Why Are Walmart and Our Government Making China’s Espionage Easier?

Joel Lauren Thayer
6 min readJan 30, 2024

--

There are at least 150 million Chinese routers in our global networks; some may even be used by our own government. Companies, like TP-Link, offer consumers routers that connect their home devices to the Internet. But here’s another one of its features — an access point for the Chinese government to enter into any place those routers are. That could be anywhere from the halls of an everyday individual’s house or within the walls of the Pentagon.

If you’re wondering how hackers can use an otherwise innocuous router to wreak havoc, then let’s break down what routers control. A router is your gateway into the Internet. Routers are responsible for sending information to the correct device — it’s the reason why when you send an email, the message isn’t shared with other devices within your house. They also have software that prevents cyberattacks from entering your home. In many ways, a router is your network's first line of defense.

Routers are also primary targets for hackers. Think about all that a person can access if they control the internet’s gateways. Access to your router allows them to read every message from every device in your house. But surveillance is the least offensive thing they can do. If your router is compromised, hackers could even manipulate data or information by taking control of the devices on networks using that router. Or ensure an email never gets sent or received. Or slow your Internet speeds to a crawl.

But what’s wrong with Chinese routers in particular? Well, TP-Link — one of the world's top manufacturers of internet routers — has many security vulnerabilities. The U.S. National Institute for Science & Technology (NIST) found that TP-Link’s most popular router “allows a remote attacker to execute arbitrary commands” on any device using the router. In layman’s terms, TP-Link provides a backdoor for Chinese hackers to control all of your devices. One outlet reported that TP-Link’s vulnerability was so blatant and large that it seemed more intentional than accidental. In other words, TP-Link’s backdoor seemed “more of a feature, [than] a bug.”

This is not uncommon for these types of routers. China-based company Jetstream’s routers had a similar backdoor to TP-Link’s that also allowed “an attacker the ability to remotely control not only the routers, but also any devices connected to that network.”

Worse, hackers in China know how to access these routers and have even orchestrated a sophisticated attack in Europe. The hackers used TP-Link’s backdoor, named “Horse Shell,” to gain “a remote shell for executing commands on the infected device, file transfer for uploading and downloading, and [have a] data exchange between two infected devices….” It even allowed the hackers to create a network of infected devices to share data more easily. In other words, the hackers had access to every EU device touching a TP-Link router. TP-Link’s backdoor even allowed the hackers to upload malware to cover their tracks after they finished pilfering EU consumers’ information.

But here’s the core issue: these faulty routers impact a person’s privacy and make foreign espionage extremely easy, especially for China. Companies, like TP-Link and Jetstream, are covered under China’s Cybersecurity law. The law forces Chinese companies that store data into a data-sharing arrangement with the government. Even without this law, the Chinese government could force TP-Link into giving them access to these digital backdoors. Then, they can log into your router themselves. Or they have TP-Link store data on state-owned computer servers.

Think they won’t do it? They have similar arrangements with Apple for the devices it sells in China. The Chinese government forces Apple to degrade its functions and protocols oriented towards maintaining the integrity of its customers’ privacy and encryption. If they would do it to an American company doing business in China, why would they not do the same to or ask for more from a domestic company?

With all of these issues, one would think that these routers would be hard to come by or something folks must lift from a nefarious vendor in a black market. Nope. You can get them at your local Wal-Mart or Amazon. In fact, Walmart had an exclusive deal with Jetstream. Amazon lists TP-Link as an “Amazon Choice,” and Walmart lists the item as a “Best seller.”

Just imagine what our enemies could do with a strategically placed router that’s so easily sold in the US.

The surveillance alone makes buying these routers for government use a national threat. Imagine China having direct access to every classified or private document in every government agency. That prospect is bad enough, but we now know that routers allow hackers to peer through walls by using Wi-Fi signals to create de facto heat maps to show where people are throughout the buildings. Or even map out classified areas of the Pentagon.

But how would they even get such dangerous products into our government? Procurement processes are a fairly easy way to get foreign tech into our government’s networks. China has already leveraged this strategy in a slew of other contexts. In 2021 and 2022, the U.S. Secret Service purchased Chinese drones that were known to have spyware. Worse, U.S. military bases purchased smart TVs from Chinese manufacturers TCL and Hisense that an investigation revealed were transmitting information back to China.

And yes, TP-Link routers have slipped through the cracks, too. As the National Pulse Reported:

[A] review of federal contracts through the website USASpending.gov reveals purchases of TP-Link equipment by the Department of Defense for operational purposes. For example, one contract from 2021 was awarded to FCI Tech for $174,195. The transaction description simply says “TP-Link.” Another 2021 DOD contract was awarded to FCN, Inc. for $6,287 and included an order for “4 TP-Link non-cellular ethernet wireless routers.” Later in the year, another contract with FCN for 4 more TP-Link routers was awarded for $138. The contract award specifies the model of router was the TL-WR902AC…Four additional contracts between 2021–2022 totaling $9,703 were awarded for purchases of TP-Link equipment by the Defense Logistics Agency. In 2017, the Naval Undersea Warfare Center purchased 8 fiber network converters made by TP-Link. In 2014, NASA purchased 3 TP-Link power over ethernet injectors for Kennedy Space Center. As TP-Link is one of the most popular brands of networking products, there are likely many more such devices throughout the government, however, the examples listed above were specifically noted in publicly available contract documents.

The worst part about these incredible oversights is that none of these companies were hiding the ball on where they were sending the data. TCL and Hisense’s privacy policies both explicitly said they were sending data to China. The same is true for TP-Link. For procurement officers to miss these provisions borders on gross negligence.

Frankly, we need significant reforms on how our government procures tech. We need to make it a federal mandate, much like we did with Chinese telecoms and TikTok, that no federal or state dollar can go towards purchasing technology from China or working with contractors that use those technologies. Period.

This issue doesn’t just affect government officials but also harms consumers. These routers are in our homes, offices, and stores. Given the extraordinary proliferation of these routers, we have no guarantee that our devices — or the information that runs over the top of them — are secure and safe from peering eyes. We need laws in place that prevent retailers, like Walmart and others, from selling these dangerous items. Given the scope and intrusive nature of these threats posed by TP-Link, a commercial ban on them is appropriate, much like we did in the telecom sector with Huawei and ZTE.

Our democracy depends on us getting this right, so we should use every tool in our toolkit to cleanse our networks from foreign enemy tech.

--

--

Joel Lauren Thayer
Joel Lauren Thayer

Written by Joel Lauren Thayer

President of the Digital Progress Institute and a DC tech and telecom attorney.

No responses yet