What should you do with a router product the government is considering banning?

[aum]

Multiple U.S. government agencies and departments are backing a proposed ban on future sales of America’s most popular brand of home internet routers, TP-Link, over national security concerns, according to Washington Post reporting.

 

So if you have a TP-Link router, what should you do now?

 

Experts say that most people shouldn’t feel the need to chuck it out. It’s OK.

 

But over time, they said that it’s worth considering routers that have a stronger security track record and that aren’t made by a company that originated in China, as TP-Link did. (The company is based in Irvine, Calif., and says it has no ownership links to the Chinese company from which it was spun off.)

 

But that’s where things get tricky.

 

There have been attempts at digital security standards for internet-connected gadgets, but they mostly haven’t stuck or been enforced. You’re largely on your own to figure out if your router has strong security measures and to keep it secure. I have some advice, but we need more help.

 

This problem goes far beyond routers. Now that our cars, garage door openers, robot vacuums and doorbells may have internet-connected features, it’s glaring how little is done to ensure the safety of their digital portals to the outside world.

What’s the worry about TP-Link routers?

 

Quick reminder: Routers are gadgets that typically beam Wi-Fi to your devices. They’re gatekeepers to your internet activity. You might have a router from your internet service provider, or one that’s combined with the modem that pulls the internet into your home.

 

Routers can be a security nightmare. Criminals or government-backed hackers have remotely hijacked people’s routers as launchpads for scams or corporate spying.

 

Your personal information probably won’t be stolen if your router is hijacked. But it’s not great if your gadgets are unwitting participants in crime. “You don’t want the FBI to knock on your door,” said Nick Biasini, head of outreach for Cisco Talos, a cybersecurity group.

 

Specialists in security of internet-connected devices say most router manufacturers could do more to improve their security protections, and that TP-Link has been criticized for not responding quickly enough to known vulnerabilities. Many review sites have recommended TP-Link routers for their quality and price.

 

TP-Link “promptly troubleshoots and patches vulnerabilities,” the company said in a statement. “TP-Link’s security track record meets or exceeds most of its competitors.”

 

TP-Link suggested I talk to Matt Wyckhouse, founder and CEO of device security company Finite State, who said it’s unfair to say TP-Link has a worse security approach than its peers.

 

If you have a router, or a combined router and modem, from your internet provider, you might not be able to tell which company made it.

How to keep your router secure

 

The key security feature for a router is automatic software upgrades and security fixes, said Stacey Higginbotham, a policy fellow at Consumer Reports on the technology advocacy team.

 

Smartphones and laptops typically do this for you. But router companies don’t necessarily disclose whether they will push out automatic upgrades and patches at the base-level software — called “firmware” — on your router.

 

You also want to know for how long the manufacturer will keep updating the security software for your router model. Again, this information is often unavailable or opaque.

 

If your internet provider gave you Wi-Fi equipment, contact customer service to ask if the firmware is being updated automatically behind the scenes. Most larger internet providers do this, but it’s worth checking.

 

If you’ve had the same router for at least four or five years, talk to your internet provider about getting a new model. The manufacturer may no longer be updating the software, and you’d be better off with a fresh router.

 

If you’re buying a router on your own, some of the Consumer Reports reviews say whether the devices’ firmware is automatically updated. (You may need a subscription to read them.)

 

Higginbotham also said Amazon’s Eero brand does a good job of automatically updating its routers’ security software and disclosing up front how many years you can expect those updates to continue.

 

(Amazon founder Jeff Bezos owns The Post.)

This cannot be your responsibility alone

 

Most Americans have multiple home gadgets connected to the internet, but their digital security can be an afterthought for manufacturers, said Glenn Gerstell, a former top lawyer at the National Security Agency. Lax security has let creeps peer into homes through baby monitors or track vehicles from a connected car system.

 

Manufacturers may also stop supporting essential features that rely on internet connections. Imagine not being able to run your dishwasher because the manufacturer let the software go kaput.

 

As with routers, you have almost no way of knowing which connected devices have strong security or when the manufacturer might let a wireless feature die.

 

Gerstell, now a senior adviser at the Center for Strategic and International Studies research organization, wants a combination of industry self-regulation and government mandates to better inform people about products’ security and to enforce minimum standards.

 

Wyckhouse said it would help if the government followed through on a program announced in 2023 to establish a seal of approval for connected devices that have met security standards. It would be similar to the UL certification that tells you whether consumer electronics have safe batteries.

 

Higginbotham’s group and other consumer advocates have suggested legislation to require connected device manufacturers to tell you up front how long their products will keep getting software and security updates, and to give you six months’ notice before those stop.

 

Automakers must include seat belts in cars to protect us, and Higginbotham said that manufacturers of internet-connected products should similarly be required to follow digital safety best practices.

 

Source