administration, rather than in the last few hours.
The US is moving in the wrong direction when it comes to corruption but let's not act like we're bottom of the barrel or that this slide just started in 2024 (or 2016, if you'd like).
So far Trump pardons have wiped out over $1 billion in decided and sought fines [1]. There are pardons for the likes of George Santos (convicted of a whole host of crimes) for no other reason than he was a reliable Republican vote, clearly sending the message that if you are loyal, you can commit crimes and you will be pardoned. There's also the Tennessee House Speaker convicted of corruption [2] and the Binance founder [3] who allegedly aided in Trump's rug pull (sorry, "crypto offering").
Now this sort of thing isn't new. Famously on Clinton's last day in office he pardoned Marc Rich [4], who was convicted (before fleeing the country) on breaking sanctions by trading with Iran. It was widely rumored his ex-wife, Denise Rich, who had a lot of access to the Clinton's brokered a deal.
But what changed is the disastrous Trump v. United States [5] decision last year that granted almost absolute presidential immunity. Now there's not the slightest fear of repercussions, so the whole operation has gone into overdrive and it's so incredibly brazen.
I stand by my original claim: the TP-Link ban isn't technical. It's political. And I would bet all the money in my pockets that if the CEO had "donated" $1 million to the inauguration (like all the tech CEOs did, including Bezos and Cook) we'd likely have a very different outcome.
[1]: https://www.aljazeera.com/news/2025/6/8/fact-checking-claims...
[2]: https://www.nbcnews.com/politics/donald-trump/trump-pardons-...
[3]: https://www.reuters.com/world/us/trump-pardons-convicted-bin...
[4]: https://www.pbs.org/newshour/show/clintons-pardon-of-marc-ri...
As of today, you can add Giuliani's pardon to your list, together with a few other administrative enablers of 6th Jan 2020 https://apnews.com/article/rudy-giuliani-donald-trump-pardon...
> But what changed is the disastrous Trump v. United States [5] decision last year that granted almost absolute presidential immunity. Now there's not the slightest fear of repercussions, so the whole operation has gone into overdrive and it's so incredibly brazen.
That really has nothing to do with it. The pardon power and its discretion are well established to rest solely in the hands of the President. There can be no consequences for pardons; otherwise, the Clinton things you mention would have led to something.
As far as fines go, if the 2B savings under DOGE was nothing, 1B of lost fines (which would probably have never been collected anyway due to negligence or bankruptcy) is nothing as well.
So the claim is that corruption only started in DC with Trump becoming President?
Did I read the last sentence correctly?
No, I'm saying that the slide didn't start with Trump. I also don't think much of what Trump is doing is much, if at all, worse than his predecessors but he has zero shame about it.
Since he's in the news and it's on my mind, I'm not sure the Cheney and the whole Iraq/Halliburton situation has been topped since then. Then there's every member of Congress suddenly becoming a multimillionaire after they get into office.
The only norm Trump is breaking is that he doesn't care to sweep it under the rug
The Chinese see their exports rise because America no longer controls the world. They'll just sell their stuff to emerging markets.
Unfortunately people like you are hardly ever in charge of this kind of thing.
So let me get this straight: The US government directly buying stakes in Intel is A-OK, but any involvement from the CCP in any form in any company is Not Good ?
If the only issue at hand was indeed security vulnerabilities, then I can see many ways that can constructively address that (e.g. Since a large number of SKUs deployed in the US are managed by the Telcos, then force them to finance the support for continued firmware updates).
The US will probably be collecting the reciprocity of their actions, and they won't like it ... It's a very childish game they're playing and it will hurt them in 15 years time ...
> So let me get this straight: The US government directly buying stakes in Intel is A-OK
For America, yes. For China, no.
> but any involvement from the CCP in any form in any company is Not Good ?
For America, yes. For China, no.
This isn't a case where the "principled high road" has any practical meaning. This is a "You want your side to win but you want their side to lose? You're a hypocrite!" situation.
Sure the "principled high road" has meaning. Coming out of the 90's, the US had a dominant position in international institutions and a 'vibe' that it was willing to subordinate its interests in favor of the global community. The post GWOT shift to a 'selfish' position, clearly illustrated here by your argument, reflects the absolute cratering of international public opinion, and frankly the collective loss of trust in a less selfish America.
With the fall of the Soviet Union and apparent end of the Cold War, many people came to believe that we were at "The End of History", beginning a new era in which major conflicts were a thing of the past, and with that, strategic considerations were seen as a dated anachronism. Future conflicts were anticipated to be small "police" actions, with America filling in not just the role of world police, but also judge, jury and executioner of any country that had a problem with it. Simultaneously, there was obviously a lot of opportunity to loot the former Soviet states, and what better framework for organizing and legitimizing that looting than the "Rules Based International Order", defined and enforced by America, which would disarm any opposition to this looting by framing the looting as economic liberalization.
So the 90s vibe you speak of was in fact America imposing a global hegemonic order which was calculated to benefit, if not American interests, then certainly the interests of the western oligarchs who were aligned with America.
There's a difference between buying shares, something Western governments have done forever, and owning controlling interest.
There's also a difference between owning some shares, which is hands off, and having no legal blocks to killing the CEO's family if he doesn't do as wished.
You're comparing false equivalences.
Chinese ownership of corporations is entirely different in this context. Even with the current US leadership, no comparison. None.
I don't know if you've been paying attention lately, but the US Government is very hands on when it comes to directing businesses these days, and Congress lets the President do whatever he wants, whether strictly legal or not.
Do you really not think the current President wouldn't lean as hard on a US corporation as he needed to in order to get whatever he wanted?
Many, many Americans are in denial about how shockingly the country has fallen. It's just staggering at this point seeing Americans, of all people, warning about Chinese ties with business.
I remember everyone fear-mongering because some business member in China had ties with the Communist party. The US is literally commissioning executives from tech companies in the armed forces (https://www.npr.org/2025/07/03/1255164460/1a-army-07-03-2025), business leaders like Elon Musk literally became members of the administration while many more (Larry Ellison, Peter Thiel, among many others) are defacto mouthpieces of this administration. Trump is exerting absolute, unchecked, utterly lawless power to do whatever he wants whenever he wants, while occasionally looting those very companies for various kickbacks.
The US is currently an international shame, and a shame to 240+ years of its history. It is an abomination compared to all of its historic values and laws and checks. And anyone blind to this, yet still pointing at China, is intellectually defective.
To me the specific state compliance mechanism is irrelevant here if a third country simply cares about data and security.
Of course both governments utilize all measures they can to collect intelligence.
And then decide how much of that data they share with partners, and when. This has considerable security implications.
"Chinese ownership of corporations is entirely different in this context"
There is no difference. The US does not effectively have any law or checks on the power of the presidency at this point. Various tech companies had executives literally enlisted in the armed forces. The government has shown, repeatedly, that it will financially penalize any company that doesn't serve their agenda. It has controlled broadcasters and social media and financial organizations.
As an outsider looking in, any difference between the US and China is mostly illusory. It has all been revealed to be make believe.
Do you think it's childish in the other direction too? They have been limiting many US products for similar reasons for many years now.
To be entirely honest, yes, American leadership is currently very childish while the Chinese one is anything but childish. And the simple observable consequence is that China is winning whatever pissing contest is going on while America is busy shooting itself in its own foot, applying a bandage and then claiming it won because it is not bleeding anymore.
The US only ever plans as far as the next election. China plays the long game.
I mean, US seems to plan for the next two hours if that lately.
> So let me get this straight: The US government directly buying stakes in Intel is A-OK, but any involvement from the CCP in any form in any company is Not Good ?
Yes.
The US can't force Intel to put back doors in products, but in China you can't refuse to do the same. It really just boils down to that. It is very possible for China to force a Chinese-owned company to put backdoors in hardware and firmware as demanded by its intelligence agencies. The alternative is going to prison for treason. Network equipment is prime real estate for such a directive. It's a no-brainer for me unless TP-Link can prove that they have completely moved away from being Chinese-owned. If you have any proof that the US government has had Intel, AMD, Apple, etc. put in backdoors I would love to see it, or documents that prove they can force such backdoors.
I think it's naive to assume competing states would be fair. Most of what both say is just propaganda. Their main purpose is to serve their respective overclasses, nothing else.
> The US government directly buying stakes in Intel is A-OK, but any involvement from the CCP in any form in any company is Not Good ?
Yes, it’s the US government. Of course it thinks advancing US gov controlled technology is good and CCP influence in the US is bad. That’s a completely rational stance and it’s not even hypocritical until the CCP bans some US product and the US gov complains.
> it’s not even hypocritical until the CCP bans some US product and the US gov complains.
It's not even hypocritical then. Both sides are protecting their own interests. These interests are partly at odds to each other. They're going to do what they believe is necessary, even if it "seems" hypocritical. That's not a bad thing, that's just ... how things work. China isn't innocent of this either. It's so weird how people are always painting this as "US bad".
Then look at it from the perspective of countries that want to protect their sovereignty and culture. The smart move is playing the big guys against each other, not joining either side.
> That's not a bad thing
Except US was all about Capitalism and they have now turned back and embraced Socialism except its socialism for losses and should be paid by the tax payer.
Libertarian strawmen notwithstanding, there has never been a time when America didn't in some way regulate industry, particularly with regard to matters relevant to national strategic interests. If you're surprised by America doing this, it's because you got lost in a fantasy and forgot to check in with reality.
It's so weird how people are always painting this as "China bad"
Now imagine you're not American. Now you have the choice between 2 nations you don't trust. Which one are you going to take? The one you don't trust that hasn't done anything to you personally, or the one that recently went rogue and is making a point of actively making everyone's life a little more miserable?
Yes, different groups with different interests and priorities will make different decisions. This is common sense, not some sort of "gotcha". If your country has more to fear from America than China, then obviously pick Chinese suppliers.
TP-Link makes really solid products, and if you don’t want to use their firmware then almost all of them can easily flash OpenWRT. In fact most of their routers are built from OpenWRT anyway.
I installed their mesh Wi-Fi system for my parents recently and was really impressed how seamless the process was. It did involve making a cloud account which I wasn’t thrilled about, however.
You aren't thinking low enough for firmware.
All modern WiFi APs require closed firmware blobs that run below or parallel to OpenWRT.
You replacing the router OS with OpenWRT does nothing when the radio has full DMA access and runs its own OS on its own processor. The OpenWRT layer will have no idea what it's running/infiltrating/exfiltrating.
I say this as someone who has been running and building OpenWRT forever. It's great but it isn't a panacea.
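The point above is that OpenWRT cannot see what the radio core runs, so the only thing you can audit from the host side is which blobs you handed it. As an added example, not from the commenter and not part of OpenWRT, here is a small POSIX shell tool that pins the contents of a firmware directory in a sha256 manifest and later reports any blob that changed, disappeared or appeared. It assumes `sha256sum` and `find` are available (both are in BusyBox) and that the blobs live under `/lib/firmware`, the usual location; the directory tree used in the test is constructed. Pinning does not make the blob trustworthy, it only tells you when the thing you are trusting has been swapped, e.g. by a firmware upgrade or a package you did not expect to touch the radio.

```shell
#!/bin/sh
# Pin and verify firmware blobs (e.g. /lib/firmware) with a sha256 manifest.
# Added example, not OpenWRT code. Assumes sha256sum and find (BusyBox has both).

# Write "hash  ./path" lines for every regular file below $1, sorted by
# path so two manifests of the same tree are byte-for-byte comparable.
make_manifest() {
  dir=$1
  ( cd "$dir" && find . -type f | sort | while read -r f; do
      sha256sum "$f"
    done )
}

# Look up the hash recorded for $2 in manifest file $1 (empty if absent).
# Exact match on the path field, so ./a.bin never matches ./a.bin2.
lookup_hash() {
  awk -v p="$2" '$2 == p { print $1 }' "$1"
}

# Compare the saved manifest ($1) against the tree at $2.
# Prints one line per CHANGED, MISSING or NEW blob; returns 1 if any.
verify_manifest() {
  manifest=$1; dir=$2
  current=$(mktemp)
  make_manifest "$dir" >"$current"
  problems=0
  # Blobs recorded at pin time: still there, and still the same bytes?
  while read -r hash path; do
    cur=$(lookup_hash "$current" "$path")
    if [ -z "$cur" ]; then
      echo "MISSING $path"; problems=$((problems + 1))
    elif [ "$cur" != "$hash" ]; then
      echo "CHANGED $path"; problems=$((problems + 1))
    fi
  done <"$manifest"
  # Blobs present now that were never pinned.
  while read -r hash path; do
    if [ -z "$(lookup_hash "$manifest" "$path")" ]; then
      echo "NEW $path"; problems=$((problems + 1))
    fi
  done <"$current"
  rm -f "$current"
  [ "$problems" -eq 0 ]
}

# Usage: firmware-pin.sh pin|verify [dir] [manifest]
#   pin     -> write the manifest for the current tree
#   verify  -> exit 1 and list differences if the tree drifted
if [ "${1:-}" = pin ]; then
  make_manifest "${2:-/lib/firmware}" >"${3:-/etc/firmware.sha256}"
elif [ "${1:-}" = verify ]; then
  verify_manifest "${3:-/etc/firmware.sha256}" "${2:-/lib/firmware}"
fi
```

Run `pin` right after a clean install from an image you built yourself, keep the manifest off the box too (it lives on the same flash the attacker would be writing to), and run `verify` from cron or as part of any sysupgrade checklist. An expected `CHANGED` after a deliberate upgrade is your cue to re-pin; an unexpected one is the cue to pull the blob and compare it against the package's copy.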
That's why I bought a PCEngines box (one of the last of their inventory before they went out of business) with completely transparent hardware and no Chinese manufacturer in the supply chain.
Neat.
If it dies tomorrow, what’s next, out of curiosity?
For anyone asking this question I might suggest Protectli. They've got x86 systems with coreboot. That's about as good as you can get these days for open source-ness without going really obscure or outdated. I've got a VP2440 as my router and firewall. You can neuter the intel management engine with coreboot, but there's still going to be firmware blobs somewhere in it, especially if you're trying to build a wifi ap.
One of my 2 pcengines APUs has developed an issue with its solder joints I suspect. It hangs at the bootloader unless the unit is already warm. Can't complain at all, it lasted ages and problems like this are just life for things that thermally cycle, it was in a pretty extreme climate for most of its life. Doesn't help with me needing a replacement now pcengines is out of business though, hence getting a protectli box.
> I might suggest Protectli
This is the route I went. After a decade plus of shite consumer routers and finally an EdgeRouter which died (along with Ubiquiti's quality) I bought a Protectli box, built and flashed Coreboot and run OPNsense.
It's been going strong with regular updates (and by regular I mean as regular as your Linux workstation) for over half a decade now.
It wasn't cheap, somewhere in the region of £700 after adding SSD and RAM but it's a way, way overkill model and never exceeds 10% RAM usage and 15% CPU with an IDS running and a bunch of VLANs and Gigabit symmetric WAN.
My original goal for overspeccing it was longevity, but I regret it now, I want to upgrade to 10G+ networking and I can't justify replacing it when it runs so well and wasn't cheap.
Thank you! Been looking for replacements like this.
Sure, but if you run OpenWRT you can pick the radio firmware image. And you can trust Qualcomm cause they're from San Diego and made Eudora; their firmware won't have intentional security issues.
And yet American products are the only ones we've ever had hard evidence on wrt intentional security issues in collaboration with US Intelligence.
Sometimes it's Swiss companies run by the CIA: https://www.npr.org/2020/03/05/812499752/uncovering-the-cias...
Source for this claim?
snowden-cisco-nsa-tao-interdiction.jpg
Comparing US intelligence to the other bad actor intelligence is wild - like comparing a paper cut to AIDS.
For now, at least.
The US intelligence apparatus is the GOAT of overthrowing foreign governments. They love it so much they even sometimes come back and overthrow the puppet regime they put in place a few years earlier (or just bomb the shit out of the civilians).
If it isn't AIDS then it is certainly a cancer.
Do you trust the seller on AliExpress selling the OpenWRT One router? OpenWRT links directly to it (from https://openwrt.org/start): https://www.aliexpress.com/item/1005007795779282.html
I run OpenWRT on my TP-Link and have been happy with it.
The radio sounds much like Intel's ME.
I think we all know there's a problem, but we don't have the power to do anything about it because what alternative is there? Ancient hardware?
I would first worry about Intel ME on my computer, and then about my router's firmware blob.
I use their Omada stuff for my business. I own a coffee shop where I have a few devices I need online and I provide free WiFi to customers. I needed something where I could run multiple networks, segregate my own devices, support a large number of clients, automatically turn off free wifi outside of business hours, run a captive portal, reserve a minimum amount of bandwidth for my own devices and prioritize my own traffic, etc. It’s absolutely packed with features and costs less than the stuff I run at home. It was a fraction of the cost of the Meraki gear I was considering. The performance is great too.
I don’t know how much I trust TP Link, but my risk level is very low. There’s not much an attacker could do if they get on my network. None of my data is accessible on that network and everything important has MFA anyway. The most sensitive things are my POS and menu displays and they are just client devices connecting to the internet. I probably wouldn’t run this stuff in an environment where I had complex security requirements.
I don't think the attackers are after your credit card records as much as they are after using your network as one base amongst thousands of others to perform illicit compute, generate traffic to a victim network, etc. That is: the attack is outbound from you to the victim, not inbound to you as the victim (at least not beyond the initial beachhead).
Omada does not really seem cheaper than unifi.
Where does OP make the claim that Omada gear is cheaper than UniFi gear? Perhaps you skimmed the comment and confused "Meraki" for "UniFi"?
OP does not make that claim. It just sounded like the choice was either tplink or something expensive like meraki.
TP-Link let me down twice.
I bought a cellphone from them many years ago and they never really supported it and I couldn't even buy a replacement battery.
Recently I bought a router with the firm intent of installing OpenWRT, but I received a newer revision that had a different CPU, less RAM, and less flash memory.
These events left a bad impression, but they do make affordable stuff with reasonable quality.
> Recently I bought a router with the firm intent of installing OpenWRT, but I received a newer revision that had a different CPU, less RAM, and less flash memory.
This also happened many years ago with Linksys (prior to Cisco). It’s not that uncommon for manufacturers to release new revisions of hardware without necessarily making it clear to the purchaser. If their purpose is to deliver a router and they can shave a few cents off the BOM with less RAM, but it still works with their software, why would they care. And once new revisions have been released into the supply chain, it can be hard to know exactly what version you are buying.
In the Linksys case, IIRC they eventually re-released the first revision WRT54G as the WRT54GL (for Linux), so that people who wanted different firmware could get the exact hardware they wanted.
Wouldn't it be nice if that was illegal? Sell whatever, but label it accurately, it's different hardware so it needs to have a different version label in the listing or something.
We see this all the time with SSDs, where a high-spec model is released to reviewers, then a low-spec model is mass-produced and sold under the same model number. That's fraud, isn't it? Shouldn't it be?
It’s only fraud if they sold you or marketed to you on those specs. But at least for things like reflashing your router, short of a few explicit opener vendors (like glinet) and Linksys AFTER releasing the WRTGL version, router manufacturers aren’t usually advertising on how much ram or flash memory space they have, any more than car manufacturers are advertising how much flash memory is in their ECUs. It’s not an intended or marketed purpose, so they’re not going to be changing model numbers just because they made an internal update.
Changing the flash in a router is pretty understandable. Changing a router's CPU is going to affect core performance, and so does changing parts in an SSD, and core performance should totally count as being used to sell the product.
“Core performance” only matters relative to what the company is selling you though. For example let’s say a company sells 2 tiers of switch. One does 10G and the other 1G. For whatever reason when they start selling these, it’s cheapest for them to sell the same internal hardware, but with the internals underclocked in software. Some hardware hackers discover this and start unlocking the 10G capabilities of the 1G units. Later down the road, the company finds a cheaper implementation of hardware for the 1G that still can do 1G but even if up-clocked can now only do 2.5 at best. That’s a change to “core performance” but it’s also not fraud. They didn’t advertise or sell you a “switch that starts at 1G but can be unlocked for 10G”, they sold you a “switch that can do 1G”. As long as that’s what they’re still selling you, everything else is ancillary.
I agree with the upclocking example, but "what the company is selling" goes beyond what's on the box. If the old 1G model can do 500k packets per second, but the new one can only do 200k, that should not qualify for the same model number. There are a lot of situations where that's going to cause real problems on stock settings, after people tested the capabilities and made purchases based on those tests.
I want the most important performance characteristics that would be on a good datasheet to be maintained, even if there is no datasheet.
But you can optimize software and use slower hardware to maintain the same performance, as an example.
In theory. It doesn't happen often past initial launch of a product.
If you can build a plausible case that you did this (e.g. simply making your fw image smaller justifies using a smaller eMMC chip), and provide a few benchmarks that demonstrate equivalent performance in those scenarios, you'd be off the hook in any legal mandate to keep the performance the same even if your new hw revision ships with weaker hardware.
This is even a common product development strategy: ship to market asap, optimize the margins later.
> but label it accurately, it's different hardware so it needs to have a different version label
In my experience, TP-Link always has the hardware revision on a label on the outside of the box.
It's small text on a small label that online vendors don't bother to check.
Then don't buy online, if you can't trust the vendor?
At some point it won't matter that you run OpenWRT on it. Obvious case in point: at a certain point it doesn't matter that you run Linux instead of Windows on your Intel PC, because it'll still be subjected to Intel ME, Intel AMT, Intel SGX and god knows what else.
On a PC, Intel ME and the like can be accessed remotely only through an Intel NIC, which can be avoided by using a PCIe Ethernet card from another manufacturer, if the motherboard does not have such an interface on it. Even many of the Intel Ethernet interfaces are supposed to have the remote access disabled from the factory, but you cannot be certain about this.
A more serious problem is caused by the laptops having Intel WiFi, which is difficult to replace. With such a laptop one would have to disconnect the internal antennas and use an external WiFi dongle, to be sure that remote control is not possible.
At one point laptop wifi cards seemed to mostly be m.2 cards, which, while not usually trivial, were relatively feasible to swap out. Has that changed?
A lot of the time, they lock the slot to only their officially supported modules. Dell is rather notorious for doing that.
Hey, that's really timely for me.
I'm getting ready to set up a mesh network for my older parents as well. Do you have any suggestions for hardware and software? I live a ways away from them so I need this to be pretty much faultless. I don't want to drive 4 hours for IT support.
Go unifi and manage it remotely.
My paranoia goes against this idea. How sure are you that the remote management is hardened? Assuming that disabling external control is actually effective, that seems like it removes most practical exploits one would encounter. A network configuration for a non technical person should be so simple it does not require regular maintenance.
The TP-Link option was great. If it was for myself, I'd build my own with OpenWRT but my goal was to minimize the chance of downtime in case I'm not available to help debug issues. They already had a TP-Link range extender running for 4+ years without ever needing to touch it, so I figured their mesh network was a good option too.
ASUS routers with Merlin firmware work well in a mesh configuration.
Do any of TP-Link's mesh routers support OpenWrt? I didn't think there was overlap between the "easy to set up for my parents" and "easy to install custom firmware" subsets.
From what I could tell in the admin panel, those mesh routers _are_ OpenWRT. And they have an advanced section where you can upload a firmware .bin.
OpenWRT runs well on Deco M5 with a custom build.
https://forum.openwrt.org/t/ipq4019-adding-support-for-tp-li...
Assuming there isn't a hidden little core running a hidden little OS somewhere.
Yeah companies should be held guilty unless proven otherwise. Of course you can never actually prove anything, so they are all guilty by default. /s
You can't bootstrap nearly any embedded ARM SoC and run Linux without running some closed Chinese blob just to bring it up lol
And in reverse, you think Palantir has a transparent business model to trust with your data? I don't get why people find China more suspect than most of these billionaire-led monopolies buying politicians and laws and spouting paranoid gibberish about Christianity and the Antichrist etc.
Both might be fundamentally evil or being, but they aren't different in danger based solely on how white they are.
Both can be bad at the same time
Right, but one is "white" and the other is "dark"
What about whataboutism?
And yes an American company in cahoots with the government having the ability to snoop on traffic and turn entire networks off, while bad, is nowhere near as bad as a Chinese one having the exact same capability.
The US company and the US government are 1000x more likely to leverage their position in an antagonistic way against US customers.
Their hypothetical does have weight, though. Damn near every desktop/laptop computer does have "a hidden little core running a hidden little OS" nowadays, after all.[0]
Obviously this particular one isn't in non-Intel equipment, but...
Devices from companies under direct or implicit CCP control should indeed be considered suspect until proven otherwise. Not just them, but them much more than local ones.
Of course there is probably a hidden little os running on hidden core within the hidden hardware running the hidden os.
China isn't the major threat for consumer routers; it's crappy firmware. Millions of networks have been compromised from non-state actor attacks on crappy consumer routers. You wanna protect America? Impose a software building code on critical network infrastructure (which should include consumer routers and modems). But they aren't gonna do that, because they're just trying to score cheap political points and put pressure on China for trade concessions.
Seemingly every year there is yet another Cisco vulnerability because of hard coded passwords. One as recently as July 2025. The entire network industry seems to YOLO the code running the world.
[0] https://sec.cloudapps.cisco.com/security/center/content/Cisc...
It would be great to use this moment and do something like the Cyber Resilience Act (CRA) to force companies to deal with the cybersecurity issues.
This is unfortunate and another sign that perhaps the "West" is unable to compete. TP Link for what it is... is a great product for home use and maybe even small office. Performance and price is unmatched and I have found they hold up over time pretty well. The price point of Linksys/Netgear products is not even close. To ban the products under some bogus "security" concerns just leads me to believe on this side of the world a slow decline is in full effect.
The problem is that you just don't know.
Some of these bans are a matter of political operatives stoking vague fears for personal or ideological gain. That was almost certainly the story about the TikTok ban. And some of it is actual intel that will get declassified in 50 years. That may be the story behind Huawei.
Given that this administration likes to use the threat of bans and tariffs pretty liberally, it's probably the former, but look at it this way: the US govt is known to have shipped backdoored networked hardware to overseas customers they wanted to snoop on. In China, the govt is more authoritarian and more integrated in the industrial supply chain; I'm sure they do that shit too, because why wouldn't they.
> That was almost certainly the story about the TikTok ban.
At one point, the TikTok ban polled at 50%. "Certainly" couldn't be further from the truth.
> In China, the govt is more authoritarian
Gonna need a citation on that one
I think there is no real doubt that the fact is true. What you perhaps refer to is the rate of change, and I'd agree with you that the US is doing far worse in that regard.
First DJI, now TP-Link. What is the endgame here? What will the American consumer technology market look like after all the best and cheapest products have been banned because they are Chinese, or have alleged links to the Chinese government? What will be the impact on the next generation of American engineers and scientists after growing up in an environment deprived of tech the rest of the developed world freely enjoys?
The large number of Chinese products currently permitted in the U.S. demonstrates that the bans were imposed not because of their nationality, but because confirmed security risks were identified.
The company's issue is not its country of origin, but its history of installing backdoors and its public declaration to abandon fixing security flaws for numerous devices still in use.
The issue started to be pointed out by numerous independent tech news outlets and communities far more than a year ago. Do you have a basis to argue otherwise?
> its history of installing backdoors
If TP-Link is known to have intentionally installed backdoors in its products, that is news to me. Can you provide a source for that claim?
Vulnerabilities have been found, of course, but that is hardly unique to TP-Link, and the existence of a vulnerability does not imply that it was put there intentionally.
> its public declaration to abandon fixing security flaws for numerous devices still in use
I have several machines that are still running Windows 10 and are (according to the Windows software) not eligible to upgrade to Windows 11, let alone for free. The Microsoft software informs me that I will no longer receive security updates on these machines.
When will the US government ban Microsoft products from sale in the US?
---
Still, I have much more context on the DJI ban. The law that will place DJI on the FCC's "covered list" states that if DJI is not audited by a (unspecified) US government agency, DJI products will be placed on the covered list and so be ineligible for FCC certification starting (IIRC) Jan 1 2026. In other words, the law was cleverly written such that nobody actually needs to do an audit to determine what nasty things DJI is actually getting up to; if nobody raises their hand, the ban will happen automatically.
---
Do not take me for an enthusiastic supporter of DJI, TP-Link, other Chinese companies, or the way America's political and business leaders have generally pissed away our technological advantage over China in the name of enriching themselves in the present (now past). I am, in fact, livid. But we will not dig ourselves out of this hole by becoming a backwater where Americans' relationship with consumer technology is as if they are living in a sanctioned country.
Yeah but it’s not like every Chinese tech product is being systematically scrutinized by the US government. It’s more like one gains attention and then everyone piles on.
It will probably look like our EV car industry, where the tech is somewhat on par and ahead in some places, but very overpriced and missing out on key innovations, i.e. battery technology in the case of EVs.
You forgot Huawei.
I have TP-Link Decos for our WiFi, sitting behind a Firewalla Gold. This has been by far the nicest, simplest at home setup I've ever deployed. Do I love that I chose TP-Link? No. But price to purpose it was the best product available to me at the time.
If TP-Link gets banned, my concern is what that means for the massive market share in the US. Warranty? Software updates? Or maybe that action is what turns them into an agent of the state. Or do you hoard all the hardware until it's valuable like DJI parts are today?
My guess is they’ll be forced to sell their US division to whatever company gives the government the most money (sort of like the Oracle-Tiktok deal).
I thought it was the Chinese owner of Tiktok that got paid money.
What is your evidence that the US government was paid any money as part of that deal (over and above any taxes that would have been incurred by any sale of any business)?
He's referring to whoever paid in America to be gifted the largest propaganda platform.
I'm sure money also went to Chinese owners.
"Gifted" would be misleading if (as I suspect) the entity that ended up with American Tiktok is the entity that won a bidding war to make the most attractive offer to the Chinese owner.
> whatever company gives the government the most money
If only! Unfortunately it's whatever makes the Party leadership the most money.
Funny how the association of "party leadership" is with some socialist regime, while we're talking US politics.
The U.S. is the bigger threat anyways. This just feels like America is coming online as a mafia state and wants their cut and their backdoors in things, otherwise they’ll destroy your business.
To be fair, I think this is most countries, they just don't have as much political power as the US. The UK's Online Safety Act is a good example.
My country (Australia) tried to legislate in 2016 that no one is allowed to use encryption, and if they were required to, for other obvious reasons like for medical data, then they were required to code in a back-door for law enforcement.
Prime Minister (at the time) Malcolm Turnbull announcing it: https://www.youtube.com/watch?v=i326eNOa6Us
The above is just the announcement and doesn't include answering media questions wherein we would have heard dear Malcolm's famous quote:
"Well the laws of Australia prevail in Australia, I can assure you of that. The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia"
Very quiet audio of the last half of the above quote: https://www.youtube.com/watch?v=8VB3uQHa14g
Political understanding of mathematics and encryption has not progressed in the intervening 9 years, much the same as the thirty years prior. Regulating internet security is forming a similarly unfortunate trajectory.
An empire in every way except name.
TP-Link bribe/lobbying in 3, 2, 1...
I recently bought a TP-Link Omada ceiling mountable access point, which has been working great. My Ubiquiti APs are due for an upgrade and the Omada (for a separate network), at half the price of roughly equivalent Ubiquiti APs, is impressing me so far.
(The Ubiquitis have been rock solid for years though, no complaints whatsoever).
Netgear (US) and D-Link (Taiwan) were consistently disappointing enough that I swore off them many years ago, and buyers-remorse-PTSD prevents me from reconsidering them ever again.
I've found the Ubiquiti devices to be somewhat overly complex and generally overkill for all home networks I've ever used them for. All the graphs and stuff tickle a nerdy nerve somewhere in me, but honestly I can get equally stable networks for less than a quarter of the price, without all the fancy bells and whistles that I only enjoy for about 2 hours after installing anyway.
The ones I have were purchased back when Ubiquiti was trying to gain market share and get their name out there, so it didn't have the more premium price tag it enjoys now. The setup was complex, but I'm a bit masochistic like that, and I also needed device roaming to work properly and, however Ubiquiti achieved it, it has worked really well for me for a long time.
I only just logged in to the controller interface yesterday again after probably six months or so, when I was checking in to see if there were firmware updates. Once it's set up there's very little maintenance, but the initial setup can be intimidating.
I was thinking - wonder if anyone in Trump's inner circle took a short position on TP-Link before this? There's a lot of people who seem to have amazing insights into policy positions the US government is about to take.
Virtually every home router and a whole lot of small business routers should be considered “national security risks”.
TP-Link may be sore for getting singled out but they are certainly not unique.
There are many many risks.
If TP-Link is pathologically creating insecure products -- through incorporation of enemy government backdoors or through other improperly handled security vulnerabilities, they deserve to be singled out as making the problem worse and imposing potentially wild cost of risk-mitigation on others.
Similarly, AI (just speaking about current AI), and the reasonably-predictable future AGI / super-intelligences (remember: more than one!) will present humanity with enormous risk, and we'll (humanity) have no choice but to spend the unbounded cost to mitigate that risk.
German AVM FRITZ! is quite good at security maintenance.
Are there US equivalents to them?
People worried about routers, meanwhile nearly every damn employee at Intel from the CEO to the janitor is Chinese.
The Intel ME chip is running its own OS on every single Intel chipset, even when the computer or laptop is shut down, and accessible directly through attached Intel WiFi or network cards. With full memory access, with no way to turn it off.
https://en.wikipedia.org/wiki/Intel_Management_Engine
The totality of reassurance we have about it is Intel's promise that they won't put a backdoor in.
Asking: Chinese the ethnicity, or Chinese the nationality?
And, why exaggerate?
I get the sense of concern for strategic vulnerabilities - I feel that is a valid, and a separate topic to ascribing cause / blame / hypothetical bases for solution-making.
I don't get what to make of this. Is it all just security theater? The idea of having consumer networking hardware that isn't riddled with security vulnerabilities seems to be a ship that sailed long ago. I doubt this move will prevent major nation states from hacking into whatever they want.
> The company says it researches, designs, develops and manufactures everything except its chipsets in-house.
So, the plastic bits?
Presumably the software, the boards, connectors, antenna design, etc.
> connectors, antenna design
And also passives like SMD resistors. They are also refining copper and iron from raw ore. /s
They actually make their own iron in the heart of a dying star.
They actually manufacture a synthetic star from which they gather their elements.
That is an excellent scifi plot point, I would read that book.
As a hardware founder, low quality plastic is not rocket science. On trips to China I’ve heard similar things about other companies, specifically that Foxconn makes everything it uses, including things like coolant or plastic for prototype production.
I don't think they were saying the plastic bits are rocket science, proverbially or not.
Does anyone know what their chips are doing? Do you, really?
Until we have desk side silicon fabrication/placement, with accompanying tunnelling microscope features, we simply cannot trust our silicon in any way other than through utterly peaceful means, which is to say, through systems of human trustworthiness.
Technology never allows us humans to advance sufficiently well to do without it .. unless it is evenly distributed.
Right now we are all at the mercy of the masters of silicon. This is no joke!
Even with desk-side silicon fabrication, one would have to hope the hardware/software with the design tools wasn't already backdoored…
Reflections on trusting trust...
Absolutely. We'll never be 100% free until we can fabricate computers at home, just like we can write our own software at home.
You can measure input and output with commodity equipment. That will give a good, but admittedly incomplete picture of what the chips are doing.
> the U.S.-based company’s products handle sensitive American data and because the officials believe it remains subject to jurisdiction or influence by the Chinese government.
These cowards have not yet finished banning TikTok
Because Jeff Yass asked Trump not to
OpenWRT is the way to go. If it doesn't run on it, I'd skip such a router.
OPNsense on a dual-NIC mini PC, then your WiFi comes from dumb APs.
Separating routing from WiFi has been the best thing I’ve ever done for my network.
OPNsense is decent too. Problem is that running anything open on those APs will still be a mess unless they support something like OpenWRT ;)
Separating router from the AP was something I considered too for building a 10 Gbps network, since I haven't found any WiFi router that could also handle 10 Gbps wired without some accelerator chip requiring non-upstream mess to work.
I don't get the end game here. D-Link isn't any better. Are we heading for ISP-enforced hardware in our homes?
God help us.
Made by a company whose boss contributes to Trump's re-election campaign obv.
I've been really happy with the TP-Link smart plugs. I keep upgrading them as The Latest Standard That's Definitely The Real One This Time Trust Us Bro comes out, and the Matter ones are excellent. Getting an instant response from them is really nice. I see no reason to buy others.
I would buy only Hue but that's because I have more money than sense, and they don't actually make smart plugs last time I looked, they make plugs but label them all as lights in the app, which is more annoying than it sounds.
The real problem to solve ditching TP-Link _routers_ is that all routers are uniformly fucking awful, and all you are doing is choosing your particular poison. This is especially true after Apple exited the game so long ago. I use Google Wifi because it mostly works most of the time, but that's not glowing praise. But the world has become trained that rebooting a router once a week and praying that it works when it comes back is a perfectly normal state of affairs and we couldn't possibly do this any better.
> I would buy only Hue but that's because I have more money than sense, and they don't actually make smart plugs last time I looked,
Ikea makes Zigbee smart plugs with power monitoring (Inspelning) that are ~10 Euro here (probably $10 in the US). Also Zigbee does not have all the security issues, since it is purely local and will talk with whatever hub/bridge you choose, e.g. Homey, Hubitat, or if you want to go free software Home Assistant or zigbee2mqtt.
It's somewhat insane to me that people use WiFi plugs for actuating things that actuate real-life electrical devices. Even more from companies that have a bad security reputation. Zigbee or Z-Wave all the way or possibly Matter over Thread, but the only Matter device that I had (an upgraded Eve Energy plug) has been a pain.
> The real problem to solve ditching TP-Link _routers_ is that all routers are uniformly fucking awful, and all you are doing is choosing your particular poison. This is especially true after Apple exited the game so long ago.
I switched to Unifi gear (Cloud Gateway Max, two of their U7 access points, and a bunch of their managed switches) and they are a dream to set up. Making VLANs, associating VLANs with SSIDs, etc. is so easy. I had a TP Link managed switch and the interface was a huge pile of crap and I saved it several times after misconfiguration by virtue of it having a serial console. I only used it for two months or so because it was so frustrating.
IIRC Ikea's Zigbee range has been discontinued in favour of Matter.
They just announced the Matter range, it isn't even in stores yet. I was at the Ikea store yesterday and they still had a good stock of Inspelning and most likely they will still have for a while (they only introduced it a year ago and it seems quite popular).
At any rate, Matter over Thread is still much better than WiFi security-wise (even though it's IPv6 routable) and Ikea's Matter over Thread plug will probably be similar price-wise. And the good thing is that probably even more people have a thread border router (Apple TV, HomePods, some Amazon Echo, Google TV Streamer 4k, etc.).
Still, these Ikea plugs are so cheap and Zigbee is extremely nice, so it doesn't hurt to buy and stock ten now for the future :).
I have some TP-Link smart plugs and was happy with them for a long time because their app could be used without an account. Then I recently got the new version of the app and it forces an account, there's no more guest mode. I'm done with TP-Link now.
The whole Tapo/Kasa interop thing was badly handled too a few years back. Put me right off, when most were dangling the seamless integration carrot to distract you from the vendor lock-in.
> all routers are uniformly fucking awful [...] the world has become trained that rebooting a router once a week and praying that it works when it comes back is a perfectly normal state of affairs
My OPNsense router currently has 74 days of uptime, and that's just because I ran an update 74 days ago. I've never rebooted it to solve a problem. The only wrinkle is OPNsense (and pfSense) is at least an order of magnitude more complicated than your average consumer router.
OTOH, my Ubiquiti access point reboots itself every time I change any setting at all.
> all routers are uniformly fucking awful,
The mikrotik I've been using has been pretty solid, and super super customizable.
Eve smart plugs are solid and don’t have any unnecessary cloud stuff.
I bought a dedicated router and separate WAPs and cable modem and it works really well. The converged devices are terrible though.
I was about to upgrade my router. Should I buy it now before it's banned, or not buy one that's about to be banned cause support/updates will be difficult?
TP-Link routers are consistently the Wirecutter consumer pick. They've always done me fine, although it's time to upgrade my 6-year-old one (which probably demonstrates I'm not a router power user).
TP-Link produces solid and affordable network equipment. A great value for the money, which makes their products a popular choice for many customers around the world. But as almost all hardware vendors out there, TP-Link has weaknesses in their software. In a way, they are victims of their own success and popularity. I wish them to get their software security act together.
Banning such a bright tech company is totally unwarranted, unless there is proof of their intentional wrongdoing.
Per-company government acquisition "bans" are stupid for PR and security reasons. Brand-specific banlists are whack-a-mole when the same hardware and software will be immediately duplicated with another cat-walks-on-keyboard brand name that will disappear within a year.
Instead, there should be in-depth, enforced audit, compliance, and evaluation standards for gear for particular purposes. If it doesn't meet particular standard(s), then it can't be purchased or used.
It's kind of curious that any topic on HN that involves China seems to devolve into how terrible and bad America is.
I guess it's another one that depends on your perspective, because I was just thinking how any HN topic that involves China seems to devolve into how terrible and bad China is!
Wow. Where are the actual details about the threat, what models are affected etc? How to mitigate the threat? Totally useless.
> Where are the actual details about the threat,
I think the Chinese do not want American backdoors in their products.
I'll just leave this little NSA intercepting Cisco products reminder here: https://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa...
But Sir! We are talking here about the USA <eagle sound> versus the rest of the world that's unsafe and all the time attacking USA people's privacy. Cisco is India based, not American!
disclaimer: not connected in any way with Cisco, just disappointed business customer.
Reminder that <eagle sound> is actually the call of a red-tailed hawk, and that the actual call of the bald eagle is far less impressive.
SSL added and removed here! :)
> NSA intercepting Cisco products
They could have searched on the internet for the backdoor password. /s
We are unfortunately getting to the point where the only option for non-power users will be to create an online account to run local hardware you own; just like Windows 11.
I run OPNsense with a collection of Unifi radios (local controller) with great success.
If we throw out everything that is a vector for a Chinese supply chain attack / supports them economically then there won’t be any tech in the West
This feels like the painkiller autism thing. Some crazy's theory became law.
I've largely given up on trying to secure networks for people when they just run overt compromises.
What does this really matter when everyone is running agentic AIs on all of their devices?
Installing "apps" that have access to everything on a device?
Those same "apps" record everything around the device and upload that to the "cloud"?
For the average user, security doesn't even matter any more. I used to say people are running around in plain text mode, but it looks like that has been degraded to broadcast mode.
Try to only use open source networking equipment. It's also possible to piece it together rather than buy closed source, vulnerable hardware.
Librecmc/Openwrt is great for security and privacy.
With Librecmc, it doesn't contain non-free blobs and uses a Linux libre kernel.
This is a very one sided article. Shouldn't there be a comparison with TP-Link and all other brands available in-terms of security? Otherwise they're just targeting a company for political reasons.
The article is in response to a very one-sided government ban (well, reported ban) on TP-Link products. The company is being targeted for what appears to be political reasons, the article even said so in the first paragraph:
Experts say while the proposed ban may have more to do with TP-Link’s ties to China than any specific technical threats
It's a very lukewarm response TBH. I would expect a more authoritative opinion instead of rehashing what "experts say".
YOU are the security expert Brian, so stop writing like CNN Tech.
> Shouldn't there be a comparison with TP-Link and all other brands available in-terms of security?
No. Regards, Cisco
One more thing to note about TP-Link today is that they don't just abandon firmware updates but also switch chips and hardware.
For example, they will call some device Deco / Archer ABC with a Qualcomm chip that's latest and greatest. They might sell it for $499, for example, and then let reviewers do their thing to review these products everywhere with 5 stars. Great!
Six months or maybe a year down the road when the product starts getting traction as people start buying new WiFi standards like 6/6E/7 etc. they will swap out the chips inside and launch a v2 of that same product with either mediatek chips or a slower Qualcomm SOC. This affects performance and stability and it also drives down the pricing with cheaper hardware.
This has been done a lot with Deco units. Reviews are for original v1 hardware but what's being sold is a different hardware completely. Not only is this a firmware problem but keep in mind such practices really show lack of trust.
Great example of how to lose trust in a brand.
Previous reports blaming TP-Link for being slow to patch a CVE were already outdated, as the CVE got patched. Yes, TP-Link products are receiving updates if they are not EOL. And even US products are vulnerable when EOL.
Seems more like heavy lobbying to get their US market share here rather than looking for secure products.
Also, regarding the report from Check Point over firmware used to attack the EU: the malware is firmware agnostic, as it can be used for other hardware.
I don't have any particular opinion on TP-Link (never used their products), but the idea that a low-cost vendor targeting home and SMB users is somehow a state-level agent trying to compromise those users... needs evidence.
I mean, in the case of actors like Huawei, you can at least credibly make the argument that the continued access of their support staff to internal provider networks is a significant risk, but that vector is entirely absent here.
Sure, embedded firmware has been, is, and will continue to be a tire fire prone to embarrassing compromises, but containing those is mostly about notification and containment by government agencies (which the current US administration is doing their utmost best to kneecap) and/or large ISPs (which in the US have traditionally never cared).
Forcing "foreign" products off the market in favor of "domestic" replacements with the exact same, if not worse, flaws won't fix a thing, unless you put some pretty significant controls into place that nobody is willing to enforce or even outline.
But it does provide ample opportunity to profit personally, and that’s much more of a priority for the current federal administration than fixing anything.
^^^THIS 100%. They are manufacturing low-cost products for home users. That is, if these claims are true, they have neglected a poignant question, why would they bother? They are targeting poor people's personal data, not businesses, not high-profile people, not government bodies.
"TP-Link Systems told The Post it has sole ownership of some engineering, design and manufacturing capabilities in China that were once part of China-based TP-Link Technologies, and that it operates them without Chinese government supervision."
Is that even possible? Or do you always have to be on good terms with the Chinese government to own engineering, design, and manufacturing capabilities in China?
I'm hoping this encourages grey-market imports from Canada and Mexico. Become Brazil and smuggle in orders for all your friends and family when returning from your next vacation.
Regardless of what TP-Link says, the damage is done. I was recently looking for a bigger switch. I went with a used switch instead of buying a new TP-Link because I don't trust them. Now I just need more projects to fill my extra ports on the 24 port switch haha
An unmanaged switch is not going to realistically have exploitable vulnerabilities, the chances of that are dim.
A router, a managed switch or something having an OS is another story.
It's managed. I don't know, but I would bet that unmanaged switches have vulnerabilities too. Maybe they just aren't targeted.
What vulnerabilities would you imagine there to be in an unmanaged (aka: dumb) switch? Someone can force the switch to flood all traffic to all ports?
Bearing in mind that switches generally have special-purpose hardware that's responsible for handling switching, I find it unlikely that cheapass dumbswitches have enough CPU to copy LAN data and send it out to a remote system at any useful speed.
Also, next time you're looking for a switch (or if you're still within the return period for your used switch), consider Mikrotik switches. I've had four CRS326-24G-2S+ units for three, maybe five years now and I'm quite happy with them. However, I know nothing about their routers or WiFi APs.
"What vulnerabilities would you imagine there to be in an unmanaged (aka: dumb) switch?"
Probably stuff related to how they handle the MAC table and VLANs.
They aren't usually accessible until the network is compromised.
TP-Link cheap consumer configurable switches used to have, IIRC, a VLAN permanently available on all physical ports, giving access to everything going through a switch. After many complaints, they "upgraded" the firmware to support disabling the VLAN from the GUI, though it remained default enabled, and included a note with something like "we only had it that way because customers demanded it".
By "a VLAN permanently available" do you mean something like "all frames traversing the switch got a VLAN tag (whose ID was hard-coded) slapped onto them"?
If not, I'm not sure what you mean, as a cheapass dumbswitch always allows access to everything going through a switch. It's been my experience that any dumbswitch that can handle jumbo frames will fail to act on VLAN-tagged frames and just pass them through unmolested. (Ones that cannot handle jumbo frames might drop "large" VLAN-tagged frames on the floor.)
I don't like the terms "dumb" or "smart" when discussing switches, because it isn't very useful.
The term "configurable" is more useful, because it means that the switch can be configured (vs. non-configurable switches that may also be "smart", i.e., a "dumb" switch is really just a hub).
IIRC, the TP-Link models with this "feature" hard-coded into the GUI would enable a VLAN on all physical ports with VLAN enabled.
Oh, and it was fixed with a firmware update, so it's not like there was some hardware limitation.
> TP-Link models with this "feature" hard-coded into the GUI would enable a VLAN on all physical ports with VLAN enabled.
That's a slightly strange feature. I guess it was to cope with downstream switches (or administrators(!)) that refused to assign an administrator-assigned VLAN tag to untagged traffic?
> I don't like the terms "dumb" or "smart" when discussing switches, because it isn't very useful.
In the lore that I'm familiar with, there are three general categories, "dumb", "smart", and "managed". The boundaries between the latter two categories are fuzzy... with "smart" switches tending to offer you very little configurability, and "managed" switches offering you nearly everything you'd expect from an Enterprise switch.
It's true that the difference between "dumb" and "not dumb" switches is that the former offers no end-user configuration, but how do you succinctly distinguish between a switch that offers -say- only the ability to force link speeds on specific ports, and a switch that offers link bonding and IGMP snooping and VLANs, and etc., etc., etc.? Use the terms "Prosumer" and "Enterprise"? [0]
But yeah, naming is hard... case in point:
> vs. non-configurable switches that may also be "smart", i.e., a "dumb" switch is really just a hub
Perhaps this was a brain fart on your part, because that's completely incorrect. An Ethernet hub does absolutely no filtering... all traffic that enters on one port is flooded to all other ports on the device. This means that Ethernet collision detection is essential for operation when attached to a hub, and total throughput decreases sharply when one has many chatty stations on one's LAN. The feature that distinguishes a switch from a hub is that a switch doesn't flood unicast traffic because it learns which ports have which MAC addresses behind them and routes traffic based on that information.
[0] Though, if I were king of the world, every consumer-grade switch would have the features of a low-to-mid-range managed switch. While I understand why things are the way they are, it's a crying shame that dumbswitches are the norm.
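The hub/switch distinction above (a hub repeats every frame out every other port; a switch learns which MAC sits behind which port and only floods unknown destinations) and the earlier point about VLANs confining traffic to a set of ports, as an added simulation that is not part of any commenter's post. It models only port-based (untagged) VLAN membership; the MAC addresses and port layout are constructed for the example.

```python
from collections import namedtuple

Frame = namedtuple("Frame", ["src", "dst"])
BCAST = "ff:ff:ff:ff:ff:ff"


class Hub:
    """Repeater: every frame is copied to every port except the ingress port."""

    def __init__(self, ports):
        self.ports = ports

    def forward(self, in_port, frame):
        return sorted(p for p in self.ports if p != in_port)


class LearningSwitch:
    """Learns (vlan, source MAC) -> port; forwards known unicast, floods the rest.

    Flooding is confined to ports in the ingress port's VLAN, which is what
    keeps two VLANs on one switch from seeing each other's frames.
    """

    def __init__(self, ports, port_vlan=None):
        self.ports = ports
        # untagged VLAN of each port; everything in VLAN 1 unless told otherwise
        self.port_vlan = port_vlan or {p: 1 for p in ports}
        self.mac_table = {}  # (vlan, mac) -> port

    def forward(self, in_port, frame):
        vlan = self.port_vlan[in_port]
        self.mac_table[(vlan, frame.src)] = in_port  # learn where src lives
        if frame.dst != BCAST and (vlan, frame.dst) in self.mac_table:
            return [self.mac_table[(vlan, frame.dst)]]  # known unicast: one port
        # unknown unicast or broadcast: flood, but only inside this VLAN
        return sorted(p for p in self.ports
                      if p != in_port and self.port_vlan[p] == vlan)


def trace(device, frames):
    """Egress-port list for each (ingress_port, frame), in order."""
    return [device.forward(port, frame) for port, frame in frames]


# constructed hosts: A on port 1, B on port 2, C on port 3, D on port 4
A, B, C, D = ("02:00:00:00:00:%02x" % i for i in (1, 2, 3, 4))
# A talks to B, B replies, A talks to B again
CONVERSATION = [(1, Frame(A, B)), (2, Frame(B, A)), (1, Frame(A, B))]


def hub_vs_switch():
    ports = [1, 2, 3, 4]
    return trace(Hub(ports), CONVERSATION), trace(LearningSwitch(ports), CONVERSATION)


def vlan_isolation():
    # ports 1-2 in VLAN 10, ports 3-4 in VLAN 20
    sw = LearningSwitch([1, 2, 3, 4], {1: 10, 2: 10, 3: 20, 4: 20})
    # C (VLAN 20) addressing A, then broadcasting: port 1 never receives either
    return trace(sw, [(1, Frame(A, B)), (3, Frame(C, A)), (3, Frame(C, BCAST))])


if __name__ == "__main__":
    hub, switch = hub_vs_switch()
    print("hub    :", hub)            # floods every frame
    print("switch :", switch)         # floods once, then forwards directly
    print("vlans  :", vlan_isolation())
```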
I don’t like that TP Link routers regularly force you to accept new terms of service within their app. If you don’t, then you can’t access much of their configuration options. Basically you get locked out of your own device. I feel like these dark patterns should be illegal.
I don’t even know what my software/hardware can (be exploited to) do (given that they are not formally verified).
Does it mean that I am an enemy of the state?
I am surprised at the amount of people on HN who don't use OpenWRT. I thought this was hacker news!
Seems hard to overestimate their market when if you go to Walmart 75% of the routers they have in stock are TP link
It's a bit of a racist trope to see the Chinese as more sophisticated in the way they handle international relations, especially compared to what's currently going on in the US. The Chinese are totally capable of being boorish and loud and offensive. They even had a name for this trend: "Wolf Warrior Diplomacy." You might think that's something Pete Hegseth invented.
Salt Typhoon is a serious ongoing attack on lawful intercept systems in telecom networks. There's nothing any individual can do to protect themselves from this, and it's probably deployed everywhere that US style lawful intercept specifications are implemented in telecom networks.
Of course the irony is that domestic surveillance is the attack surface for this exploit.
I would like to be able to weigh the risk of a TP link router being a national security threat against something like Salt Typhoon. But there's a lack of transparency that makes that impossible.
If only there were US manufacturers that could produce things at a decent price and didn't actively hate their customers.
Eero used to be pretty close. Years ago, I used to stalk the subreddit despite never owning an Eero just because the (US based) devs would often drop knowledge bombs. AFAIK they wrote the entire software stack in house.
I have no idea if that's still the case, especially post AMZ, but worth looking into if so.
Eero was great before they were purchased by Amazon, cut to the bone, and went to shit as Amazon capitalized on their brand cachet. I miss them so :(
Are you speculating or do you have actual evidence of layoffs or other large cuts stemming from the acquisition? Link to old news articles perhaps?
I doubt the old guard was super pleased with the acquisition and many probably left voluntarily after seeing their dreams of profitable exit abruptly become acquihired by AMZN. But I don't actually know anything about what happened then. (I'm presently at eero, joined long after the acquisition... FWIW my experience isn't really consistent with your claims)
You have the inside track so I'll defer to most. But on /r/eero the devs (specifically one in particular) always responded and were very engaged with the community. That sort of thing is only possible in a small passionate company. I don't trust any Amazon hardware in my home so I am curious if they're as good as they were. What is your experience like working there?
Addendum: looks like rank-and-file employees were screwed and the execs cashed in hard[1]. There was a lot of attrition after that. So I guess Amazon didn't have to lay people off, they did it themselves.
[1] https://mashable.com/article/amazon-eero-wifi-router-sale
This was all before my time. I don't have the impression quality has deteriorated from past gens of the product, quite the opposite from where I'm sitting.
Working there is interesting. AMZN corporate can be a drag but I imagine that's true for any FAANG or part of any large company.
I miss the insider information. Some Redditors were not nice and they all left Reddit and their insider information stopped flowing, it's a shame, it was cool to see behind the development veil.
The fact that TP-Link products are vastly better and cheaper than all their numerous competitors is indeed a bit strange. You have to either think that all the people at Linksys, Netgear, D-link, etc. are incompetents or that something a bit out of the ordinary is going on at TP-Link...
I see that at the company I work at. US management at many companies is about doing the absolute minimum for a maximum of profit. It doesn’t allow for competence or long term investment so companies turn into empty shells.
It’s not that unheard of. Does anyone make a better $999 laptop than Apple? Nope, the MacBook Air is faster and gets better battery life with zero fans and basically nothing on the market compares. That doesn’t make Apple “suspicious” more than any other company.
TP-Link is the best for the same reason Apple is the best. They just have the momentum of being in the lead.
I would also say that TP-Link isn’t wildly and unrealistically cheaper or anything.
Their prosumer/business Omada lineup is clunky and kinda sucks compared to Ubiquiti.
Zyxel WiFi 7 APs are more competitively priced than basically anything last I checked.
the other companies want higher profit margins.
> You have to either think that all the people at Linksys, Netgear, D-link, etc. are incompetents
They are. "Profit oriented". I bought a D-Link router once. Only one (1) port out of 4 was working. Great product, I never want to see something like this again. /s
> I bought a D-Link router once. Only one (1) port out of 4 was working.
Did you return that obviously damaged merchandise for an undamaged replacement? If not, why not?
I’m sure there’s some way to inject advertising - otherwise it’s just leaving money on the table.
I'm old enough to remember most cable modems and set-top boxes being manufactured in the US.
They were... not great...
I am pretty sure the companies that made those, which had a monopoly on them and charged $500 apiece, went bankrupt too.
There is, but corporate greed doesn't allow it.
I don't see anything here that suggests TP-Link is especially bad at security. What I do see is anti-China fearmongering by GOP officials.
OpenWRT for the win!
The main reason I will never buy any TP-Link consumer shit again was that I could not set up the router without having direct internet access (no way to set it up as LAN only). And buying stuff that depends on internet services that shouldn't need to is a hard no for me.
Trump is getting a golden router isn't he?
TP-Gold router with polished surface so that the greatness could be fully reflected to its radiant carrier. Amen
The US government is becoming another Soviet Union.
People in the comments are missing a point.
This is a political move; if we apply the security-concern reasoning to anything, it would affect 80% of the things the US consumes, since they directly and indirectly come back to China as part of the supply chain.
It's just another TikTok.
Could you please stop posting unsubstantive comments and flamebait? You've been doing it repeatedly lately. It's not what this site is for, and destroys what it is for.
If you wouldn't mind reviewing https://news.ycombinator.com/newsguidelines.html and taking the intended spirit of the site more to heart, we'd be grateful.
I'm so glad there's other American drone manufacturers that cater to the consumer market, like Skydi-oh right, they stopped making consumer drones after the successes in forcing DJI out of the market.
and their mil drones are subpar
https://en.defence-ua.com/news/which_western_drones_have_sho...
https://www.defensenews.com/global/europe/2025/11/07/of-fibe...
>drones from the American company Skydio proved ineffective in Ukraine [notably, a Skydio drone was used by the U.S. Army to drop a combat grenade for the first time], as they were unreliable in front-line interference conditions.
>The problems with Skydio drones in Ukraine were reported last year, and the manufacturer acknowledged the poor quality of its products.
>According to Alex, a key issue with today's low-quality products is the "information gap among many European and American manufacturers about current battlefield conditions and the timing of when they receive this information."
Surprisingly
>Some of the most effective ones have included the German-made Vector drones and Polish-made FlyEye drones.
You're comparing apples to oranges here. The USA is supposed to be capitalistic, free market, yada yada. China doesn't make that claim.
The main point the comment you replied to is trying to make is that the US doesn't put their money where their mouth is.
No. But which nation claims to be all about freedom, and which is known for restricting individual liberties for (whatever the people in charge consider to be) the greater good?
It's really silly to judge nations on their claims rather than their outcomes.
The PRC restricts gun ownership, but to make your example less stupid, PRC shooting ranges have access to western-pattern arms vs the US, where civvies have more freedom to own guns but, you know... not sanctioned Chinese-origin guns. So even on muh 2nd amendment grounds, the PRC, within its right to play with guns (again, not own), is still less protectionist than the US. Which mirrors how, you know, almost every major US tech brand operated in the PRC with reasonable controls/oversight but not vice versa.
Please don't cross into nationalistic flamewar, and please don't use someone else's personal details as ammunition in an argument. Not allowed here.
https://news.ycombinator.com/newsguidelines.html
https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...