[PSA] Newer TP-Link Routers send ALL your web traffic to 3rd party servers

This makes me wonder about all routers that have some kind of addition like TP-Link HomeCare built in.

ASUS has such a thing as AIProtection which uses TrendMicro.
Even my TP-Link Router (Archer AX50 Intel-Lantiq WiFi6 chipset) phones home to TrendMicro.

If this particular router phones home to an Antivirus endpoint like Avira, we are all going to have to check our routers regardless of the brand if they have built security additions like this.

That’s not only incredibly suspect, but depending on what data they’re sending, potentially unlawful.

hmm… Gamers Nexus has been on a roll with customer advocacy lately. I wonder if their team has any ideas to get something like this some visibility. This is definitely a privacy issue if not also a performance one.

After being bitten a couple times over the years by buying routers/network devices with poor support for third party and/or slow to nonexistent security patches (I guess I was spoiled by my linksys wrt54gs back in the day) this is the first thing I check nowadays. I don’t think the average user has any idea.

Paging U/Gamers-Nexus (not sure if this is an official account).

This would have been a cool thing for smallnetbuilder to look into but I don’t think they are very active any more.

Never use a router if it can't run OpenWrt!

I checked GN website, [email protected] is the contact. I sent them a link to this thread with a small message.

Thank you for letting us know.

Just flash it with OpenWRT; I never use original router firmware since I learned about OpenWRT.

This is huge and probably very illegal in Europe. I would like to know if a European customer can reproduce. If so, bring Avira down with GDPR requests.

I really hated my current TP-Link router as I need a mobile app just to set it up and it has no offline web interface, and guess what happens when the internet is down or the router just decided to not work? You can't access it.

Just recently I've been researching good low-power hardware to set up pfSense, as it does not work with a Raspberry Pi and a USB LAN adapter will not do, so it's either I learn how to do VLANs and buy hardware for it, or buy a PCIe LAN card and hopefully pair it with low-wattage hardware.

I had set up NextDNS on both IPv4 and IPv6 of my Deco X90, and did indeed notice tons of requests were being sent toward Avira.

I then blocked *.safethings.avira.com, and the analytics showed 440K+ blocked queries from “dfp.safethings.avira.com” and “ast.safethings.avira.com” combined within the past 24 hours, which amounted to more than 80 percent of my total queries.

Although, thanks to the more powerful CPU and RAM of the Deco X90, my router seems to be able to handle these extra requests without significant issue (CPU usage usually hovering around 20-ish percent), so I will keep these domains blocked.

Update:
I kept the *.safethings.avira.com domain block for the past week, and noticed there seem to be significant variations in the rate of DNS requests. After restarting my router it usually accumulates < 10K blocked requests/24 hours, but will sometimes flare up to the original level I wrote about above, a few requests every second, for a few hours.

I just tested the new firmware update, and it seems like my router is now consistently sending a request to “ast.safethings.avira.com” once every 5 minutes, which is a significant reduction, but it still begs the question why these requests need to be sent at all.

Not to be tin-foil hat here, but surely this is by design. How could it pass QA/Engineering muster otherwise?

Avira is owned by Norton (which did the thing with the cryptominer they installed as part of the install)

Thanks for sharing this, OP

TP-Link Korea replied…

They ignore the question ‘why is it communicating with Avira when the service is disabled?’

Update: managed to block *.safethings.avira.com on the AX73 router.
To all those whose TP-Link does not allow blocking domains in the security/firewall settings:

  1. Go to the analytics tab and verify it's working (not the best, but I failed to find anything else for free), where you can create your own denylist.
  2. Link your network to that DNS service
  3. In your router settings NETWORK > Internet > Advanced Settings enter Primary/Secondary DNS from the service where you registered.
  4. Go to the analytics tab and verify your traffic is going through that DNS.
  5. Add *.safethings.avira.com to the block list in that service
  6. Restart your router!!! Otherwise you get like 1k requests per minute.
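An added example that is not from any poster in this thread: a small Python script that does offline what the NextDNS analytics in the Deco X90 comment and the AX73 denylist steps above rely on a hosted service for. It parses DNS query log lines, matches each queried name against a wildcard denylist such as *.safethings.avira.com, reports the share of queries that would be blocked, and flags names whose peak per-minute query count looks like the "few requests every second" pattern described above. The log line format, the sample lines, and the peak threshold are constructed assumptions; a real resolver export (NextDNS, Pi-hole, dnsmasq) has its own format and would need its own parse_log.

```python
"""Added example: offline DNS query-log triage with a wildcard denylist.
Not code from TP-Link, NextDNS or anyone in the thread; the log format
and sample lines below are constructed for illustration."""
from collections import Counter, defaultdict
from datetime import datetime
import fnmatch

# Constructed sample log: "<ISO timestamp> <client IP> <queried name> <qtype>".
# One LAN client (the router itself at 192.168.0.1) queries the two Avira
# names every couple of seconds; another client makes two ordinary queries.
SAMPLE_LOG = """\
2024-03-01T10:00:00Z 192.168.0.1 dfp.safethings.avira.com A
2024-03-01T10:00:01Z 192.168.0.1 ast.safethings.avira.com A
2024-03-01T10:00:02Z 192.168.0.1 dfp.safethings.avira.com AAAA
2024-03-01T10:00:04Z 192.168.0.1 dfp.safethings.avira.com A
2024-03-01T10:00:05Z 192.168.0.1 ast.safethings.avira.com A
2024-03-01T10:00:06Z 192.168.0.1 dfp.safethings.avira.com A
2024-03-01T10:00:08Z 192.168.0.1 dfp.safethings.avira.com AAAA
2024-03-01T10:00:09Z 192.168.0.1 ast.safethings.avira.com A
2024-03-01T10:00:10Z 192.168.0.1 dfp.safethings.avira.com A
2024-03-01T10:00:12Z 192.168.0.1 dfp.safethings.avira.com A
2024-03-01T10:00:13Z 192.168.0.1 ast.safethings.avira.com A
2024-03-01T10:00:14Z 192.168.0.1 dfp.safethings.avira.com AAAA
2024-03-01T10:00:16Z 192.168.0.1 dfp.safethings.avira.com A
2024-03-01T10:00:17Z 192.168.0.1 ast.safethings.avira.com A
2024-03-01T10:00:18Z 192.168.0.1 dfp.safethings.avira.com A
2024-03-01T10:00:20Z 192.168.0.1 dfp.safethings.avira.com AAAA
2024-03-01T10:00:21Z 192.168.0.1 ast.safethings.avira.com A
2024-03-01T10:00:22Z 192.168.0.1 dfp.safethings.avira.com A
2024-03-01T10:00:30Z 192.168.0.23 www.example.org A
2024-03-01T10:01:00Z 192.168.0.23 www.example.org AAAA
"""

# The denylist pattern used by posters in the thread.
DENYLIST = ["*.safethings.avira.com"]


def parse_log(text):
    """Parse the constructed log format into (timestamp, client, name, qtype)."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines instead of crashing
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        # Normalise the name: DNS is case-insensitive and may carry a trailing dot.
        records.append((ts, parts[1], parts[2].rstrip(".").lower(), parts[3]))
    return records


def is_denied(name, denylist=DENYLIST):
    """True if the name matches any denylist pattern. fnmatch's '*' spans
    dots, so *.safethings.avira.com also covers deeper subdomains."""
    name = name.rstrip(".").lower()
    return any(fnmatch.fnmatchcase(name, pat.lower()) for pat in denylist)


def per_minute_peaks(records):
    """For each queried name, the highest number of queries seen in any one minute."""
    buckets = defaultdict(Counter)
    for ts, _client, name, _qtype in records:
        buckets[name][ts.replace(second=0, microsecond=0)] += 1
    return {name: max(counts.values()) for name, counts in buckets.items()}


def summarize(text, denylist=DENYLIST, peak_threshold=10):
    """Return totals, the share the denylist would block, per-name peak
    rates, and the names whose peak minute meets the (assumed) threshold."""
    records = parse_log(text)
    total = len(records)
    denied = sum(1 for rec in records if is_denied(rec[2], denylist))
    peaks = per_minute_peaks(records)
    noisy = sorted(name for name, peak in peaks.items() if peak >= peak_threshold)
    return {
        "total": total,
        "denied": denied,
        "denied_share": denied / total if total else 0.0,
        "peaks": peaks,
        "noisy": noisy,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['denied']}/{report['total']} queries "
          f"({report['denied_share']:.0%}) match the denylist")
    for name, peak in sorted(report["peaks"].items(), key=lambda kv: -kv[1]):
        print(f"  {name}: peak {peak} queries/minute")
    print("noisy names:", report["noisy"])
```

The threshold of 10 queries per minute is arbitrary; the useful comparison is between a name's peak minute and its steady state, which is how the firmware change from "a few requests every second" to "once every 5 minutes" would show up in a before/after run of the same script.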

They just fixed the bug yesterday.

This is their response from my BBB complaint:

Based on the recent feedback, TP-Link has identified flaws in the DNS request logic, resulting in frequent resolution requests. The company has released a firmware update to avoid the frequent queries. You can find these updates on the following FAQ: https://www.tp-link.com/us/support/faq/3329/.

Please note, DNS queries do not carry any personal information; there is no risk to our customers or their privacy. TP-Link takes user data security seriously, and the company adheres to the philosophy of transparency and openness.

If you experience any further issues, please let us know at [email protected]

Never use TP-Link. Enemy of freedom and privacy.

This is why we have 3rd party open source firmware and this is also why I swore off TP-Link hardware when they decided to block users from installing said open source 3rd party firmware.

So if a minor uses this router and their guardian hasn’t given consent to TP-Link, they’ll be breaking the law 80k+ times a day?

Yank it the hell out of your network and go buy a Cisco/Linksys.

Yeah, I think I’ll keep using my default Shaw router

I contacted support about this again, and was given a non-answer about how the requests are to check subscription status. 80K+ requests a day to check subscription status?

It would be if you were checking 1/s. Aggressive, if not actually erroneous.