Thursday, March 28, 2024

U.S. Defense Dept Purchased Chinese IT Equipment with Known Vulnerabilities for Use at Sensitive Base.

Yet another Chinese Communist Party-linked company has been supplying technology to critical entities within the broader U.S. national security apparatus, The National Pulse can report.

In a previous investigation, it was revealed that smart TVs manufactured by the Chinese government were being sold on U.S. military bases and were potentially sending data on millions of Americans back to China.  This followed another National Pulse story that exposed a Silicon Valley tech startup that was sharing massive amounts of Americans’ personal data with Chinese state-owned firms.

Now, it has been discovered that TP-Link – one of the top manufacturers of internet routers and other electronic devices in the world – have been discovered to have many security vulnerabilities. The U.S. Government’s National Institute for Science & Technology (NIST) maintains a database of such vulnerabilities and the list for TP-Link is extensive.

TP-LINK DEVICES IN THE UNITED STATES.

A review of the online retail websites for United States military exchanges, the retail stores located on American military bases worldwide, shows multiple TP-Link devices being sold. This has the potential for an enormous risk of data compromise and should be considered a matter of national security. The Army & Air Force Exchange Service, which also serves the Space Force, currently lists 28 TP-Link devices through its online store. The Navy Exchange lists 13 TP-Link devices on its site. No TP-Link devices were found listed on the Marine Corps Exchange or Coast Guard Exchange websites.

In addition to online sales and retail stores on military bases, a review of federal contracts through the website USASpending.gov reveals purchases of TP-Link equipment by the Department of Defense for operational purposes.

For example, one contract from 2021 was awarded to FCI Tech for $174,195. The transaction description simply says “TP-Link.”  Another 2021 DOD contract was awarded to FCN, Inc. for $6,287 and included an order for “4 TP-Link non-cellular ethernet wireless routers.” Later in the year, another contract with FCN for 4 more TP-Link routers was awarded for $138. The contract award specifies the model of router was the TL-WR902AC. In 2022, a critical vulnerability report was published in the NIST Vulnerability Database regarding this particular model stating, “This vulnerability allows unauthenticated attackers to execute arbitrary code.”

The agency within DOD that awarded these particular contracts was the Defense Information Systems Agency (DISA) located at Fort Meade in Maryland, which is also home to U.S. Cyber Command, the National Security Agency (NSA), and other military intelligence units. According to an article from 2020, DISA has planned to partner more with the intelligence community, particularly the NSA, on cyber capabilities. They may want to start with not purchasing vulnerable Chinese equipment.

Four additional contracts between 2021-2022 totaling $9,703 were awarded for purchases of TP-Link equipment by the Defense Logistics Agency. In 2017, the Naval Undersea Warfare Center purchased 8 fiber network converters made by TP-Link. In 2014, NASA purchased 3 TP-Link power over ethernet injectors for Kennedy Space Center. As TP-Link is one of the most popular brands of networking products, there are likely many more such devices throughout the government, however, the examples listed above were specifically noted in publicly available contract documents.

WHAT IS TP-LINK?

TP-Link primarily manufactures routers, network switches, access points, wi-fi range extenders, and related accessories, including mesh network devices under the brand name Deco. They also make smart home devices under the brand name Tapo, including smart lighting, smart plugs, smart switches, smart cameras, and robot vacuums. Additionally, they have entered the smartphone market under the brand name Neffos.

As with the Chinese smart TV companies, TP-Link collects an extensive amount of data through its devices and openly states that anyone’s personal information can be shared throughout the companies’ network, which means that user data will end up in China.

TP-Link’s Privacy Policy states, “Your information will be transferred or transmitted to, or stored and processed in…Places we have infrastructure or data centers, including the United States, Ireland, and Singapore, among other Countries where TP-Link Products and Services are available.” TP-Link is headquartered in Hong Kong and Shenzhen, China.

The policy goes on to say, “These countries may have different privacy standards that differ from where you are. Please note that data processed in another country may be subject to different laws and may be accessible to government, judicial, law enforcement, and regulatory agencies in those countries.”

According to a company news release, TP-Link enjoys a 17.8 percent global market share and has been ranked the number one provider of wireless local area network (WLAN) products for 11 years running by International Data Corporation (IDC), a global market intelligence firm.

Currently, 15 of the top 50 best-selling routers on Amazon.com are manufactured by TP-Link. Likewise, 10 of the top 50 best-selling routers at Walmart.com are TP-Link products.

LONG STANDING EXPLOITATION.

TP-Link products are a notorious security risk. A search of the NIST National Vulnerability Database for “TP-Link” yields over 250 results dating all the way back to 2012, documenting an extremely serious threat posed by these devices. In March 2022, the website GizChina, which reviews Chinese technology products, reported that TP-Link routers had been discovered sending a users traffic to a third-party company, despite user settings that had been switched off to prevent this.

In 2016, the company was ordered to pay a $200,000 settlement following an investigation into TP-Link routers that were found to violate FCC regulations. In November 2022, the FCC banned the importation or sale of devices made by other Chinese companies that pose a national security threat, including Huawei Technologies, ZTE Corporation, Hytera Communications, Hangzhou Hikvision Digital Technology, and Dahua Technology. TP-Link was not on the list.

With all of the security vulnerabilities being discovered in electronics manufactured in China that can be exploited by the Chinese government, it seems these vulnerabilities are more of a feature, not a bug. An article last fall from Cybernews detailed a major security flaw in other commonly–sold Chinese-made routers being sold under the brand names Wavlink and Jetstream. The routers were found to have a built-in backdoor, which they called an “undocumented functionality,” that would allow internet traffic to be intercepted, detection of nearby networks, and remote control of network devices, among other things.

In addition to China’s creeping control over technology used in the United States, many have also sounded the alarm regarding Chinese purchases of American agricultural land. A number of state governments are looking to ban such purchases. According to the Silicon Valley Business Journal, TP-Link’s Chairman, Jeffrey Chao, recently purchased a 284-acre ranch in California in 2016.

More From The Pulse