Well, it’s that time of year again – the start of a new year, which means one thing if consumerism is your thing: the annual Consumer Electronics Show (CES), which kicked off this week in Las Vegas.
Every year, with holiday wrapping paper still strewn about homes, CES brings thousands of vendors and tens of thousands of attendees to the Las Vegas Convention Center to tout the latest toys, home appliances, television sets and other gadgets destined for the shelves (virtual and physical) of retailers. It’s an orgy of consumerism: a celebration of cutting edge tech, “OMG!” features and cool product design, with rivers of “Best of CES!” coverage in the mainstream media, on gaming Less talked about: restrictive product designs that frustrate repairs, lax data collection and protection that violates consumer privacy and – of course – balky software that makes smart, connected devices easy prey for hackers.
That’s why, for the past few years, a few of us fighting for a more secure, resilient and sustainable future have gathered on the edges of CES to make our choices of the “Worst in Show” – a ceremony that highlights some of the consequences of our current obsession with tech.
This year’s Worst in Show features Cindy Cohn of the Electronic Frontier Foundation to award the product with the worst privacy, Stacey Higginbotham of Consumer Reports to award the CES product with the worst environmental impact, Kyle Wiens of iFixit to award CES’s least repairable product, Nathan Proctor of PIRG to award the (esteemed) “Who Asked for This?!” award, and Gay Gordon-Byrne of Repair.org to anoint the overall “Worst in Show” for CES.
As in past years, Secure Repairs founder Paul Roberts was chosen to nominate the worst in show on the issue of cybersecurity. The winner: TP-Link.
The Winner (?): TP-Link
If you don’t know them, TP-Link is a China-based maker of small office, home office (SOHO) routers and other home networking equipment. It is the biggest seller of Wi-Fi and SOHO routers in the US with about a 65% market share. At CES this year, the company is announcing a number of product updates including its new Deco BE68 Wi-Fi 7 router.
Unlikely to get much mention at CES are the deep concerns about the security of TP-Link’s products. In recent years, hacks of TP-Link devices have been a common theme in China’s state-sponsored hacking campaigns, which are targeting U.S. businesses, government agencies and critical infrastructure. Malicious actors – both cybercriminal and nation-state – compromise these devices using known-and-unpatched or previously undiscovered (“zero day”) software flaws that allow remote attackers to take control of the devices. TP-Link devices are rife with such flaws. Microsoft in October reported that a malicious network of compromised SOHO routers it calls CovertNetwork-1658 was used by Chinese state actors to conduct password spraying attacks. That network was made up of thousands of compromised SOHO routers, the vast majority of them manufactured by TP-Link. That prompted the Departments of Justice and Commerce to launch investigations into TP-Link’s ties to China’s government and military.
Don’t get me wrong – security flaws in SOHO devices aren’t unique to TP-Link. Not by a long shot. But here’s the difference: as a China-based company, TP-Link is required by law to disclose flaws it discovers in its software to China’s Ministry of Industry and Information Technology (MIIT) before making them public. That potentially gives China state actors a window in which to exploit the publicly undisclosed flaw in order to gain access to targeted environments. That fact, and the coincidence of TP-Link devices playing a role in state-sponsored hacking campaigns, raise the prospect of the U.S. government declaring a ban on the sale of TP-Link technology at some point in the next year. And for that reason TP-Link is this year’s winner of the CES “worst in show” for cybersecurity.
You can watch the video of Secure Repairs founder Paul Roberts presenting the award for the least secure CES device – and the rest of the worst in show awards – above!