Texas sues TP-Link over China links and security vulnerabilities

TP-Link is facing legal action from the state of Texas for allegedly misleading consumers with "Made in Vietnam" claims despite China-dominated manufacturing and supply chains, and for marketing its devices as secure despite reported firmware vulnerabilities exploited by Chinese state-sponsored actors.

The Lone Star State's Attorney General, Ken Paxton, is filing the lawsuit against California-based TP-Link Systems Inc., which was originally founded in China, accusing it of deceptively marketing its networking devices and alleging that its security practices and China-based affiliations allowed Chinese state-sponsored actors to access devices in the homes of American consumers.

It is understood that this is just the first of several lawsuits that the Office of the Attorney General intends to file this week against "China-aligned companies," as part of a coordinated effort to hold China accountable under Texas law.

The lawsuit claims that TP-Link is the dominant player in the US networking and smart home market, controlling 65 percent of the American market for network devices.

It also alleges that TP-Link represents to American consumers that the devices it markets and sells within the US are manufactured in Vietnam, and that consistent with this, the devices it sells in the American market carry a "Made in Vietnam" sticker.

However, the Attorney General alleges that, despite these representations, TP-Link’s networking and smart home devices are manufactured and developed by Chinese subsidiaries owned and managed by the company. The petition claims the facilities in Vietnam perform only final assembly, with the vast majority of components imported from China and Vietnam-sourced parts accounting for less than one percent of the devices’ components.

The lawsuit further alleges that the Chinese government confers subsidies on TP-Link, and that the relationship runs deeper than financial support; a Chinese military company is claimed to be working to expand TP-Link's manufacturing, research, and development facilities in Vietnam.

Getting to the meat of the claims, the lawsuit says that TP-Link falsely claims its devices are secure, yet security researchers and experts have for years reported on TP-Link's "numerous and dangerous" firmware vulnerabilities that Chinese state-sponsored hackers have exploited to access the devices.

This would seem to be different from the allegation that TP-Link allows Chinese agents to access its network devices. What the lawsuit actually claims is that TP-Link knows its products are insecure, and that Chinese state-sponsored hackers have taken advantage of the vulnerabilities. It stops short of openly accusing TP-Link of purposely providing backdoors for hackers or refraining from fixing vulnerabilities so that they can be used this way.

However, this didn't stop The Register columnist Rupert Goodwins from insinuating just such a thing some time ago.

Federal security agencies were also concerned enough about TP-Link routers being used in cyberattacks that a complete ban on their sale was reported to be under consideration in the US at one point. This week, however, it was reported that the US may instead lift bans on some Chinese firms operating in the US, and also walk away from plans to block sales of TP-Link products.

Last year, America's Cybersecurity and Infrastructure Security Agency (CISA) also disclosed two flaws in routers made by TP-Link that were being actively exploited and needed to be urgently fixed.

The Texas Attorney General also claims that TP-Link's mobile applications collect personal data from consumers while failing to obtain informed consent for this. Chinese national intelligence laws can require Chinese companies and citizens to support, assist, and cooperate with state intelligence work, the filing says, and it alleges that TP-Link’s Chinese affiliations could obligate it to comply with such requests.

By omitting this material fact, the company misleads US consumers and fails to obtain informed consent regarding their data, the Office of the Attorney General states.

The Office of the Attorney General is seeking a jury trial for this case, and wants an injunction to prevent TP-Link from claiming its products are "Made in Vietnam," and to require it instead to acknowledge that they are made in China. It further wants the company to be forced to make clear its ties to China, and to be prevented from collecting consumers' data without obtaining fully informed consent.

"TP-Link will face the full force of the law for putting Americans' security at risk. Let this serve as a clear warning to any Chinese entity seeking to compromise our nation's security," Attorney General Paxton commented.

We asked TP-Link for its reaction to this news and will update if we get an answer. ®

https://go.theregister.com/feed/www.theregister.com/2026/02/18/texas_sues_tplink_over_china/