Could an internet router made by a Chinese company — and used in millions of American homes — harm U.S. national security? Three U.S. federal agencies are examining whether products sold by TP-Link could be used to facilitate cyberattacks. The probes could result in a ban that would upend the U.S. consumer router market, in which TP-Link is a top-two player.

The investigations into TP-Link follow years of increasing scrutiny of Chinese telecommunications firms, as hacking threats linked to state actors in China become more common in the U.S. and elsewhere.

In a bid to insulate itself, TP-Link has followed a well-trodden path: it is distancing itself from China. According to its website, the U.S.-registered TP-Link Systems has severed ties with China-based TP-Link Technologies, and now strongly denies any outside influence over its operations. 

“As a company headquartered in the United States, no government — foreign or domestic — has access to and control over the design and production of our routers and other devices,” TP-Link Systems’s website says.

But a review of corporate records shows that TP-Link Systems is run by a co-founder of TP-Link Technologies, who divested from the Chinese entity less than a year ago. The U.S. company’s owner is 56-year-old Zhao Jianjun, a Chinese citizen also known as Jeffrey Chao, according to corporate records filed with the California Secretary of State. He took over as chief executive some time in the fall; in November, his name made its first appearance on a form filed by TP-Link’s U.S. entity. A man named Liu Yongsheng had been listed as the firm’s chief executive as recently as July.

Zhao founded TP-Link Technologies in 1996 with his brother, Zhao Jiaxing (Cliff Chao), in Shenzhen, China. After coming to dominate the Chinese market — in 2007 it touted itself as the country’s top market share holder and largest manufacturer of “home and small/medium business networking products” — it entered the United States. TP-Link USA Corp. was registered in Irvine, California the next year; it changed its name to TP-Link Systems six months ago, corporate records show.

The name change followed a larger shift in corporate structure. Until May of last year, the two brothers owned almost all of Shenzhen-based TP-Link Technologies, according to WireScreen. But on May 10, Zhao Jiaxing acquired his brother’s stake in the company.

TP-Link Systems now makes no mention of its Chinese origin on its U.S. website, tp-link.com. TP-Link Technologies, the Chinese entity, has a similar URL, but ending in “.cn.”

A spokesperson for TP-Link Systems said the two businesses have “totally unaffiliated ownership and operations” and that TP-Link Systems does not sell products to mainland China.

Still, wings of the Chinese state have publicly supported TP-Link, without drawing clear distinctions between the American and Chinese entities. After the Wall Street Journal reported the U.S. government probes last month, Chinese state media denounced the investigation as “suppression of Chinese companies,” referring to TP-Link specifically as a “Chinese router manufacturer.” 

Chinese municipal governments have in the past awarded subsidies to TP-Link Technologies’s domestic subsidiaries. Last April, the government of Dongguan, a city in Guangdong province, gave one of them $0.5 million in funding to develop local operations, for example. 

I don’t think the Chinese government is going to say, ‘Oh yeah, we’re clearly involved in this company.’ We just cannot trust equipment coming out of mainland China.

Joel Thayer, a telecoms lawyer

It is too early to say whether TP-Link Systems’ maneuvers to distance itself from China will mitigate U.S. investigators’ concerns about national security threats. What’s clear is that American authorities do not see a lack of direct state ownership of Chinese companies as evidence of a lack of state influence. Bytedance, another privately owned Chinese company, now faces a U.S. ban on its app TikTok that is set to take effect in less than two weeks — unless President-elect Donald Trump succeeds in delaying it.

Many China hawks, and a growing portion of the bipartisan establishment, say having private ownership or setting up U.S.-based subsidiaries should not shield Chinese firms from scrutiny.

Creating an American entity “is literally what Huawei did, while we had Huawei USA,” says Joel Thayer, a telecoms lawyer who has called for investigating TP-Link since last January. “I don’t think the Chinese government is going to say, ‘Oh yeah, we’re clearly involved in this company.’ We just cannot trust equipment coming out of mainland China.”

The United States has upped its efforts over the past five years to pull telecom infrastructure made by Chinese companies from its networks. The most notable example is Huawei, whose equipment Trump sought to “rip and replace” from the United States during his first administration. The company still has a subsidiary in Silicon Valley, called Futurewei. 

The Biden administration has levied more restrictions on Huawei and pulled licenses for state-owned firm China Telecom’s U.S. operations. Last month, Biden issued a notice to China Telecom that the Commerce Department had determined its presence in American networks to be a national security risk, a step that could precede a formal ban. 

Yet these measures have not insulated the U.S. from cyber threats originating in China. The Chinese hacking group dubbed Salt Typhoon compromised the systems of at least nine telecom firms last year, according to White House officials. And as 2024 came to a close, the Biden administration said a Chinese state-sponsored actor had hacked the U.S. Department of the Treasury.

To be sure, sophisticated hackers can access routers made by many manufacturers. They use sites like shodan.io and censys.com to obtain router IP addresses, and code downloaded from sites like GitHub or Telegram to scan for vulnerabilities and lists of default usernames and passwords. Lists of cracked routers are also available for sale on the dark web.

Federal data does not show particular vulnerabilities — weaknesses in hardware or software that bad actors can exploit — in TP-Link compared to other router brands.

“All you need is an IP address,” says Hieu Minh Ngo, a Vietnamese hacker-turned-cybersecurity-guru who the United States once sentenced to 13 years in prison for stealing the personal information of 200 million Americans. He suggests using router brands known for cybersecurity, changing login credentials from the default settings, setting up multifactor authentication, and making updates to software and firmware when available.

He paused, then added one last recommendation: “And don’t use Chinese routers.”

---