TP-link router security issue


I am a little worried about the security issue of TP-Link routers because TP-link is a Chinese company.

I know the router cannot see the contents of the HTTPS traffic. But the router can see which websites you visited.

If I flash my TP-link router with OpenWrt, could I solve this security issue?
After I install OpenWrt, are there any other software supplied by TP-link that are running in my router?


OpenWrt does not phone home or collect that type of data (unless you specifically install packages to track and log said that information).

The boot loader (very low level software necessary for initiating the boot process) is likely 'from' TP-Link and will not be replaced when you install OpenWrt. I put 'from' in quotes because it is often something like uboot or another similar boot loader -- vendors will make certain changes to the code to make it function on their devices, but fundamentally it isn't really 'from' the vendors. However, the boot loader doesn't have any function after boot up has started.

Thanks a lot for your answers. If the boot loader 'installed by' TP-link is only responsible to load OpenWrt, is it safe to say "TP-link will not know which websites I visited after I installed OpenWrt"?

Yes, the boot loader would cannot spy on your activity.
Keep in mind, though, that your ISP can monitor (to a degree) the websites you visit and other aspects of your online experience. If you use a VPN, that prevents your ISP from being able to inspect your traffic, but the ISP itself could still potentially do that.

For the record, I don't think that TP-Link is spying on any online traffic/behaviors on their devices, although I will leave that to professional security auditors to make that determination.

Also worth noting: your typical day-to-day activities on most sites should be protected by encryption on a per-site basis (i.e. TP-Link and your ISP and anyone spying on the general traffic flowing through the pipe cannot directly view most of the specific information such as your social media or bank account information or the details what you are browsing). But it is possible to understand what sites you visit, when, and for how long.

Unless they put a TLS proxy in between…
Then they see everything with the right certs and the end user never knows.

'their devices' is kinda loose these days... a forum user recently posted that they'd enquired about an open port lan side on the router... user received no response apparently

well, may be for a mobile app... so, any audit would be best to also look at what the app is sending back to tplink... like you, i'd speculate it probably does not fit the typical definition of 'spying'... but i'm sure there is substantial probability it's more than a typical user is aware of if an app is involved...

then again... could be upnp or something I suppose and i'm just being alarmist :wink:

If anyone has physical access to a device, you can't be sure they didn't tamper with it. TP-Link manufactured it so you have to trust their entire supply chain. If you had a Netgear you'd have to trust their supply chain.

Encryption (HTTPS / TLS) is supposed to mitigate this - I don't know about what flygarn12 is saying about TLS proxies. I am not an expert.

You have to trust the entire OpenWRT supply chain when you install it. Every part of the process needs to be secure, and you have to hope that the NSA or other bodies didn't intentionally insert bugs that they will exploit. The alternative is trusting the stock TP-Link or Netgear firmware, which I think is a worse option.

Thanks for all the discussions.

My conclusion is that if you still want to buy a TP-Link router because it is cheaper, make sure you buy a model supported by OpenWrt.

The reason why TP-Link routers are cheaper because the company is subsidized by the Chinese government. Then, Chinese government possibly will order this company to spy on us.

Do you have proof of this? While I'm not saying I can personally refute your claim, I think it is incumbent on you to provide sources to support your assertion.

Obviously the Chinese government has been implicated in this type of influence in the past (for example, with Huawei and ZTE cellular base station equipment as noted in this article), but there is a major difference between the backbone infrastructure equipment and consumer routers.

1 Like