Certain TP-Link routers seem to share information about dns requests with Avira

Spread the love

Newer TP-Link routers seem to send data about numerous DNS requests to security company Avira, without the user’s knowledge or consent. The devices would do that for safety and it cannot be turned off.

According to a Reddit user and a reviewer from XDA, there are a lot of requests: XDA speaks of 42,000 and the Reddit user of more than 80,000 in a day. They are sent to *.safethings.avira.com. This is most likely done in the context of the HomeShield security service of the routers, which is provided by Avira on the cloud side. In that area, TP-Link offers three options: service off, the free variant and the paid subscription form.

What is striking, however, is that these tens of thousands of requests continue to be sent to Avira when the HomeShield service is turned off. That’s not the intention, TP-Link told XDA in May last year: “a firmware update to disable this functionality if Avira features are not enabled is in the works, but there is no timeline for it yet.” , the XDA reviewer reported at the time, based on a response from the company. That was in May of last year and the problem is still there.

The Reddit user claims that TP-Links customer service told him or her that the 80,000+ daily requests were to check the user’s subscription status. That doesn’t seem logical, given that according to the Reddit user, the amount of traffic to the Avira domain increases when the general internet traffic increases and there is no reason to check 80,000 times a day to see if the user has a subscription. TP-Link has not yet responded further.

If TP-Link doesn’t disable the feature, blocking the domain in, say, a Pi-Hole would still be an option, but that leads to another problem. The Redditor reports that the routers keep trying constantly in the event of a blockage, resulting in sky-high CPU usage on the router. That means degraded network performance and higher power consumption. An attempt to spoof the server also failed.

Although Avira can indeed use the data for malware detection and help the router owner with that, theoretically the data can also be used to set up advertising profiles. Advertisers are willing to pay for information that helps them create more targeted ads.

The routers where this behavior has been observed are the 2021 Archer AX55 and the 2022 Deco X68. According to TP-Link itself, the HomeShield service can also be found on four other models: the Deco X90, Deco X55, Archer AX90 and the Archer AX73. The Decos are mesh sets and the Archers are separate routers.

Avira also offers an antivirus package. This includes an optional cryptominer, as it turned out earlier this year. Sister company NortonLifeLock offers that in its antivirus too.

Image via XDA

You might also like
Exit mobile version