I suspect its likely because TP-Link tells/is forced to tell the Chinese government about 0days that are still unpatched which would give them the advantage to conduct large scale espionage and recon before its fixed.

Very similar to how Microsoft gives the same info about 0days to the NSA to use for the same exact reason.

> I suspect its likely because TP-Link tells/is forced to tell the Chinese government...

I think if we are there, then we should assume all 0days are known by various states before patches are available regardless of whether companies are setup to share that information or not. You don't need to get the company to share that information, just one person in a company, and I don't really see that as being a challenging task for a state to do.

Assuming otherwise seems more risky.

Hence zero-trust, buzzwords aside.

You should absolutely assume breach as part of your company's security policy/trust model.

Then why target TP-Link for actions?

Are they the next biggest vendor after Huawei?

I dunno if they're the next biggest, but they are one of the largest in the consumer space. They've been the best selling networking devices on Amazon for nearly a decade and ISPs use their products when bundling WiFi setups with ISP service (although those are usually centrally managed by the ISPs themselves)

Why take that chance, for some slightly cheaper routers?

I have respect for human creativity, and the limits of public servants. Its not easy to keep constant vigilance against all possible backdoors. Easier to restrict core infra devices from openly hostile areas.

Why take the chance that the food you buy from the grocer may be contaminated? I have respect for human creativity, and the limits of farmers. It's not easy to keep constant vigilance against all sources of contamination. Easier to restrict food to only what you produce yourself.

Glibness aside, there's clearly a continuum to the concept of 'we live in a society', and to how far the monkey brain's tribe extends. But the argument against routers is clearly arising from a biased set of priors, whether fairly or unfairly.

Because it's a strategic issue. The internet is critical infrastructure. While TP-Link might not have contracts with ISPs and datacenters, it doesn't take a lot of imagination to think what damage you could have with 30% of the home / small business routers under your control.

This could range from plausible deniability stuff (like the examples in the article), to targeted investigations / attacks (Bob who works at the Gov Accounting office for Miliary Spending), all the way to a 100-million unit botnet turning to provide a few days of distraction ("Bad hackers compromised our OTA system. Sorry!") on while a certain island is being eminant-domained.

Your food example is not the same. You can't trojan-horse an apple pie, or target an individual customer from the supplier-side (yet). If you decided to poison them, that's pulling the pin from the grenade right now.

we know domestic suppliers are complicit with domestic spying. what do we buy? what are the options?

People are living paycheck to paycheck and need to make every eurodollar count.

The Chinese, regardless of how you feel about them, are great at making cheap shit that mostly works.

Because I don't think the chance of getting a compromised router is any greater than any other router. Chance probably higher there's a US government backdoor in other routers.

> which is the suspicion that there's Chinese government-accessible backdoors that can cripple infrastructure.

Which is real rich coming from the US after the Snowden leaks showed Cisco was willingly cooperating with the NSA and planting NSA backdoors in their hardware destined for overseas.

Them wanting to ban TP-Link (and Huawei) have nothing to do with cybersecurity and more to do with "We don't want to allow anyone else to play the same game we are playing."