Chinese routers?

Perhaps one to put the cat among the pigeons, but should we be concerned about using routers from Chinese companies like TP-Link? I remember the concerns about Huawei in our telephone systems not so long ago.

Well the UK government didn't seem too concerned (well until it was too late and they'd already spent billions on it all) so I wouldn't be too worried. But if you are indeed paranoid you'd be better purchasing a more business/enterprise grade router one of which is owned by a western company - to name a few Cisco, Juniper, or Palo Alto. You could even get a UK made router - a Firebrick - designed, developed, and manufactured in the UK. At that point of paranoia however you would probably also want to consider switching ISP to one which also does not use Chinese equipment - so at that point your choices are becoming limited (as you probably wouldn't know which ISPs use Chinese equipment). So then perhaps you'd also want to go with AAISP as your ISP who make the Firebrick routers and also use some Cisco stuff.

There's no short answer really. If you are extremely paranoid then yes - don't use Chinese equipment, but it's going to cost you a lot of money.

There are good reasons why USA is concerned about what Chinese hardware could be doing.

Put it this way a drug dealer could get paronided about police car park out side there house. Even though they are not there about that drugs and police don't even know you are drug dealer. Just getting a witness statement from your neighbor about something that happen else where.

Just say there could be good reasions why USA is making such big fuss.

It reminds me of that old quip that just because you are paranoid, it doesn't mean they are not out to get you. Most of this is well beyond my technical understanding but it was a genuine question.

I would build your own router if you have any security concerns.
You can build from suitable hardware but even the Chinese built 'mini-PC' style devices are able to use Open Source BIOSs and firmware such as Coreboot which is the same as APU devices from PC Engines.

There are great router/firewalls you can use from OpenSource such as PFSense, OPNSense and Untangle (which is not free though).

IMO BT are probably worse from a security perspective although their rationale for installing remote access to their supplied equipment is from a customer support perspective rather than anything nefarious but could still be misused.

I wouldn't be concerned as long as your endpoints are running patched software and the resources you access online are designed with security in mind, and the connection is encrypted. There's not really much that your Wi-Fi router can do other than maybe change the DNS servers to send you to compromised sites - but that would break HTTPS and should be immediately obvious.

I actually changed the DNS settings to use Quad9 rather than those that are automatically designated. While reading up on this a few days ago I also saw suggestions like having household devices, such as TVs connect via a guest wifi account rather than the main one and also disabling WPS.

Another thing you can do is run Unbound for DNS and use DNSSec (e.g. PiHole) then force all of your clients to use it with Firewall rules even those with hardcoded DNS entries e.g. most Amazon and Google devices, Samsung TVs etc.
All those devices mentioned should be on an untrusted VLAN

Edited by smouty (Tue 20-Apr-21 15:27:47)

It's all a matter of personal risk.

I don't think Chinese authorities are too interested in equipment designed for home users or small businesses.

I would be more worried about the quality of the software installed. Does the company take security seriously? How often is the firmware updated? How long is the device supported for?

I had a TP-Link router for 6 years and it worked very well. I still have it as a backup.

Edited by AndrewNi (Tue 20-Apr-21 15:41:40)

PiHole is good but you go full hog and set up own Recursive DNS Server. You being doing it all.

There lot guides ever where and other videos out there.

Youtube : Quick and Easy Pi-hole Setup 2021
YouTube : You're running Pi-Hole wrong! Setting up your own Recursive DNS Server!