TP-Link product packaging

TP-Link serves outdated or no firmware at all on 30% of its European websites

The Chinese network equipment manufacturer TP-Link has 60 country-specific websites around the world, out of which 24 are in Europe. While we’re still waiting for TP-Link to release firmware updates addressing last month’s KRACK Attack Wi-Fi vulnerabilities disclosures; I had a look to see how up-to-date each of these 24 websites were in terms of available firmware releases. The results were discouraging to say the least.

Europe has a single “harmonized standard” for radio equipment including WiFi enabled devices. Well, Switzerland and Turkey wasn’t fully on board until directive 2014/53/EU went into effect  — but in essence there should be no need for country specific firmware for Wi-Fi networking equipment within the EEA-single-market.

TP-Link distributes a few different regional variants of their firmware, but the European market — with some exceptions that I’ll get back to later — gets the same EU variant of the firmware. This EU variant should meet European regulations and contains every language the device is capable of in one package. So whether you’re downloading from the French or the Polish TP-Link website you’ll end up downloading the exact same file.

I bought a TP-Link RE650 repeater last month, and noticed that my local TP-Link website here in Norway was two firmware releases behind the neighboring countries of Denmark and Sweden. After some digging around, I found more discrepancies with which TP-Link product had which firmware version in which country. I decided to dig a bit further.

I looked into nine TP-Link products that are sold in Europe, and checked the firmware version for the product offered in each of TP-Link’s 26 European websites (some countries have multiple languages but I found no difference between different languages within the same country). Eight of the products were randomly selected plus the RE650 that I own myself (which is the same as the cheaper RE500 without the performance cap). These were the products I tested — spanning multiple product categories, performance and price ranges, and release years:

  • AD7200 V2
  • Archer C3200 V1
  • AP500 V1
  • RE305 V1
  • RE650 V1
  • TL-PA9020P V1
  • TL-WA801ND V5
  • TL-WA850RE V2
  • TL-WR802N V4

That means that I checked a total of 216 support pages for their firmware version.

You can skip to the end and dig into the raw spreadsheet with my findings, or continue reading my analysis.

The state of TP-Link firmware distribution in Europe

Only the Czech Republic, Finland, France, Italy, the Netherlands, and Romania have the latest firmware versions available for all products listed on their regional websites. In other words, there are problems on 75 % of TP-Link’s European websites. If we extend that list to include countries with two or fewer missing firmware releases but no outdated firmwares, we can add Germany, Greece, and Poland to the list. That still leaves 62,5 % of the TP-Link websites in Europe with outdated or missing firmware releases.

Only three of the tested products had firmware releases available in every region, and only one of those had the most recent version available in all regions (two years since the first and only update).

25 of the firmware listings, or 11,57 %, were outdated as compared to the most recent version of the EU specific firmware release that is distributed within Europe. Firmware releases were unavailable for 39 (18,06 %) products. These numbers stack on top of each other, creating a 29,63 % chance that you’re either getting outdated or no firmware at all by visiting your local TP-Link website.

On some product pages in some countries (it seems entirely random which ones), there is a big red warning informing you that you shouldn’t install TP-Link firmware from any regional website except the one where you bought the product. However, within the EU I only found three products (33 % of products tested) that had anything but the unified EU-market variant and all of those were releases specific for the United Kingdom. Two of the UK specific firmware releases were as much as 6 months to a year out of date compared to the EU firmware. Notably, two of the UK specific firmware releases were for products that stick directly into power sockets. The UK’s power socket isn’t compatible with the power sockets most common in the rest of Europe.

I find it a bit weird that TP-Link added a big red warning for a problem affecting only 1,39 % (or 33 % within the United Kingdom) of their European regional websites given the more serious problem of outdated firmware. I’ll not say they are wrong to discourage users from installing firmware blobs from other markets, but the problem here is that TP-Link doesn’t serve the European market well. Users may be better off by not heeding their warning.

There are fewer firmware updates available in Switzerland than any other country; until recently they were not on-board with the unified European standard. All the updates that are available in Switzerland use the standard EU-variant of the TP-Link firmware. However, Austria, Belgium, and the Baltic countries also have fewer firmware releases than other countries, although I did confirm with a few web searches that most of the tested products were available for sale in at least two online stores operating in each country.

This all sounds pretty bad. The most recent European firmware versions can be as much as a year out of date compared to the US-specific firmware variant. Notably, the changelogs for the newer US-firmware include changes that don’t appear to be region specific in any way.

No auto-update

TP-Link has no auto-update in place for any of their products, as far as I can tell. I could only confirm this with my own RE650. Though, I also looked into other TP-Link products through the web interface emulators that TP-Link offers on its website and saw no evidence of automated firmware updates being an option.

You can login to the web interface of your router and manually check for and apply updates.

I reached out to TP-Link to inquire about how customers can keep themselves up to date on firmware updates. They offer no emailing lists, syndication feeds, or other notifications when your product is updated. A support technician who shall remain nameless stated that it’s “not suggest you update the firmware if the device is working fine.” The same technician also offered to personally email me if there was a new firmware update available. However, the firmware version offered in my country was already two releases behind when this email exchange took place. These emails were exchanged only a week prior to the KRACK Attack vulnerabilities were disclosed publicly.

Separately, I emailed TP-Link about methods for receiving security advisories. TP-Link publishes them on a dedicated support page, but there is no email list, syndication feed, or other method to be notified of new disclosure. TP-Link hasn’t responded to this email in well over a month. Again, this message was sent a week before the KRACK Attack disclosure.

Not only is TP-Link’s firmware distribution in Europe very unreliable and convoluted; but the customer is entirely responsible for periodically checking for and applying new firmwares themselves. I doubt many TP-Link customers care enough to check and update their firmware on a regular basis.

Conclusions

TP-Link’s firmware distribution seems to be a bit of a mess, to be honest, and the mess appears to be entirely of TP-Link’s own making.

The lack of auto-update combined with unreliable information on TP-Link’s website depending on what country you’re really makes it difficult for customers to keep their firmware up to date.

We’re a month in to the KRACK Attack vulnerability disclosure, and TP-Link hasn’t yet released updates for any of their products. Not that it’s likely that TP-Link would manage to actually release new updates to every customer’s regional website, nor would their customers would have any way of knowing about any updates.

I briefly looked into the firmware distribution of ASUS, Linksys, Netgear, and other competitors — and they all have a single global firmware download; or two–three regional variants at the most all being offered on the same download page. I even looked specifically at other products built with the same networking chipsets as TP-Link products uses: they still only have one–two different firmware variants being distributed globally.

Stay well away from TP-Link products if you’re any bit conscious about the security of your devices.