Do any of you use TP-Link routers? There are disturbing reports of the "hands off these devices" kind: users report that TP-Link router firmware is sharing network traffic with third-party vendors (specifically AVIRA via HomeShield). Blog reader Marcel alerted me to the issue on Facebook (thanks for that), and I came across several reports on the subject. The background is a cloud integration of certain AVIRA features, implemented as part of a partnership between TP-Link and AVIRA. The whole thing could mean trouble for TP-Link – and can put companies or people working from home in a lot of trouble – there is, after all, a GDPR violation.
Who is TP-Link?
TP-Link is certainly known to most blog readers as a provider of inexpensive routers. I have written about TP-Link here on the blog time and again, mostly about vulnerabilities. In recent years I have formed a rather negative image of this provider, due to frequent vulnerabilities in its router firmware as well as vulnerabilities left unfixed after support ended (see the link list at the end of the article), and I do not use these devices myself. Wikipedia says: TP-Link Technologies Co., Ltd. is a Chinese manufacturer of networking products, smart home devices and phones for the home and for small and medium-sized businesses. TP-Link develops, manufactures and sells networking products worldwide, such as routers, UMTS modems, switches, wireless LAN access points, powerline adapters, ADSL modems, print servers, media converters, IP cameras, network cards, smart home devices and Power over Ethernet equipment.
TP-Link HomeCare/HomeShield (Avira)
According to TP-Link Germany's HomeCare website, TP-Link HomeCare (or HomeShield, as it is called in English-language markets) is offered with Trend Micro. HomeCare or HomeShield offers a range of features that allow users to create a personalized, secure network for the whole family. Features include antivirus, parental controls and QoS (quality of service). For example, using an app, parents can use the parental controls feature to block inappropriate content, set daily limits for total online time, or see which websites their children are accessing.
The website lists the routers that support HomeCare. According to the TP-Link description, the virus protection seems to come from Trend Micro. However, the name of the former German antivirus manufacturer AVIRA also comes up in the comments quoted below. That vendor has since been sold; the new owner is NortonLifeLock (see Avira has been sold to NortonLifeLock). I mention this simply to put things in perspective.
Data shared with third-party providers
On XDA-Developers there is this article with a review of the TP-Link Deco X68, which was the first to address a feature called HomeShield, which even costs money in a Pro version (which was mocked). The article already noted that the reviewer had noticed alarming network connections to an Avira website. Every minute, data is transferred to the Avira website, which is due to the partnership between Avira and TP-Link announced here. In the article, the reviewer states that there is no way to turn off this data transfer [from the app for configuring the features]. In addition, the router sent requests to ifconfig.me, a website that determines a user's IP address as well as other information such as the operating system, browser, and so on.
The XDA-Developers article is dated May 25, 2021. Its author asked TP-Link what the data queries to Avira were all about. TP-Link replied that the network activity [to Avira] was due to the fact that "the Avira cloud database distinguishes whether the network request is secure data or malware." A firmware update was in the works that would disable this feature if no Avira network features were enabled in the app, but there was no expected timetable for that yet, TP-Link said.
Then, on Saturday, the site PowerTechup revisited the issue in this article. The background is that several people on reddit.com are criticizing the data transfer from current TP-Link routers to Avira. The reddit.com post [PSA] Newer TP-Link Routers send ALL your web traffic to 3rd party servers… appeared 2 days ago. It states:
I recently enabled a DNS gateway to be able to see requests from my router, and network devices. Was surprised to find 80K + requests (in 24 hours) out to an Avira "Safe Things" subdomains *.safethings.avira.com (far more than any other server).
Digging into this more, I found that it is related to the built-in router security "Home Shield" that ships with newer TP-Link routers (see).
Here is the kicker though, I have the Avira / Home Shield services completely turned off (I wasn't even subscribed to their paid service for it). The router doesn't care, and sends ALL your traffic to be "analyzed" anyhow. See this response from TP Link (towards bottom of review) from last year – www.xda-developers.com. Update: I emailed reviewer to confirm TP-Link never updated him after.
I contacted support about this again, and was given a non-answer about how the requests are to check subscription status. 80K + requests a day to check subscription status? Also the rate of requests is not constant, it is higher when my internet traffic is higher. To me this lack of consistent answer / response from TP-Link is as concerning as the requests themselves. […]
So these are the same facts that I have already outlined above: the TP-Link routers transmit data to the Avira domain every minute, regardless of whether HomeCare (Home Shield) is enabled or not. That ends up with more than 80,000 requests going over the line within 24 hours. Several users have reported similar observations on Reddit. Trying to block the requests is also not an option, they say. This is because it causes the routers in question to get stuck in a retry loop. This, in turn, leads to CPU utilization spikes and causes problems with the general use of the routers in question.
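One way to make this kind of observation repeatable, as an added example that is not from the original article, the Reddit post or TP-Link: the script counts DNS queries to the two domains named above and measures whether their per-minute rate follows the rest of the network's lookups. The dnsmasq-style log format, the sample lines, the host labels and the client addresses are assumptions.

```python
import re
from collections import Counter

# Domains named in the article; every other name counts as background traffic.
WATCHED = ("safethings.avira.com", "ifconfig.me")
# Assumed input format: dnsmasq "log-queries" lines from a local DNS gateway.
LINE_RE = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d):\d\d\s+dnsmasq\[\d+\]:\s+"
                     r"query\[\w+\]\s+(\S+)\s+from\s+(\S+)$")
# Constructed sample; host labels and client addresses are made up.
SAMPLE_LOG = """\
Jun  4 10:00:02 dnsmasq[411]: query[A] x1.safethings.avira.com from 192.168.0.1
Jun  4 10:00:40 dnsmasq[411]: query[A] example.org from 192.168.0.23
Jun  4 10:01:03 dnsmasq[411]: query[A] x1.safethings.avira.com from 192.168.0.1
Jun  4 10:01:04 dnsmasq[411]: query[A] example.com from 192.168.0.23
Jun  4 10:01:04 dnsmasq[411]: reply example.com is 192.0.2.10
Jun  4 10:01:30 dnsmasq[411]: query[A] ifconfig.me from 192.168.0.1
Jun  4 10:01:45 dnsmasq[411]: query[AAAA] example.net from 192.168.0.23
Jun  4 10:02:05 dnsmasq[411]: query[A] x1.safethings.avira.com from 192.168.0.1
Jun  4 10:02:50 dnsmasq[411]: query[A] example.org from 192.168.0.23
"""

def watched_domain(name):
    """Return the watched domain that name equals or is a subdomain of."""
    name = name.lower().rstrip(".")
    return next((d for d in WATCHED if name == d or name.endswith("." + d)), None)

def summarize(log_text):
    """Count watched and other queries per minute, and totals per (client, domain)."""
    watched, other, totals = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # replies, forwards and other non-query lines
        minute, name, client = m.groups()
        dom = watched_domain(name)
        if dom:
            totals[(client, dom)] += 1
        (watched if dom else other)[minute] += 1
    return watched, other, totals

def tracks_traffic(watched, other):
    """Pearson correlation between watched and other queries per minute."""
    minutes = sorted(set(watched) | set(other))
    xs, ys = [other[m] for m in minutes], [watched[m] for m in minutes]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    norm = (sum((x - mx) ** 2 for x in xs) * sum((y - my) ** 2 for y in ys)) ** 0.5
    return cov / norm if norm else 0.0
```

Over a full day of logs, a coefficient near 1 means the lookups rise and fall with the clients' own DNS activity, while a fixed-interval check would stay flat and score near 0.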
If these devices are used for business purposes – and this also includes the use of routers in the home office – the users in question will fall into a GDPR trap. After all, IP addresses are considered personal data by data protection experts, so there would have to be a data processing agreement with Avira. However, this will hardly ever be the case – and I have not even discussed what other data flows out (I assume that the complete URLs of the Internet requests are transferred for "malware protection").
PowerTechup writes in this article that TP-Link might have to change the firmware of the routers because AVIRA is a German company and subject to the GDPR. Admittedly, AVIRA is now owned by NortonLifeLock – but TP-Link is independently subject to the GDPR when doing business in the EU. For companies, or people in the home office, however, it now means that they would have to check whether the router sends data to third-party domains – and if so, the device would have to be shut down.
Because there is then a data protection violation – which is no small matter. Just think of doctors' offices or similar sensitive areas, where all kinds of data might be sent to the Avira cloud service for verification. All in all, this is the "tip of the iceberg", as other software such as virus scanners, Office, Windows, etc. are now flirting with the manufacturers' cloud.
Bottom line: I've had the discussion with German users, who say that the router can't intercept VPN connections that are used for connecting to a company from a home office. That might be true or false – if additional software needs to be installed on a client to establish Home Shield, an interception might be possible. The point is: an administrator who is responsible for GDPR-related topics needs to check, document and regulate this.
TP-Link TL-WA701ND AP and a 'Backdoor'
0-day vulnerability in TP-Link SR20 router
Vulnerability in TP-Link-Router TL-WR841N/TL-WR841ND
Fraunhofer test: Huge security flaws in common home routers
Avira for Business discontinued – EOL on Jan. 1, 2022
Investcorp from Bahrein acquires German AV vendor Avira
Avira has been sold to NortonLifeLock