Texas Sues TP-Link for Letting China Spy Through Your Home Router

What Happened

Texas Attorney General Ken Paxton filed a lawsuit against TP-Link Systems Inc. on February 18, 2026, alleging the company deceptively markets its networking devices as secure while enabling the Chinese Communist Party to access American consumers' home networks. Paxton described the case as "the first of several" lawsuits his office plans to file against companies affiliated with China.

TP-Link is one of the most popular router brands in the United States, with millions of units deployed in homes and small businesses. The lawsuit argues that despite claims of privacy and security on its packaging and marketing materials, the company's products have been exploited by Chinese state sponsored hackers to launch cyberattacks against American targets.

The Security Track Record

The lawsuit cites a May 2023 report by cybersecurity firm Check Point Research documenting how Camaro Dragon, a Chinese state sponsored hacking group, exploited vulnerabilities in TP-Link router firmware to mount cyberattacks against targets in the United States and Europe. The group deployed a custom backdoor called "Horse Shell" that allowed persistent access to compromised networks.

That incident was not an isolated case. TP-Link routers have appeared in multiple security advisories over the years, with firmware vulnerabilities that went unpatched for extended periods. The Texas lawsuit frames these security gaps not as unfortunate oversights but as a predictable consequence of the company's corporate structure and Chinese connections.

The China Connection

At the heart of the lawsuit is a structural concern. Although labels on TP-Link products state the routers are manufactured in Vietnam, the lawsuit alleges that nearly all components are first sourced in China. The company's supply chain, engineering, and corporate relationships trace back to Chinese entities.

China's national intelligence laws are central to the complaint. Under these laws, Chinese companies and citizens can be compelled to "support, assist, and cooperate" with state intelligence work. The lawsuit argues that TP-Link's Chinese affiliations could obligate the company to comply with such requests, giving Beijing a potential pathway into the home networks of American consumers.

The lawsuit also alleges that TP-Link's mobile applications collect personal data from consumers without obtaining informed consent, a separate consumer protection violation under Texas law.

TP-Link's Response

TP-Link denied the allegations as "without merit," asserting that it operates as an independent American company with infrastructure hosted on Amazon Web Services servers in the United States. The company has attempted to distance itself from its Chinese origins, restructuring to establish a U.S. based corporate entity.

Security consultant John Bambenek noted that the lawsuit may have limited practical enforcement impact given the challenges of regulating international supply chains. But the case represents a shift in how regulators treat security misrepresentations, framing them as consumer protection violations rather than purely technical matters.

The Federal Ban That Never Happened

The Texas lawsuit comes after the federal government failed to act on similar concerns. Three separate investigations were opened at the Departments of Commerce, Defense, and Justice into TP-Link's potential national security risks. A ban on sales of TP-Link devices in the United States was widely expected.

But the White House reportedly shelved that plan ahead of a diplomatic summit between President Trump and China's President Xi Jinping. With the federal approach stalled, Texas is now pursuing the matter through state consumer protection law instead, treating the security risk as a deceptive trade practice.

What Your Router Knows About You

Your home router is the gateway to your entire digital life. Every device on your network, from your laptop to your smart thermostat, routes its traffic through it. A compromised router can:

• Monitor all unencrypted traffic on your network, including browsing activity and device communications
• Redirect DNS queries to intercept web traffic or serve phishing pages
• Act as a persistent foothold for deeper network intrusions
• Collect metadata about every device connected to your home network, including model, operating system, and usage patterns

Unlike your phone or laptop, most consumers never update their router firmware. Many routers run outdated software for years, leaving known vulnerabilities unpatched.

How to Protect Your Home Network

Regardless of your router brand, basic network hygiene can reduce your exposure:

• Update your router firmware regularly. Check the manufacturer's website for the latest version at least quarterly
• Change the default administrator password. Many attacks exploit routers that still use factory credentials
• Disable remote management features unless you specifically need them
• Use encrypted DNS services like DNS over HTTPS to prevent traffic interception at the router level
• Consider routers from manufacturers based in countries with strong consumer privacy protections

The Texas lawsuit may not result in an immediate change for TP-Link users. But it highlights a growing concern: the device that connects everything in your home to the internet deserves the same security scrutiny as your phone or computer.