Newer TP-Link Routers send large volumes of requests to Avira servers (opens in new tab)

From the comments

Nothing in your analysis shows this. Moreover unless you explicitly deployed a root certificate on your clients (or if an app on the client did it), the router can't decode TLS traffic (deep inspection) without you getting certificate warnings on the client. In that case, the only thing the router can see is the dns request, the IP and the TLS SNI. In short your title is misleading.

permalinkembedsavereportreply [–]ArmoredCavalry[S] 11 points 14 hours ago*

I agree they couldn't be inspecting the contents of your traffic over TLS, but they could easily view destinations. I also agree, there's nothing in my analysis that proves that all the requests are related to network traffic. However, if you look at the wording of the reply (directly from TP-Link) to XDA in their review, I don't see how it could be interpreted any other way? Regardless, I probably should have made my title "appears that it may send traffic related data". I'll be happy if that isn't the case, but the lack of clear explanation from TP-Link when I've contacted support leads me to assume the worst

permalinkembedsaveparentreportreply [–]2fast2fourier 4 points 12 hours ago I think it's best not to write something that damaging without proof, especially when most people only read titles. Saying they're sending metadata and violating your privacy is all you'd need to hear.

I remember reading in the UK government's security assessment of Huawei that one of the issues is not necessarily data being sent to bad places or backdoors in the software, it's that the engineering processes behind these devices/software are completely unable to protect against any sort of supply chain attacks.

The sorts of things they highlighted were: no version control, no code review, production builds happening on arbitrary machines, no automated testing, poor access control on code, no audit trail on code changes, the list goes on, and that's just for the software side. The conclusion was that Huawei were about a decade away from being able to even claim they had no backdoors. And that's a major telecoms hardware provider, trying to sell into governments and major infrastructure projects.

I'm not in the least bit surprised that TP-Link are doing this, and also not at all surprised that when questioned on it they are (so far) unable to actually describe why it's happening or really seem to know anything about it.

I think this sort of product is built in a very different environment to what most HN users would expect.

This is why for home and small office use, I usually get AVM Fritz [1] network devices. They have been around for since forever, provide regular updates for their devices and over a long period. Their web interface allows for a lot of fine-grained configuration and their devices have been rock solid for me. They are a German company and as far as I know software development is also done in Germany, so I expect that they operate within the relatively strict privacy regulations of the EU.

[1] https://en.avm.de

That's before installing OpenWRT!

This kind of shenanigans make (once again) the case for 3rd party post market FLOSS firmware to be installed on every device I own. Sure, I spend some extra time researching which router/AP/phone/ereader/smart appliance will be compatible with OpenWRT/LineageOS/KOReader/Tasmota/ESPHome/etc., but I feel more confortable this way. I have more trust in a bunch of people doing this for owning their devices than some corporation whose goals clearly don't align with mine.

Before you say anything about this feature (which is apparently called HomeCare, https://www.tp-link.com/homecare/), you should probably know that Asus also has a AiProtection feature powered by Trend Micro (https://www.asus.com/content/aiprotection/) and D-Link having McAfee Secure Home Platform built-in (https://www.dlink.com/en/latest-news/d-link-introduces-new-e...). Definitely not vindicating TP-Link here (especially the alleged continuous querying despite the feature being off), just noting that this is not exclusive to TP-Link.

So how do we get routers that support open source firmware? It seems these things are getting more difficult to find.

TP-Link became a big no-go for me as soon as ax came out and I saw that they required account registration[0] for managing a personal, local router. Probably has to do with the fact that they're not western-owned and are 'legally required' to have such a system in order to be covered from 'borrowing' your data. I expect other vendors(Huawei,etc) to do the same, and it's insane that people don't revolt against such practices, especially considering we still have such vendors being installed by default in people's homes by the ISPs.And whilst a router is replaceable by the end user, something like an ONT is harder to find in most places, and the ISP doesn't usually give config details for an ONT.

[0] Edit: An online account for the mobile application, not the web interface of the router itself.

This was alarming since I use a TP-Link router, so I tried figuring out to what extent it's able to inspect and record regular (encrypted) traffic.

My TP-Link Archer AX50, running software version "1.0.11 Build 20210730 rel.54485(4A50)" is doing at least some sort of DPI on outgoing connections. I found a page in its settings (Advanced -> Security -> Antivirus -> History) that contains a log of connections I've made to "suspicious" domains, which include quite a few that I would consider innocuous.

After clearing that log, I loaded a few domains I'd seen in it, and verified that new entries were created. Wireshark shows that no DNS requests were made, and the DNS-over-HTTP used by Chrome didn't leak that traffic. I believe the router must be inspecting TLS headers for the ServerName field.

Didn't try to verify whether that data is being sent to a third party, but given that this thing is collecting data that it has no business looking at, it wouldn't surprise me if it's shipping it somewhere.

edit: the URL I tested with is <https://api.mangadex.org/docs.html>.

ALL routers send my web traffic to 3rd party server I would hope. I don't have a router to access all the websites on my home network after all.

Joking ofc, this is pretty bad. Terrible coding in the best case, outright spying in the worst. Neither instills a lot of confidence in TP-link.

The software answer would be easy: use OpenWRT or any other *BSD based alternative, but what about the hardware? A quick search for WAN interfaces for PCs returned nothing.

I never rued the day when I switched off the last "appliance" router after switching to a virtual router - OpenWRT running in a container on a Proxmox-managed host. I use a number of repurposed "appliance" routers (also running OpenWRT) as access points, some of them connected to additional "dumb" PoE-switches for IP-camera's. Those camera's run over their own VLAN and never get to touch the 'net, the same goes for "IoT" things (heat pump, PV-inverter etc). Xi and friends will be disappointed, even if they built backdoors in their equipment these only lead to a dead-end street.

I was annoyed by the Deco APP too. It provides remote management, which I believe that all data is forwarded through TP-Link's server.

My solution is running those devices as a Wi-Fi to LAN bridge, also setup my own NAT gateway (by bare-metal Linux, Openwrt... etc). Then blocking there devices from accessing Internet at gateway.

If I have more IoT devices at home, I will apply such policy to all of them.

Hasn't avira been just generally for a lack of better words completely fucking awful over the past year or two? The last I remember hearing about them was installing crypto miners along with their AV, which I can only imagine being bottom quality at this rate of insanely bad behaviour...

Readable link on mobile: https://www.reddit.com/r/hardware/comments/tbthjj/psa_newer_...

I setup cloudflare zero trust and started pointing my AC4000 to it, let's see what happens.

If you want to see TP-Link routers track record, and if you have an existing TP-Link router, check the updates page on their support website. Same kinds of vulnerabilities are fixed often across devices, as if not learning from their mistakes.

When it comes to budget routers I still turn to TP-Links when I can easily find a decent model on the market that is supported by openwrt.

Senior people at tp-link should go to jail for this.

GDPR fine & class-action lawsuit in 3...2...1

pwned

TP Link is a Chinese company. I won't trust them personally.

In China's current political status, it is impossible for Chinese companies to reject the autocratic government's requests for surveillance. You may endup in jail or even get killed.

Anecdotally, I've seen that TP-Link routers are ubiquitous in Chinese households. I don't draw any conclusions from that, but I did stop buying TP-Link devices.

It would be nice if the US took import controls as seriously as export controls.