
When Your Home Router Becomes "China's Eye": What the TP-Link Problem Reveals About Japan's Cybersecurity

2026-05-12 Ryuta Hamamoto

In March 2026, the US FCC banned imports of new foreign-manufactured routers including TP-Link. With TP-Link holding 60% market share in Japan, we examine the implications of Volt Typhoon attacks on critical infrastructure, economic security, and supply chain trust that Japanese companies and individuals must address.


This is Ryuta Hamamoto from TIMEWELL.

On March 23, 2026, the US Federal Communications Commission (FCC) issued a press release that sent shockwaves through tech circles worldwide. It announced a complete ban on imports of new consumer-grade routers manufactured overseas. In the statement, FCC Chairman Brendan Carr declared that "routers produced in foreign countries pose unacceptable risks to the national security of the United States or the safety and security of the American people"[^1][^2].

The target of this measure is most clearly TP-Link, a company with roots in Shenzhen, China. TP-Link boasts a market share of over 65% in the US home and small office router market (according to the Texas Attorney General's complaint), while at the same time being repeatedly linked to cyberattacks by state-sponsored hackers throughout 2024 and 2025[^4][^5].

I work in AI and organizational transformation, but when I heard about this issue, my first thought was that this is not somebody else's fire. Japan's TP-Link market share reached 59.9% by Wi-Fi router unit sales in 2024. According to BCN Ranking research, with its competitive pricing and broad product lineup, TP-Link has come to literally "dominate the majority" of Japan's home router market[^9][^10].

Equipment banned in the US is casually connected to the networks of Japanese homes and businesses. I feel that we have yet to fully grasp the risks that this fact implies.

The story begins in August 2024. A bipartisan group of US congressional members sent a letter to the Department of Commerce requesting an investigation into TP-Link products. The phrase they used in that letter was striking: "anomalous level of vulnerabilities." This is not just a story about ordinary product bugs.

The technical vulnerabilities of TP-Link routers go well beyond the usual conversation about product defects. In 2025, a critical authentication bypass vulnerability tagged CVE-2025 was discovered and patched, where attackers could bypass router authentication and write new firmware — essentially a backdoor-equivalent problem[^8]. But the essence of the issue lies in who is exploiting these vulnerabilities, and how.

Enter "Volt Typhoon," a threat actor that CISA (the US Cybersecurity and Infrastructure Security Agency) and the FBI have identified as a state-sponsored hacker group linked to the Chinese People's Liberation Army. This group had been silently lurking in US critical infrastructure for over five years. According to JPCERT/CC's report, Volt Typhoon's distinctive technique is what is called "Living off the land"[^6]. Rather than dropping dedicated malware on target systems, they hijack legitimate tools and devices already present in the network, hiding malicious activity within normal traffic logs. Inconspicuous, and therefore long undetected.

TP-Link routers functioned as this "hiding place." Volt Typhoon infected vast numbers of vulnerable SOHO (small office/home office) routers, building a massive botnet known as the "KV Botnet." Through this botnet, they attempted attacks on US electric companies, water utilities, telecommunications providers, military ports, and other critical infrastructure. Ordinary citizens' routers were being used as relay stations for state-level cyberattacks.

The Department of Justice carried out an operation to neutralize this Volt Typhoon-built botnet in December 2023. New attack campaigns have since been confirmed, and the problem has not been eradicated. On April 23, 2026, Japan's National Cybersecurity Office co-signed a UK-led international advisory warning against "anonymous networks of compromised devices linked to China"[^7]. The list of ten signatory countries shows just how seriously this threat is being taken: the UK, US, Australia, Canada, Germany, the Netherlands, New Zealand, Spain, Sweden, and Japan.

When discussing this issue, TP-Link's counterargument always comes up. TP-Link was founded in Shenzhen, China in 1996, but moved its headquarters to Irvine, California, around 2023. Its statement on the Japanese TP-Link website explicitly declares that "TP-Link Systems is headquartered in the US and fully committed to complying with US law"[^11].

However, the US government does not view this headquarters move as solving the structural problem. The reasoning is clearly laid out in the lawsuit filed by Texas Attorney General Ken Paxton in February 2026. In the complaint, Paxton argues that TP-Link Systems labels products as "Made in Vietnam" while the reality of manufacturing and management is conducted within China, and is under the control of the Chinese Communist Party[^4][^5]. The accusation is one of deception: "the supply chain involved in product manufacturing is China-led, yet consumers were misled."

The essence of this issue lies not in "where the headquarters is" but in "who develops and updates firmware, manufactures products, and manages the supply chain." China's National Intelligence Law (enacted in 2017) contains provisions that obligate Chinese companies and individuals to cooperate with government intelligence activities. The US government's concern is the structural risk that the Chinese government can use the law to demand access to TP-Link's firmware development teams and manufacturing lines. Simply changing the headquarters location does not eliminate this concern. That is why the US continues to treat TP-Link as a "suspect Chinese-affiliated company" on par with Huawei and ZTE, even after the headquarters move.

There is also a dispute over TP-Link's market share figures. While the Texas lawsuit claims 65% of the US market, TP-Link itself counters with 36.6% from its own 2024 research. It is difficult to say which is accurate, but in any case TP-Link is indisputably "one of the most widely used router brands in the US," which explains the scale of this ban.


What the US Ban Actually Covers — And What It Does Not

To accurately understand the FCC's March 2026 announcement, we need to clarify the specific contents of the ban. Many misunderstandings have arisen here.

What is banned is "imports and new certifications of new consumer-grade routers manufactured overseas." The key words are "new" and "new certification." Existing inventory that has been legally imported into the US can continue to be sold by retailers. As for existing routers that consumers have already purchased and are using at home, the FCC explicitly states that "continued use does not become illegal."

The FCC also announced an important mitigation measure at the same time. For overseas-made drones and routers on the ban list, firmware security updates will continue to be available until January 2029. This is intended to avoid leaving users in a "no support" state, and it presupposes a phased transition.

The condition "limited to US-made" also looks simple at first glance, but the reality is quite complex. As Forbes Japan reports, "even when a US-headquartered company performs basic design and software development at its own US facilities, if it outsources component mounting and final assembly to overseas locations in Taiwan, Vietnam, China, etc. for cost reduction, it is treated as 'overseas manufactured' and subject to the ban"[^3]. This effectively means that most major router brands are affected. Currently, very few router manufacturers have fully transitioned to US-only manufacturing, and US consumers will be left asking "what should I buy?" for some time to come.

Impact on Japan — What 60% Market Share Means in Terms of Risk

What follows is the most important part of the discussion for those of us living in Japan.

According to BCN Ranking's January-December 2024 aggregate, TP-Link achieved 59.9% market share in unit sales of Wi-Fi routers in Japan[^9]. If you check the bestseller rankings for wireless LAN routers at electronics retailers or Amazon, the sight of more than half of the top 10 products being TP-Link is now a familiar scene. The price range is reasonable, support for the latest standards like Wi-Fi 6 and Wi-Fi 7 came quickly, and Japanese-language support is well-developed. It is easy to see why TP-Link has penetrated so deeply into Japan's network equipment market: it is the result of consumers' rational choices.

However, as the US debate shows, this "penetration" from another angle means "wide distribution of risk." Home routers are the first gateway connecting the internet to every device. Smartphones, PCs, smart TVs, IoT appliances — all of these communicate through the router. If the router's firmware contains an intentional backdoor or exploitable vulnerability, all communications passing through it are exposed to surveillance and interception risks.

The problem becomes more serious in the corporate and government sectors. Driven by cost-focused procurement, it is not uncommon for inexpensive TP-Link routers to be adopted in the internal networks of SMEs and local governments, or in public facilities such as hospitals and schools. Among security experts, there is a shared recognition that "TP-Link routers are used in corporate and government communication infrastructure more often than people realize"[^12].

Translating what Volt Typhoon did in the US into the Japanese context makes the outline of the risk clearer. Using home routers as a stepping stone, lurking for long periods, and infiltrating critical infrastructure networks like electricity, water, and telecommunications — this is not a scenario that can be dismissed as "impossible in Japan." The very fact that Japan's National Cybersecurity Office signed the April 2026 international advisory shows that the Japanese government recognizes the same threat as real[^7].

Under current Japanese regulations, there are no rules prohibiting the purchase or use of TP-Link routers. In the area of government procurement, the Cabinet Office and Digital Agency have been building guidelines for excluding "equipment and software with security concerns" since 2020, but these have yet to cover private sector use or SME procurement. This "regulatory vacuum" is an issue requiring urgent debate in Japan's cybersecurity policy.

Having written this far, there is one important point I need to address honestly. The question of "is TP-Link really intentionally embedding backdoors?"

Security researcher Brian Krebs (Krebs on Security) raised doubts about the US government's TP-Link ban proposal on his own blog. Krebs argues that "TP-Link's vulnerability count is about half of Microsoft's, and there is no data showing it is particularly dangerous compared to other router makers. The ban is closer to the context of a trade war than a rational national security policy."

This point deserves to be taken seriously. There is no public evidence at this time confirming that TP-Link routers contain intentional spyware. The vulnerabilities Volt Typhoon exploited may not be TP-Link-specific "intentional backdoors" but rather vulnerabilities common to other routers as well.

Even so, concluding that "there is no problem" would be premature. First, regardless of whether intentional backdoors exist, the fact that "devices with vulnerabilities were actually used as attack infrastructure by state-sponsored hackers" does not change. Second, the structural risk of China's National Intelligence Law is not eliminated by the fact that "there is no backdoor at this moment." There is no way to deny the possibility that, even if absent today, the Chinese government may demand future firmware updates to plant one — this "future risk that cannot be proven" is the core of the national security concern.

Third, and what I feel is most important, is that excluding TP-Link as "Chinese-affiliated" while replacing it with other Chinese products is meaningless. Beyond routers, surveillance cameras, smart speakers, IoT devices, cloud services — Chinese-affiliated products with similar structural risks have penetrated many parts of our digital infrastructure. Banning TP-Link does not "solve" the problem. A more fundamental digital supply chain security strategy is needed.

Actions Japanese Companies and Individuals Can Take Today

So what should we actually do?

Let me start from the corporate perspective. The highest priority is taking inventory of internal network equipment. The first step is to confirm the manufacturer and model of routers, switches, and access points installed at your office, factories, and locations, and understand how much TP-Link equipment is in use. In particular, for departments handling business information, customer data, and intellectual property, it is worth considering replacement priorities for network equipment.

Firmware updates are another measure not to overlook. Even if you continue using TP-Link, applying regular firmware updates to patch known vulnerabilities as much as possible is critical. As with the CVE-2025 authentication bypass vulnerability mentioned earlier, there are many cases where patches are provided but left unapplied, and these become entry points for attackers.

I will also touch on selecting alternative products. In the Japanese market, domestic manufacturers such as Buffalo and I-O Data exist as options. For high-security enterprise routers, products from US-based vendors like Cisco, Juniper Networks, and Fortinet are well-regarded. However, cost balance and operational management complexity also need to be considered.

As an individual user, please be mindful of at least these three things. Log into your router's management interface periodically to check for firmware updates. Change the default password. If remote management features (allowing external operation of the router) are enabled, disable them. These are basic security measures that apply to all home routers regardless of manufacturer, but the implementation rate is low, not just for TP-Link.
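One way to turn the inventory, firmware and router-hygiene steps above into a repeatable check, as an added example that is not from the original article: it reads an equipment inventory and ranks devices for follow-up. The CSV layout, department names, model placeholders, scoring and the 365-day firmware threshold are all assumptions made for this illustration.

```python
import csv
import io
from datetime import date

# Constructed sample inventory (hypothetical sites, placeholder models and dates).
INVENTORY_CSV = """site,department,type,vendor,model,firmware_date,remote_mgmt,default_password
HQ,finance,router,TP-Link,MODEL-A,2023-02-10,yes,no
HQ,lobby,access_point,TP-Link,MODEL-B,2026-03-01,no,no
Plant-1,r_and_d,router,Buffalo,MODEL-C,2022-11-20,no,yes
Branch-2,sales,switch,Cisco,MODEL-D,2026-01-15,no,no
"""

# Assumptions for this example: policy values an organisation would set itself.
SENSITIVE_DEPARTMENTS = {"finance", "r_and_d", "customer_support"}
VENDORS_UNDER_REVIEW = {"tp-link"}
MAX_FIRMWARE_AGE_DAYS = 365


def audit(csv_text, today):
    """Return (devices_per_vendor, findings), findings sorted by priority."""
    share = {}
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        vendor = row["vendor"].strip()
        share[vendor] = share.get(vendor, 0) + 1
        issues = []
        age = (today - date.fromisoformat(row["firmware_date"])).days
        if age > MAX_FIRMWARE_AGE_DAYS:
            issues.append(f"firmware {age} days old")
        if row["remote_mgmt"].strip().lower() == "yes":
            issues.append("remote management enabled")
        if row["default_password"].strip().lower() == "yes":
            issues.append("default password unchanged")
        if vendor.lower() in VENDORS_UNDER_REVIEW:
            issues.append("vendor under supply-chain review")
        if not issues:
            continue
        # Hygiene issues count for every vendor; a sensitive department
        # doubles the score so those devices are handled first.
        score = len(issues)
        if row["department"] in SENSITIVE_DEPARTMENTS:
            score *= 2
        device = f'{row["site"]}/{row["department"]}/{row["model"]}'
        findings.append({"device": device, "score": score, "issues": issues})
    findings.sort(key=lambda f: (-f["score"], f["device"]))
    return share, findings


if __name__ == "__main__":
    share, findings = audit(INVENTORY_CSV, date(2026, 5, 12))
    print("Devices per vendor:", share)
    for f in findings:
        print(f'{f["score"]:>2}  {f["device"]}: {"; ".join(f["issues"])}')
```

Because the hygiene checks apply to every vendor, a device from a vendor outside the review list can still rank above one inside it.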

On "Trust" as Infrastructure

What I keep thinking about while following this issue is the concept of "trust" in digital infrastructure.

Once installed, a router is a device that is used for years without conscious attention. Plug it in and it works — it is an "air-like presence." But that "air" might actually be someone's eye. This possibility raises a question about "sovereignty in the digital age" that goes beyond mere security.

The US banned TP-Link not so much because of proven vulnerabilities as because of a precautionary judgment against the structural risk of "may not be trustworthy." Designing institutions by anticipating geopolitical risk rather than waiting for proof of technical safety — this is, on calm reflection, a rational approach. At the same time, taking this logic to its conclusion creates a world where we must always be aware of the risks associated with the country of manufacture and country of development when selecting equipment.

Japan has so far prioritized "cheap" and "easy to use" as the top axes when building IT infrastructure. The fact that TP-Link's share has reached 60% of shelf space at Amazon and electronics retailers is the result of those choices. Now, I wonder if the time has come to add a new question to those judgment criteria: "is the supply chain trustworthy?"

Whether the US measure is correct, or whether TP-Link is actually dangerous — the final answer to these questions is not yet held by anyone. But I believe it is worth re-examining the meaning of choosing "the status quo because we do not know." Looking up your router's model number takes about five minutes. Checking once where the network equipment you are using today was made and who manages it may be the entry point to this question.

Building Supply Chain Security into Corporate Strategy

If you have read this far and felt "where does our company even start?" — you are not alone. Cybersecurity risk is no longer an issue for the IT department alone, but a topic of "economic security" tightly linked to executive decision-making.

TIMEWELL's WARP consulting provides support for taking inventory of supply chain risk in AI and IT assets alongside AI deployment strategy design. Which vendor's hardware and software you depend on. Who controls firmware and model updates. What paths your business information can leave the company through. These questions are sorted out in both operational and executive language.

In companies that build and operate generative AI and business systems in-house, another geopolitical risk is surfacing: how much of internal knowledge is flowing into external SaaS. Rising interest in enterprise AI that runs on Japan-based servers — such as ZEROCK — sits on this same line of thought.

"We want to take inventory of our network equipment and software, but where do we start?" "How can we explain economic security to the executive team in a way that lands?" If these questions resonate, please feel free to reach out.

References

[^1]: ASCII.jp. "US bans foreign-made routers, citing 'anomalous level of vulnerabilities' in China-based TP-Link." https://ascii.jp/limit/group/ida/elem/000/004/400/4400790/ (2026)

[^2]: Reuters. "US authorities ban imports of new foreign-made routers over security concerns." https://jp.reuters.com/business/technology/ZJRRPTR2VVKHPLDKBEKX4AVNV4-2026-03-24/ (2026-03-24)

[^3]: Forbes JAPAN. "US fully bans sales of foreign-made routers — what can consumers buy?" https://forbesjapan.com/articles/detail/94909 (2026)

[^4]: GIGAZINE. "Texas sues TP-Link for 'aiding cyberattacks by the Chinese Communist Party.'" https://gigazine.net/news/20260219-tp-link-hacking/ (2026-02-19)

[^5]: Codebook. "Texas files suit against TP-Link over China ties and vulnerability issues." https://codebook.machinarecord.com/threatreport/silobreaker-cyber-alert/43958/ (2026-02-18)

[^6]: JPCERT/CC. "How to prepare for the Volt Typhoon attack campaign." https://blogs.jpcert.or.jp/ja/2024/06/volt-typhoon-threat-hunting.html (2024-06)

[^7]: National Center of Incident Readiness and Strategy for Cybersecurity (NISC). "On the joint signing of the advisory on defending against China-linked covert networks of compromised devices." https://www.cyber.go.jp/pdf/press/Defending_against_China_linked_covert_networks_of_compromised_devices.pdf (2026-04-23)

[^8]: Codebook. "TP-Link patches critical authentication bypass vulnerability (CVE-2025)." https://codebook.machinarecord.com/threatreport/silobreaker-cyber-alert/44805/ (2025)

[^9]: BCN Retail. "TP-Link surges! Top 10 wireless LAN router popularity ranking." https://www.bcnretail.com/research/detail/20260413_618449.html (2026-04-13)

[^10]: xexeq.jp. "TP-Link's Wi-Fi 7 router earns A rating, leading the Japanese market with 59.9% share." https://xexeq.jp/blogs/media/topics37578 (2024)

[^11]: TP-Link Japan. "Statement from US headquarters regarding recent media reports." https://www.tp-link.com/jp/press/news/21538/ (2025)

[^12]: Security Measures Lab. "US bans new sales of overseas-manufactured routers for security reasons — impact on TP-Link and Japan." https://rocket-boys.co.jp/security-measures-lab/sada-hospital-nurse-sns-post-medical-record-image-leak-privacy-risk-2/
