TP-Link routers, mesh systems, and range extenders frequently top our recommendation lists as some of the best-value networking products you can buy. So you might be alarmed by recent allegations that contend the products represent security concerns, and that TP-Link is keeping prices artificially low.
While the allegations are certainly concerning, they haven’t risen to the level of us pulling our recommendations. Not all TP-Link networking products are standouts, but we still feel confident in recommending the ones that are, such as the Archer BE230 and the Archer AXE75, our current top pick for routers. I’m the editor who handles networking hardware reviews and testing, and I’m here to tell you why.
What Exactly Is Going on With TP-Link Products?
Security researchers have long been concerned about potential vulnerabilities in networking products that hackers can exploit. Many of them involve brands that aren’t well-known in the US. A report from 2018 suggested that a hacker was eavesdropping on network traffic from more than 7,500 vulnerable routers from MikroTik, which mostly makes enterprise gear but also sells consumer routers in the US. But known vulnerabilities have also been discovered in products from many big-name brands, including TP-Link: Researchers discovered one in 2023 in the Archer AX21 Wi-Fi 6 router.
Potential vulnerabilities in routers made in China or with Chinese components specifically became more of a concern starting last year, when an influential report from the Hudson Institute, a think tank, suggested that Chinese-made Wi-Fi routers could be an entry point for state-sponsored hackers. The report mentioned, however, that there was no evidence of such involvement on TP-Link’s part.
“Indeed, any suggestion that Washington should mandate US-made routers or ban Chinese-made ones is beyond premature,” the report said. Still, it led federal lawmakers to call for the US Commerce Department to investigate TP-Link in August 2024.
In December, the Commerce, Defense, and Justice Departments did just that, according to a report in The Wall Street Journal, citing unnamed sources. The investigation was prompted by concerns, according to the report, that TP-Link doesn’t address security flaws and ships routers to customers without fixing potential exploits.
In response, TP-Link acknowledged that its products do contain vulnerabilities but insisted that the company was working with industry experts to mitigate them.
“We fully acknowledge that vulnerabilities exist across the industry,” a TP-Link spokesperson said. “However, contrary to claims of widespread vulnerabilities, comparative data places TP-Link on par with, or in some cases ahead of, other major industry players in terms of security outcomes.”
(Credit: Joseph Maldonado)
The investigation later expanded into a criminal antitrust probe, according to a report from Bloomberg News in April. Prosecutors are investigating whether TP-Link engaged in predatory pricing, according to the report.
No federal agency has yet commented on the reported investigations, and TP-Link has maintained that it is free of wrongdoing. The company says that its router division, TP-Link Systems, is headquartered in California and has no affiliation with the Chinese TP-Link Technologies. “These companies have entirely different ownership, management, and operations,” a spokesperson said.
Why We’re Continuing to Recommend TP-Link Products
That no government agency has confirmed that any investigations are actually in progress, coupled with TP-Link’s stance that it takes security seriously, is reassuring. But these are not the only reasons we’re continuing to recommend TP-Link networking products where appropriate.
The company tells us that Finite State, a software cybersecurity firm, reviewed its security practices and determined that TP-Link’s rate of vulnerabilities per product is significantly lower than those of other leading manufacturers, based on public vulnerability data such as CVE Details and VuIDB.
Get Our Best Stories!
Your Daily Dose of Our Top Tech News
By clicking Sign Me Up, you confirm you are 16+ and agree to our Terms of Use and Privacy Policy.
Thanks for signing up!
Your subscription has been confirmed. Keep an eye on your inbox!
(Credit: Joseph Maldonado)
TP-Link also tells us that it has not received any queries from the Department of Justice, which, according to Bloomberg, is conducting the antitrust probe. The company also said it does not sell its products below cost, and that it opens no back doors for spying.
“No foreign country has access to or control over our operations or customer data,” a TP-Link spokesperson said. “TP-Link operates in full compliance with US law and is committed to cooperating with government requests for information.”
In addition to TP-Link’s claims and assurances, we’re also basing our continued recommendations on our own deep cybersecurity expertise. It suggests that, based on available evidence, TP-Link’s products are certainly vulnerable to exploits, but not any more so than its competitors’ offerings.
“Any router, from any source, could be compromised at the firmware level,” said Neil Rubenking, our lead security analyst who has evaluated antivirus and other security software for more than 20 years and serves on the board of the Anti-Malware Testing Standards Organization (AMTSO). Rubenking said it would be possible for investigators to determine if TP-Link router firmware is compromised on a large scale.
“Disassembling firmware code and understanding what it does is totally possible, though it takes rare skill,” he said. “After analyzing the firmware of one router and finding it to be safe or not, [investigators] could simply take a hash of the entire code block and match it to other routers.”
Recommended by Our Editors
Private researchers routinely conduct such investigations, and if they discover flaws, manufacturers typically address them quickly. The fact that no such flaws potentially exploitable by state actors have been discovered so far, either by public or private investigators, gives us reassurance that TP-Link products aren’t uniquely compromised.
(Credit: maybeiii / Shutterstock)
Also, according to Rubenking, to make a given router more vulnerable than it would otherwise be, it would need to be physically accessible to a hacker before it is sold to a customer and placed into service.
“If that happens in the factory, well, it’s the easiest,” he noted. Rubenking is not worried about state actors doing something like that to compromise routers intended for consumers. But he sees a ban on government use of routers suspected to be physically accessible to hackers as reasonable.
We will continue to closely monitor the situation and adjust our stance as necessary. But, armed with the above knowledge and TP-Link’s current assurances, we’re confident that we can continue to recommend the company’s products to consumers for the time being. We also recommend networking products from many other brands besides TP-Link, such as the Synology WRX560 router for all-around performance, the Asus RP-AX58 range extender for people who own Asus routers, and the eero Pro 7 Wi-Fi mesh system.
Steps You Can Take to Improve Your Wi-Fi Security
Ultimately, our confidence in TP-Link products still relies on an uncomfortable reality: Networking devices, like any other devices that connect to the internet, have security vulnerabilities. Since nearly everyone has internet-connected devices, it’s critical to explore best practices for keeping them safe, whether they’re made by TP-Link or any other company.
This includes plenty of preventive measures, from setting up the latest WPA3 security on your router or mesh system to using proxy servers and VPNs to ensure no one can snoop on your internet traffic. You can follow easy steps to see who’s connected to your Wi-Fi and boot them off if necessary, and you can also take measures to protect yourself on public Wi-Fi.
Another uncomfortable reality is that you may very well get hacked. If you do, it can be a painful experience, to be sure, but we’ve outlined several ways to make sure it doesn’t happen again.
About Tom Brant
Deputy Managing Editor
