Texas sues TP-Link over China links and security vulnerabilities

Texas sues TP-Link over manufacturing

Texas Attorney General Ken Paxton filed a lawsuit against TP-Link Systems Inc. for allegedly deceiving consumers about its manufacturing origins and device security. The state claims the networking giant uses "Made in Vietnam" labels to hide its deep reliance on Chinese supply chains and state-managed subsidiaries.

This legal action marks the first in a series of planned lawsuits against "China-aligned companies" operating in the United States. Paxton’s office confirmed that it intends to file several more cases this week to hold these entities accountable under Texas law. The state argues that TP-Link’s affiliations allow Chinese state-sponsored actors to access devices inside American homes.

TP-Link currently dominates the American market for networking and smart home hardware. The lawsuit claims the company controls 65 percent of the U.S. market for these devices. This massive footprint makes the alleged security vulnerabilities and manufacturing deceptions a matter of significant public interest.

The Attorney General is seeking a jury trial to address these claims. The state wants an injunction to stop TP-Link from using "Made in Vietnam" labels and to force the company to disclose its ties to the Chinese government. Texas also wants to prevent the company from collecting consumer data without explicit, informed consent.

Vietnam labels hide Chinese origins

The lawsuit alleges that TP-Link represents its products as manufactured in Vietnam to appeal to American consumers. Most devices sold in the U.S. carry a "Made in Vietnam" sticker. Texas claims this labeling is a material misrepresentation of where the hardware is actually developed and built.

Investigations into the company’s supply chain suggest that Vietnam facilities only perform final assembly. The vast majority of components are imported from China. According to the petition, Vietnam-sourced parts account for less than one percent of the total components in these devices.

Chinese subsidiaries owned and managed by TP-Link develop the hardware and software. The state argues that TP-Link uses the Vietnam assembly line as a facade to distance itself from its Chinese roots. This practice allegedly misleads consumers who wish to avoid products manufactured in China for security or ethical reasons.

The relationship between the company and the Chinese government appears to go beyond simple manufacturing. The lawsuit alleges that the Chinese government provides direct subsidies to TP-Link. These financial incentives help the company maintain its dominant market share in the United States.

Texas also claims that a Chinese military company is working to expand TP-Link’s research and manufacturing facilities. This partnership suggests a level of state integration that the company does not disclose to its customers. The Attorney General argues that these ties create an inherent risk to American national security.

Security flaws risk consumer privacy

TP-Link markets its routers and smart home devices as secure networking solutions. The lawsuit claims these marketing materials are false. Security researchers have documented "numerous and dangerous" firmware vulnerabilities in TP-Link products for several years.

The state alleges that Chinese state-sponsored hackers have actively exploited these flaws. These actors use the vulnerabilities to gain unauthorized access to private networks. While the lawsuit does not explicitly accuse TP-Link of building backdoors, it claims the company knows its products are insecure and fails to protect users.

Federal agencies have previously expressed concern about the security of TP-Link hardware. The Cybersecurity and Infrastructure Security Agency (CISA) added two TP-Link router flaws to its catalog of known exploited vulnerabilities last year. These bugs required urgent patches to prevent hackers from taking control of consumer devices.

The following issues highlight the security concerns raised in the lawsuit and by federal agencies:

• Unpatched firmware vulnerabilities that allow remote code execution by foreign actors.
• Active exploitation of consumer routers by state-sponsored hacking groups.
• Lack of transparency regarding the company’s internal security audits and bug bounty programs.
• Omission of material facts about the potential for Chinese government access to device traffic.

The lawsuit notes that federal officials once considered a complete ban on the sale of TP-Link products in the U.S. While the federal government recently signaled it might walk away from those plans, Texas is moving forward with its own enforcement. The state argues that TP-Link’s failure to secure its devices puts every Texan with a home network at risk.

Intelligence laws threaten user data

TP-Link’s mobile applications collect significant amounts of personal data from American consumers. The lawsuit alleges the company fails to obtain informed consent for this collection. Users are often unaware that their data is processed by a company with significant Chinese affiliations.

Chinese national intelligence laws require domestic companies and citizens to support and cooperate with state intelligence work. The Attorney General argues that TP-Link’s Chinese subsidiaries must comply with these laws. This creates a pipeline for American consumer data to reach the Chinese government.

By failing to disclose these legal obligations, TP-Link allegedly misleads its customers. Consumers might choose different hardware if they knew their personal information was subject to foreign intelligence mandates. The state claims this lack of transparency violates the Texas Deceptive Trade Practices Act.

The Attorney General wants to force TP-Link to change its data collection practices. The lawsuit seeks to ensure that no data is gathered without a clear explanation of where that data goes. This includes disclosing whether the information is accessible to the Chinese government or its intelligence agencies.

Texas seeks a jury trial

Attorney General Ken Paxton stated that TP-Link will face the "full force of the law" for its actions. He framed the lawsuit as a warning to any entity seeking to compromise national security through deceptive business practices. The state is asking for civil penalties and permanent injunctions against the company.

The legal team for Texas is focusing on several specific demands to resolve the case:

• Correction of all labels to accurately reflect the Chinese origin of the hardware components.
• Full disclosure of all corporate and financial ties to the Chinese government and military entities.
• Mandatory security updates for all devices currently in use by Texas consumers to patch known vulnerabilities.
• Restitution for consumers who purchased devices based on misleading manufacturing or security claims.

TP-Link Systems Inc. has not yet issued a formal response to the lawsuit. The company has historically defended its security record and manufacturing processes. However, the specific allegations regarding the "less than one percent" component origin in Vietnam present a significant legal challenge.

This case could set a precedent for how other states handle "China-aligned" tech companies. If Texas succeeds, other state attorneys general may file similar suits. The outcome will likely impact how networking hardware is marketed and sold across the entire country.

The lawsuit also highlights the tension between state-level enforcement and federal trade policy. While the U.S. government manages international trade bans, Texas is using consumer protection laws to target the same companies. This dual-track approach increases the legal pressure on TP-Link and its subsidiaries.

The Attorney General’s office continues to investigate other technology firms with similar supply chain structures. More filings are expected as the state ramps up its scrutiny of the tech industry. For now, TP-Link remains the primary target in this new legal offensive.