For several years, networking equipment company TP-Link has partnered with Avira to secure products like Wi-Fi routers. The HomeCare and HomeShield features are here to protect users from cyber attacks and other threats, but it seems that the companies’ cooperation involved the transfer of user data to Avira as well.
According to a Reddit user with the nickname ArmoredCavalry, his TP-Link Archer AX3000 router transmitted a huge amount of data to the Avira SafeThings (*.safethings.avira.com) servers: in just 24 hours, more than 80,000 requests were registered, mainly to these platforms, as well as to other services.
I recently enabled a DNS gateway to be able to see requests from my router, and network devices; to find 80K+ requests (in 24 hours) out to an Avira “Safe Things” subdomains *. (far more than any other server).
SafeThings is a cloud-based cyber threat prevention platform that evaluates user traffic. Avira itself reports that this service interacts with home routers to avoid compromising IoT devices. By design, users are supposed to have full control over home devices through a dedicated application.
TP-Link routers caught transmitting traffic to a third-party company
Avira SafeThings is a cloud-based behavioral threat intelligence platform which interfaces with a service provider’s home router. It enables a connected home to operate securely without fear of compromised IoT devices. Service providers benefit from comprehensive report management options through the SafeThings Insights and Management Centre API. Consumers gain visibility and complete control over their home devices through a custom developed mobile app.
Although Avira claims that users get control over devices, it turned out that the service continues to work even without a subscription. Moreover, the router transmits data even if all related Avira/Home Shield services are turned off in the router settings: “the router doesn’t care and sends ALL traffic for further analysis anyway,” said ArmoredCavalry.
I have the Avira / Home Shield services completely off (I had no subscription to their paid service for it). The router doesn’t care, and sends ALL your traffic for analysis.
Notably, similar findings appeared earlier on the XDA portal, which reported that a similar problem was present in the TP-Link Deco X68. When asked, the company promised to fix the problem in a future firmware release, and XDA clarified that the router manufacturer did not give an exact deadline for the fix.
TP-Link says the network activity is due to “the Avira cloud data base [distinguishing] whether [the network request is] secure data or malware.” A firmware update is in the works that will turn this functionality off if no Avira network features are enabled in the app, but there is no estimated timeline for that yet.
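The per-device DNS tally that surfaced this behaviour can be reproduced from any resolver's query log. The following is an added example, not code from the Reddit post or from TP-Link/Avira: it assumes dnsmasq-style `query[...] name from client` log lines, and the sample log, client addresses and subdomain labels are constructed. Only the suffix safethings.avira.com comes from the article. A DNS log shows which device asks for which name and how often, not what is sent afterwards.

```python
import re
from collections import Counter

# Assumption: dnsmasq-style query lines, as written with "log-queries" enabled.
QUERY_RE = re.compile(r"query\[[A-Z0-9]+\] (?P<name>\S+) from (?P<client>\S+)")
WATCHED_SUFFIX = "safethings.avira.com"  # suffix reported in the article

def matches_suffix(name, suffix):
    """True for the zone itself or a real subdomain, not for lookalikes."""
    name = name.rstrip(".").lower()
    return name == suffix or name.endswith("." + suffix)

def summarize(lines, suffix=WATCHED_SUFFIX):
    """Per client: total queries, queries under the suffix, and their share."""
    total, watched = Counter(), Counter()
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # forwarded/reply/cached lines and unrelated syslog noise
        total[m.group("client")] += 1
        if matches_suffix(m.group("name"), suffix):
            watched[m.group("client")] += 1
    return {c: {"total": total[c], "watched": watched[c],
                "share": watched[c] / total[c]} for c in total}

def flag_clients(summary, min_share=0.5):
    """Clients whose DNS activity is dominated by the watched suffix."""
    return sorted(c for c, s in summary.items() if s["share"] >= min_share)

# Constructed sample log: 192.168.0.1 plays the router, 192.168.0.23 a LAN client.
SAMPLE_LOG = """\
Jan 10 12:00:01 dnsmasq[411]: query[A] node1.safethings.avira.com from 192.168.0.1
Jan 10 12:00:01 dnsmasq[411]: forwarded node1.safethings.avira.com to 192.0.2.53
Jan 10 12:00:02 dnsmasq[411]: query[A] node2.safethings.avira.com from 192.168.0.1
Jan 10 12:00:03 dnsmasq[411]: query[AAAA] NODE1.SafeThings.Avira.com. from 192.168.0.1
Jan 10 12:00:04 dnsmasq[411]: query[A] example.org from 192.168.0.1
Jan 10 12:00:05 dnsmasq[411]: query[A] example.org from 192.168.0.23
Jan 10 12:00:06 dnsmasq[411]: query[A] safethings.avira.com.example.net from 192.168.0.23
Jan 10 12:00:07 dnsmasq[411]: query[A] xsafethings.avira.com from 192.168.0.23
"""

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    for client, stats in sorted(report.items()):
        print(client, stats)
    print("dominated by watched suffix:", flag_clients(report))
```

Running the same tally before and after toggling the Avira/HomeShield settings, or after a firmware update, shows whether the router's query volume to that suffix actually changes.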