Ctrl.blog

The state of TP-Link firmware distribution in Europe

Only the Czech Republic, Finland, France, Italy, the Netherlands, and Romania have the latest firmware versions available for all products listed on their regional websites. In other words, there are problems on 75 % of TP-Link’s European websites.

If we extend that list to include countries with two or fewer missing firmware releases but no outdated firmwares, we can add Germany, Greece, and Poland to the list. That still leaves 62,5 % of the TP-Link websites in Europe with outdated or missing firmware releases.

Only three of the tested products had firmware releases available in every region, and only one of those had the most recent version available in all regions (two years since the first and only update.)

25 of the firmware listings, or 11,57 %, were outdated as compared to the most recent version of the EU specific firmware release that’s distributed within Europe. Firmware releases were unavailable for 39 (18,06 %) products.

These numbers stack on top of each other, creating a 29,63 % chance that you’re either getting outdated or no firmware at all by visiting your local TP-Link website.

On some product pages in some countries (it seems entirely random which ones), there’s a big red warning informing you that you shouldn’t install TP-Link firmware from any regional website except the one where you bought the product.

However, within the EU I only found three products (33 % of products tested) that had anything but the unified EU-market variant and all of those were releases specific for the United Kingdom. Two of the UK specific firmware releases were as much as 6 months to a year out of date compared to the EU firmware.

Notably, two of the UK specific firmware releases were for products that stick directly into power sockets. The UK’s power socket isn’t compatible with the power sockets most common in the rest of Europe.

I find it a bit weird that TP-Link added a big red warning for a problem affecting only 1,39 % (or 33 % within the United Kingdom) of their European regional websites given the more serious problem of outdated firmware.

I’ll not say they are wrong to discourage users from installing firmware blobs from other markets, but the problem here’s that TP-Link doesn’t serve the European market well. Users may be better off by not heeding their warning.

There are fewer firmware updates available in Switzerland than any other country; until recently they were not on-board with the unified European standard. All the updates that are available in Switzerland use the standard EU-variant of the TP-Link firmware.

However, Austria, Belgium, and the Baltic countries also have fewer firmware releases than other countries, although I did confirm with a few web searches that most of the tested products were available for sale in at least two online stores operating in each country.

This all sounds pretty bad. The most recent European firmware versions can be as much as a year out of date compared to the US-specific firmware variant. Notably, the changelogs for the newer US-firmware include changes that don’t appear to be region specific in any way.

No auto-update

TP-Link has no auto-update in place for any of their products, as far as I can tell. I could only confirm this with my own RE650. Though, I also looked into other TP-Link products through the web interface emulators that TP-Link offers on its website and saw no evidence of automated firmware updates being an option.

You can login to the web interface of your router and manually check for and apply updates.

I reached out to TP-Link to inquire about how customers can keep themselves up to date on firmware updates. They offer no emailing lists, syndication feeds, or other notifications when your product is updated. A support technician who shall remain nameless stated that it’s “not suggest you update the firmware if the device is working fine.”

The same technician also offered to personally email me if there was a new firmware update available. However, the firmware version offered in my country was already two releases behind when this email exchange took place. These emails were exchanged only a week before the KRACK Attack vulnerabilities were disclosed publicly.

Separately, I emailed TP-Link about methods for receiving security advisories. TP-Link publishes them on a dedicated support page, but there’s no email list, syndication feed, or other method to be notified of new disclosure. TP-Link hasn’t responded to this email in well over a month. Again, this message was sent a week before the KRACK Attack disclosure.

Not only is TP-Link’s firmware distribution in Europe very unreliable and convoluted; but the customer is entirely responsible for periodically checking for and applying new firmware themselves. I doubt many TP-Link customers care enough to check and update their firmware on a regular basis.

Conclusions

TP-Link’s firmware distribution seems to be a bit of a mess, to be honest, and the mess appears to be entirely of TP-Link’s own making.

The lack of auto-update combined with unreliable information on TP-Link’s website depending on what country you’re makes it difficult for customers to keep their firmware up to date.

We’re a month in to the KRACK Attack vulnerability disclosure, and TP-Link hasn’t yet released updates for any of their products. Not that it’s likely that TP-Link would manage to release new updates to every customer’s regional website, nor would their customers would have any way of knowing about any updates.

I briefly looked into the firmware distribution of ASUS, Linksys, Netgear, and other competitors — and they all have a single global firmware download, or two–three regional variants at the most all being offered on the same download page.

I even looked specifically at other products built with the same networking chipsets as TP-Link products uses: they still only have one–two different firmware variants being distributed globally.

Stay well away from TP-Link products if you’re any bit conscious about the security of your devices.