Hacker News
by frogger8 1558 days ago
From the comments

Nothing in your analysis shows this. Moreover, unless you explicitly deployed a root certificate on your clients (or an app on the client did it), the router can't decode TLS traffic (deep inspection) without you getting certificate warnings on the client. In that case, the only thing the router can see is the DNS request, the IP and the TLS SNI. In short, your title is misleading.

ArmoredCavalry [S] (11 points, 14 hours ago):

I agree they couldn't be inspecting the contents of your traffic over TLS, but they could easily view destinations. I also agree there's nothing in my analysis that proves that all the requests are related to network traffic. However, if you look at the wording of the reply (directly from TP-Link) to XDA in their review, I don't see how it could be interpreted any other way. Regardless, I probably should have made my title "appears that it may send traffic-related data". I'll be happy if that isn't the case, but the lack of a clear explanation from TP-Link when I've contacted support leads me to assume the worst.

2fast2fourier (4 points, 12 hours ago):

I think it's best not to write something that damaging without proof, especially when most people only read titles. Saying they're sending metadata and violating your privacy is all you'd need to hear.


... and I don't get your point in this useless pedantry? Sure, the data in and of itself is not sent, but you seemed to imply that DNS queries don't reveal anything. In practice, you can build a good enough picture to decode what their interests are, what type of places they visit, etc., which is worrying in itself. It's like saying not to worry because they don't know you ordered a Big Mac, while the fact that they know you went to McDonald's is already creepy to a lot of people.

I think the point is the original author did not prove anything was sent to Avira in this case. All they have is speculation that "the router is making DNS queries about an Avira safe-things domain and the DNS query QPS is correlated to the amount of traffic in the network".

I agree this is tremendously bad code, but what they observed could also be perfectly explained with "some stupid code doing an Avira subscription check whenever something arrives at the router, and they do that without a cache for negative answers, and even if the feature is turned off".

So we need more evidence.

> I agree this is tremendously bad code, but what they observed could also be perfectly explained with "some stupid code doing an Avira subscription check whenever something arrives at the router, and they do that without a cache for negative answers, and even if the feature is turned off".

I do wish that it is at least Google-like (https://developers.google.com/safe-browsing/v4/update-api), and I hope that it's simply just bad code, but the simplest method to check if a domain is blacklisted is to simply send the domain; there's no hashing and canonicalisation to deal with. And before counterarguing, this already happened with Avast (https://www.howtogeek.com/199829/avast-antivirus-was-spying-...), so while I agree that stronger evidence is needed, at the same time I can definitely consider it a smoking gun.
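The comment above contrasts the lazy design (send the hostname to the reputation service) with a Safe Browsing style hash-prefix lookup. The following added example (not code from the thread, TP-Link, Avira or Google, and not Google's exact canonicalisation or wire protocol) puts the two side by side so the privacy difference is visible in what actually leaves the router. The blocklist, the 4-byte prefix length and the request/response shapes are assumptions made for the illustration.

```python
"""Naive hostname lookup vs. hash-prefix lookup against a blocklist service.

Added example; not code from the thread, TP-Link, Avira or Google. The
hash-prefix scheme is in the spirit of the Safe Browsing Update API but is a
simplified model: the canonicalisation and message shapes are assumptions.
"""
import hashlib
from urllib.parse import urlsplit

# Constructed blocklist held by a hypothetical reputation service (assumption).
SERVICE_BLOCKLIST = {"malware.example.net", "phish.example.org"}
PREFIX_LEN = 4   # bytes of SHA-256 published to clients (assumption)


# --- Design 1: the simplest thing, ship the hostname -------------------------

def naive_check_request(url: str) -> str:
    """What leaves the router under the naive design: the full hostname,
    for every single destination, whether or not it is on the list."""
    return urlsplit(url).hostname or ""


def naive_lookup(url: str) -> bool:
    return naive_check_request(url) in SERVICE_BLOCKLIST


# --- Design 2: canonicalise, hash, compare prefixes locally ------------------

def canonicalize_host(url: str) -> str:
    """Simplified canonicalisation: lowercase, strip surrounding dots."""
    return (urlsplit(url).hostname or "").strip(".").lower()


def host_expressions(host: str) -> list:
    """Suffix expressions, most specific first, so a listed parent domain
    also matches: a.b.c.d -> [a.b.c.d, b.c.d, c.d]. The bare TLD is skipped."""
    labels = host.split(".")
    return [host] + [".".join(labels[i:]) for i in range(1, len(labels) - 1)]


def full_hash(expr: str) -> bytes:
    return hashlib.sha256(expr.encode("utf-8")).digest()


# What the service publishes for the router to cache: prefixes only.
SERVICE_PREFIX_LIST = {full_hash(h)[:PREFIX_LEN] for h in SERVICE_BLOCKLIST}


def prefix_check_request(url: str) -> list:
    """What leaves the router under the hash-prefix design: only the prefixes
    that matched the locally cached list. For an unlisted host this is empty,
    so the service learns nothing about that visit."""
    return [full_hash(e)[:PREFIX_LEN]
            for e in host_expressions(canonicalize_host(url))
            if full_hash(e)[:PREFIX_LEN] in SERVICE_PREFIX_LIST]


def service_full_hashes(prefix: bytes) -> list:
    """Service side: answer a prefix with every full hash sharing it."""
    return [full_hash(h) for h in SERVICE_BLOCKLIST
            if full_hash(h)[:PREFIX_LEN] == prefix]


def prefix_lookup(url: str) -> bool:
    exprs = host_expressions(canonicalize_host(url))
    for prefix in prefix_check_request(url):
        fulls = service_full_hashes(prefix)
        if any(full_hash(e) in fulls for e in exprs):
            return True
    return False


if __name__ == "__main__":
    for u in ("https://www.mcdonalds.example.com/order",
              "http://malware.example.net/payload"):
        print(u)
        print("  naive design sends :", naive_check_request(u),
              "-> blocked" if naive_lookup(u) else "-> allowed")
        print("  prefix design sends:", [p.hex() for p in prefix_check_request(u)],
              "-> blocked" if prefix_lookup(u) else "-> allowed")
```

Both designs reach the same verdict, but for an ordinary destination the naive one transmits the hostname every time, while the prefix one transmits nothing and only contacts the service when a cached prefix hits. That is why "we only check URLs against a reputation service" is not, by itself, an answer to what the router is sending.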

There's a huge difference between sending metadata and sending everything, most notably in the bandwidth required.

If I’m reading this correctly, it’s not sending every password and username it discovers.

It’s invasive but not to the point of being a complete set of malware.

There is really no excuse for any network equipment to be sending anything at all to external parties, unless you've specifically subscribed to some service where it becomes necessary. Which the OP said they don't.

Let's be careful to not normalize this type of data exfiltration from equipment that's supposed to be yours.

This case is not that, but for instance update services and time servers are defensible reasons to connect to external parties.