For a few years now, TP-Link has been collaborating with Avira to provide web-security features for its products, such as Wi-Fi routers. These features, marketed as HomeCare or HomeShield, are meant to protect users' connected devices against cyberattacks and other online threats.
However, a Redditor with the username ArmoredCavalry observed that their router, a TP-Link Archer AX3000, was sending loads of their data to the Avira SafeThings servers. The Redditor says that in 24 hours, more than 80,000 requests were made. They write:
I recently enabled a DNS gateway to be able to see requests from my router and network devices. Was surprised to find 80K+ requests (in 24 hours) out to Avira "Safe Things" subdomains *.safethings.avira.com (far more than any other server).
For those wondering, SafeThings is a cloud-based threat intelligence platform that analyses user traffic. Here's how Avira defines SafeThings:
Avira SafeThings is a cloud-based behavioral threat intelligence platform which interfaces with a service provider's home router. It enables a connected home to operate securely without fear of compromised IoT devices. Service providers benefit from comprehensive report management options through the SafeThings Insights and Management Centre API. Consumers gain visibility and complete control over their home devices through a custom-developed mobile app.
While Avira says that users will be in control of their devices, the Redditor claims that the service keeps running on its own even though they have not subscribed to it and all related options are disabled on their device. The user writes:
I have the Avira / Home Shield services completely turned off (I wasn't even subscribed to their paid service for it). The router doesn't care, and sends ALL your traffic to be "analyzed" anyhow.
Interestingly, XDA had already confirmed this behavior earlier: it found that the TP-Link Deco X68 exhibited the same problem, sending out data even when the service was disabled. TP-Link said at the time that a future firmware update would fix the issue, but XDA was seemingly never made aware of such an update.
The XDA review says:
TP-Link says the network activity is due to “the Avira cloud data base [distinguishing] whether [the network request is] secure data or malware.” A firmware update is in the works that will turn this functionality off if no Avira network features are enabled in the app, but there is no estimated timeline for that yet.
If you wish to check whether your own TP-Link router exhibits this behavior, you can use a DNS gateway to observe its queries.
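As an added example (not from the article, TP-Link or Avira), the script below tallies DNS queries to the safethings.avira.com zone per client from dnsmasq-style query log lines, which is what a Pi-hole or similar DNS gateway records; the log lines are constructed samples, and the log format and the threshold value are assumptions.

```python
import re
from collections import Counter

# Constructed sample dnsmasq query log lines (not a real capture).
SAMPLE_LOG = """\
Mar  3 10:00:01 dnsmasq[512]: query[A] api.safethings.avira.com from 192.168.0.1
Mar  3 10:00:01 dnsmasq[512]: query[A] telemetry.safethings.avira.com from 192.168.0.1
Mar  3 10:00:02 dnsmasq[512]: query[AAAA] api.safethings.avira.com from 192.168.0.1
Mar  3 10:00:05 dnsmasq[512]: query[A] www.example.com from 192.168.0.23
Mar  3 10:00:07 dnsmasq[512]: query[A] api.safethings.avira.com from 192.168.0.1
Mar  3 10:00:09 dnsmasq[512]: query[A] notsafethings.avira.com from 192.168.0.23
"""

# Assumed dnsmasq format: "query[<type>] <name> from <client ip>"
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)")


def matches_zone(name, zone):
    # True when name is the zone itself or a subdomain of it. The match is
    # on a label boundary, so "notsafethings.avira.com" is not a false hit.
    name = name.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def count_zone_queries(log_text, zone="safethings.avira.com"):
    """Return {client_ip: Counter({query_name: count})} for queries under zone."""
    per_client = {}
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m or not matches_zone(m["name"], zone):
            continue
        name = m["name"].lower().rstrip(".")
        per_client.setdefault(m["client"], Counter())[name] += 1
    return per_client


def noisy_clients(per_client, threshold):
    """Clients whose total queries under the zone exceed threshold (assumed value)."""
    return sorted(ip for ip, c in per_client.items() if sum(c.values()) > threshold)


if __name__ == "__main__":
    hits = count_zone_queries(SAMPLE_LOG)
    for ip, names in hits.items():
        print(ip, sum(names.values()), dict(names))
    print("clients above threshold:", noisy_clients(hits, 3))
```

On a real gateway, point `count_zone_queries` at the full query log and look at which client address carries the bulk of the zone's traffic; in the article's case that address would be the router itself rather than a client device.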