They accuse TP-Link of spying on their users through the DNS of their routers


If you have a router from the manufacturer TP-Link from the Archer range or a Wi-Fi Mesh system from the Deco family, it is very possible that TP-Link is sharing all the web browsing traffic you are doing with Avira, the cybersecurity company which is responsible for providing security protection when browsing the Internet thanks to TP-Link HomeCare Pro. TP-Link HomeCare Pro is software integrated into routers and Wi-Fi Mesh systems that is responsible for monitoring our connection to prevent possible attacks, however, even if you deactivate it, it seems that it continues to send all the data to Avira for its treatment and improvement of the product.

  •    Newer TP-Link routers send ALL your web traffic to third party servers… 

What is TP-Link HomeCare?

Today’s home routers and mesh WiFi systems come with a lot of additional software to protect the clients that connect to them. For example, the manufacturer ASUS with its AiProtection and AiProtection Pro uses TrendMicro technology to protect us against threats, incorporating intrusion prevention systems and is even capable of detecting if a client is infected with malware and carrying out malicious communications. The manufacturer NETGEAR also incorporates software of this style called NETGEAR Armor, and together with the collaboration of the cybersecurity company BitDefender, it is capable of providing its clients with complete protection when they connect to home WiFi.

In the case of TP-Link, we have TP-Link HomeCare, which also uses TrendMicro services to adequately protect its clients, whether they are wired or WiFi clients. However, some high-end routers and Wi-Fi Mesh systems incorporate TP-Link HomeCare Pro whose services are provided by the popular firm Avira droidjack. It is in this last case where they accuse TP-Link of spying on customers, even though the HomeCare Pro service itself is completely disabled.

Avira’s standard features are aimed at providing protection for users against malicious content on the Internet, it also protects against network intrusions, and is even able to detect infected devices on the network and quarantine them, just like the other manufacturers such as ASUS or NETGEAR with their protection technologies for connected clients. This security suite also incorporates basic parental control features such as content filtering and time control.

Why accuse TP-Link of spying on users?

The problem is that there is no way to disable the TP-Link HomeCare feature on routers and Wi-Fi Mesh systems, although it appears to be disabled via the GUI, actually it is not, and it keeps sending all the data to Avira for further processing. According to some users who have been able to investigate this behavior, TP-Link sends a large amount of data to Avira, around 80,000 requests in just 24 hours. Last May XDA-Developers did an in-depth analysis of the TP-Link firmware and the manufacturer told them that they were working on a firmware update to allow the Avira service to be disabled completely.

Therefore, TP-Link knew that the HomeCare service was not effectively deactivated even though it did appear as deactivated through the graphical user interface. However, it seems that the manufacturer has not followed through on what he said, at least for now. This type of data that TP-Link sends to Avira is done to improve the products and the detection of possible security threats, so all the manufacturer’s customers benefit from this “collective” traffic, however, it is very possible that TP-Link is violating the General Data Protection Regulation by sending user data to a third party without the user’s consent. When we activate AiProtection in ASUS we must always accept the terms of the agreement, indicating that you accept that this information is shared with TrendMicro, however,

About sending 80,000 requests a day, TP-Link told a Reddit user that the data was only sent to verify if the owner had activated HomeCare or not, which sounds like an excuse because they are sending a huge amount of information, from order of one request per second. Many Reddit users have intervened indicating that they are also affected, and it is not possible to block the output of these packets because they continually retry and generate high CPU usage spikes and cause problems with general router usage. Other users signed up for the free version of HomeCare to see if this behavior would change, but it’s exactly the same. On the plus side, Avira is a company in Germany and is required to comply with the GDPR, so it might be forced to change how its service works.

Therefore, if you have a router or a Wi-Fi Mesh system with TP-Link HomeCare where Avira is used, know that right now they are sending a large amount of information even if it appears as disabled.

Home Shield by Avira

Going deeper into this, I found out that it is related to the “Home Shield” integrated router security that ships with newer TP-Link routers: -manufacturers

Here’s the kicker though: I have Avira/Home Shield services completely turned off (I wasn’t even subscribed to their paid service). The router doesn’t care and sends ALL your traffic to be “scanned” anyway. See this answer from TP Link (towards the bottom of the review) from last year