Pentagon Stocked Bases With Chinese Tech Known for Security Vulnerabilities

For all Washington’s fears about China’s growing power and antagonism to America, the Pentagon sure has a habit of making the CCP’s job of weakening the United States easy for them.

As highlighted in a recent National Pulse report, a company with ties to the Chinese Communist Party (CCP) has been supplying IT equipment to important entities that fall within the purview of the U.S. Department of Defense.

According to the report, TP-Link, one of the world’s top manufacturers of internet routers and other electronic devices, has been used on American military bases and purchased in large quantities by the Defense Department despite being a China-based firm that not only collects personal data through its products, but openly admits that any user’s personal information can be shared through TP-Link’s network.

That means the data of American users — including the data from military bases and other Defense facilities — can make its way to Beijing.

TP-Link’s Privacy Policy states that user information “will be transferred or transmitted to, or stored and processed in … places we have infrastructure or data centers, including the United States, Ireland, and Singapore, among other Countries where TP-Link Products and Services are available.”

The above language conveniently neglects to mention that those “other countries” naturally includes China, where TP-link is headquartered.

The policy goes on to warn, “These countries may have different privacy standards that differ from where you are. Please note that data processed in another country may be subject to different laws and may be accessible to government, judicial, law enforcement, and regulatory agencies in those countries.”

TP-Link’s reach, and thus the vulnerability of the American people to Chinese spying, goes beyond government and extends into the nation’s homes. Currently, 15 of the 50 best-selling routers on Amazon are made by TP-Link, as are 10 of the top 50 routers at Walmart.com.

In a press release, the company says it has a 17.8 percent global market share, and that the International Data Corporation (IDC), a global market intelligence firm, has ranked TP-Link the number one provider of wireless local area network (WLAN) products for 11 years.

The National Pulse describes the extensive partnership between TP-Link and the Department of Defense:

The Army & Air Force Exchange Service, which also serves the Space Force, currently lists 28 TP-Link devices through its online store. The Navy Exchange lists 13 TP-Link devices on its site. No TP-Link devices were found listed on the Marine Corps Exchange or Coast Guard Exchange websites.

In addition to online sales and retail stores on military bases, a review of federal contracts through the website USASpending.gov reveals purchases of TP-Link equipment by the Department of Defense for operational purposes.

For example, one contract from 2021 was awarded to FCI Tech for $174,195. The transaction description simply says “TP-Link.” Another 2021 DOD contract was awarded to FCN, Inc. for $6,287 and included an order for “4 TP-Link non-cellular ethernet wireless routers.” Later in the year, another contract with FCN for 4 more TP-Link routers was awarded for $138. The contract award specifies the model of router was the TL-WR902AC.

This is despite the fact that the above model was included in a 2022 critical vulnerability report in the NIST Vulnerability Database with the warning, “This vulnerability allows unauthenticated attackers to execute arbitrary code.”

The DOD agency that awarded these contracts was the Defense Information Systems Agency (DISA). The agency is based out of Fort Meade, Maryland — as are U.S. Cyber Command, the National Security Agency (NSA), and other military intelligence units.

Furthermore, there were four additional contracts with TP-Link from 2021-2022 that totaled $9,703. These purchases were made by the Defense Logistics Agency.

In 2017, the Naval Undersea Warfare Center made a purchase of eight TP-Link fiber network converters. In 2014, NASA acquired three TP-Link Power over Ethernet injectors for Kennedy Space Center.

Thus, the federal government has been unabashedly filling its offices and high-security installations with TP-Link equipment for years, even though the company’s risks have been known for just as long.

After all, a search of the NIST National Vulnerability Database for “TP-Link” produces more than 250 results that go as far back as 2012, providing over a decade’s worth of documentation regarding the threat of these devices. 

And as the National Pulse report notes, TP-Link in 2016 was “was ordered to pay a $200,000 settlement following an investigation into TP-Link routers that were found to violate FCC regulations.”

But despite this, TP-Link was not included on a November 2022 FCC ban on the importation of Chinese products that pose a national security risk, a list that included tech giants such as Huawei and ZTE.

As The New American reported, the United States in February dealt a further blow to Huawei by banning U.S. firms from selling the smartphone manufacturer crucial components.

The federal government should take a similarly hawkish stance against TP-Link in order to close a dangerous crack in the nation’s national security wall.