Chinese network equipment manufacturer TP-Link develops a security service for its routers in partnership with the German antivirus software company Avira. However, a report posted on Reddit says that “TP-Link routers are sending a large amount of traffic to Avira’s server even if related services are turned off,” and it has become a hot topic.
Privacy Concerns, Violation of GDPR.
I recently enabled a DNS gateway to be able to see requests from my router and network devices. Was surprised to find 80K + requests (in 24 hours) out to Avira “Safe Things” subdomains, *.safethings.avira.com (far more than any other server).
Digging into this more, I found that it is related to the built-in router security “Home Shield” that ships with newer TP-Link routers – https://oem[.]avira.com/en/solutions/safethings-for-router-manufacturers
Here is the kicker though, I have the Avira / Home Shield services completely turned off (I wasn’t even subscribed to their paid service for it). The router doesn’t care, and sends ALL your traffic to be “analyzed” anyhow. See this response from TP Link (towards bottom of review) from last year – https://www.xda-developers[.]com/tp-link-deco-x68-review/#:~:text=TP%2DLink%20says%20the%20network%20activity Update: I emailed reviewer to confirm TP-Link never updated him after.
I contacted support about this again, and was given a non-answer about how the requests are to check subscription status. 80K + requests a day to check subscription status? Also the rate of requests is not constant, it is higher when my internet traffic is higher. To me this lack of consistent answer / response from TP-Link is as concerning as the requests themselves.
I’m not seeing much online about this issue, as I don’t think many people realize it is even occurring (since traffic is outgoing straight from router, as opposed to an individual computer). Hoping to gain some attention on this issue and get a real answer / response from TP-Link about what exactly is going on here. As well as a concrete timeline and promise for a fix to stop these outgoing requests, when we aren’t even using their anti-virus services.
Edit: Additional details, this is on their WiFi 6 AX3000 (Archer AX55) Router. From the XDA Review looks like this is also happening on their Deco series. If you want to easily check your own router, you can use any DNS Gateway (NextDNS, Cloudflare Gateway, Pi-Hole, etc.). Just be sure to set the DNS servers under “Advanced->Network->Internet->Advanced Settings” because the DHCP DNS server setting will only apply to the devices inside the network, not the router itself.
Edit #2: I’ve also contacted Avira directly regarding the endpoints, in the hope that they’ll be more straightforward than TP-Link about the purpose. Will update here when I receive a response.
Edit #3: If anyone knows of good industry contacts, who can dig into this more or get real answers, please send a message! I’ve seen GamerNexus brought up a few times, but don’t see any contact method.
Comment from user on reddit, no source: TP-Link says the network activity is due to “the Avira cloud data base [distinguishing] whether [the network request is] secure data or malware.” A firmware update is in the works that will turn this functionality off if no Avira network features are enabled in the app, but there is no estimated timeline for that yet.
transcribed from reddit
At this time, we have yet to reach a full conclusion on this; however, it is very clear that this device sends user data to a third party without permission/consent. This would be a clear violation, at the very least, of the General Data Protection Regulation (GDPR) rules. Germany-based Avira said it would have to modify its services because it needs to be GDPR compliant.
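The check described in the Reddit post, as an added example (not code from the post, TP-Link or Avira): it reads a dnsmasq/Pi-hole style query log, counts the router's own lookups to *.safethings.avira.com per hour, and sets them beside the rest of the network's query volume so the "rate follows traffic" observation can be tested. The router address 192.168.0.1, the log format and every sample line are assumptions constructed for illustration.

```python
import re
from collections import Counter

SUFFIX = "safethings.avira.com"  # domain named in the post
ROUTER_IP = "192.168.0.1"        # assumption: the router's own LAN address

# dnsmasq/Pi-hole query line: "Sep 19 10:01:02 dnsmasq[512]: query[A] name from client"
LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d{2}):\d{2}:\d{2} dnsmasq\[\d+\]: query\[[\w-]+\] (\S+) from (\S+)$")

# Constructed sample log: host labels, clients and addresses are made up.
SAMPLE_LOG = """\
Sep 19 10:01:02 dnsmasq[512]: query[A] n1.safethings.avira.com from 192.168.0.1
Sep 19 10:01:03 dnsmasq[512]: reply n1.safethings.avira.com is 203.0.113.10
Sep 19 10:20:40 dnsmasq[512]: query[A] example.org from 192.168.0.23
Sep 19 11:00:05 dnsmasq[512]: query[A] n1.safethings.avira.com from 192.168.0.1
Sep 19 11:00:09 dnsmasq[512]: query[AAAA] n2.safethings.avira.com from 192.168.0.1
Sep 19 11:00:30 dnsmasq[512]: query[A] example.com from 192.168.0.23
Sep 19 11:02:11 dnsmasq[512]: query[A] example.net from 192.168.0.23
Sep 19 11:05:00 dnsmasq[512]: query[A] notsafethings.avira.com.example from 192.168.0.1
"""

def matches_suffix(name, suffix=SUFFIX):
    """True for the suffix itself or any subdomain, never for look-alike names."""
    name = name.lower().rstrip(".")
    return name == suffix or name.endswith("." + suffix)

def summarize(lines, router_ip=ROUTER_IP):
    """Return (router hits per hour, all other queries per hour, share of router queries)."""
    hits, other, router_total = Counter(), Counter(), 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # reply/forward/cache lines are not client queries
        hour, name, client = m.groups()
        if client == router_ip:
            router_total += 1
            if matches_suffix(name):
                hits[hour] += 1
                continue
        other[hour] += 1
    share = sum(hits.values()) / router_total if router_total else 0.0
    return hits, other, share

if __name__ == "__main__":
    hits, other, share = summarize(SAMPLE_LOG.splitlines())
    for hour in sorted(set(hits) | set(other)):
        print(f"{hour}:00  router->{SUFFIX}: {hits[hour]}  other queries: {other[hour]}")
    print(f"share of the router's own queries going to {SUFFIX}: {share:.0%}")
```

A subscription check would give a flat per-hour count; a count that rises and falls with the other-queries column matches what the post reports.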