TP-Link says your data goes to the US, Ireland, and Singapore, and never mentions China. Yet the FCC filing for the V1 hardware names TP-Link Corporation Limited of Hong Kong as the applicant, the hardware was tested in Guangzhou, China, and the US Commerce Department has proposed banning TP-Link over national security concerns about ties to the Chinese government. The privacy policy says nothing about where your data actually originates or who at the parent company can reach it. TP-Link presents HomeShield as an optional security subscription you can choose to turn on, but the HomeShield code runs on your router whether you activate it or not, and a command-injection flaw in that always-present code (CVE-2024-53375, detailed below) lets a remote attacker take over the router. A related TP-Link router, the Archer AX3000, was documented sending more than 80,000 requests per day to a security vendor's servers even though the user had never enabled that feature.
What they claim: TP-Link Deco privacy policy states parental control browsing history "is only stored on the TP-Link product for you to review and won't be uploaded or stored on TP-Link cloud servers."
What we found: The HomeShield privacy policy contradicts this. When Parental Controls are activated, "network traffic data (including DNS/HTTP header/DHCP etc.) is uploaded to TP-Link Cloud to generate daily/weekly/monthly comprehensive reports." DNS queries and HTTP headers are browsing history in raw form, so the very data the Deco policy says stays on the product does leave it. The Antivirus feature additionally collects "client application info (IP address, requesting URL, File name, File path)", which is processed by third-party SDKs from NortonLifeLock and F-Secure embedded in the router firmware rather than in the app.
What they claim: Deco app has only one tracker (Google CrashLytics) according to Exodus Privacy analysis.
What we found: The app itself does contain only CrashLytics, but Exodus Privacy works by matching known tracker signatures inside the APK, so it can say nothing about software running on the router. The HomeShield privacy policy reveals that the router firmware contains SDKs from NortonLifeLock Inc. and F-Secure Corporation, and the Deco privacy policy separately discloses the use of web analytics services, advertising serving technologies, and third-party marketing service providers. A one-tracker result for the app is accurate but incomplete: the bulk of the data collection happens at the firmware level, where static app analysis cannot see it.
What they claim: Deco privacy policy states data is transferred to US, Ireland, and Singapore via AWS. Policy does not mention China.
What we found: The FCC filing lists the applicant as TP-Link Corporation Limited (Hong Kong), with testing performed by UL Verification Services in Guangzhou, China. The leading characters of an FCC ID are the grantee code, which identifies the company responsible for the device: the V1 hardware carries grantee code 2AXJ4 (TP-Link Corporation Limited, HK), while V2 carries 2BCGW (TP-Link Systems Inc., US), an entity created to distance US operations from the Chinese parent while the national security probe is under way. The US Commerce Department has proposed banning TP-Link over ties to the Chinese government. None of this ownership structure is reflected in the policy's list of transfer destinations.
What they claim: TP-Link Deco BE65 supports Wi-Fi 7 with 6GHz band operation as a headline feature.
What we found: The privacy policy discloses that enabling the 6GHz band and the AFC (Automated Frequency Coordination) function requires transferring information about nearby Wi-Fi networks to a Qualcomm AFC server every 24 hours so that the router's location can be determined. AFC is an FCC requirement for standard-power operation in the 6GHz band, so the upload is not something TP-Link invented, but nothing at the point of enabling 6GHz tells the user that the router will report its location to Qualcomm once a day for as long as the feature stays on. The feature is marketed as faster Wi-Fi, not as location reporting.
What they claim: FCC ID 2AXJ4BE65 lists applicant as TP-Link Corporation Limited (Hong Kong). FCC ID 2BCGWBE65V2 lists applicant as TP-Link Systems Inc. (US).
What we found: The same physical product (Deco BE65) is filed under two corporate entities and two FCC grantee codes: the V1 hardware by the Hong Kong entity (2AXJ4) and the V2 hardware by the new US entity (2BCGW). The restructuring was a response to the US national security probe, and it changes the name on the paperwork rather than the product: the firmware codebase, cloud infrastructure, and development teams are shared across both versions. The US entity exists to provide legal separation from the Chinese parent company; a buyer reading the FCC label on a V2 unit sees a US company and has no way to tell that the software and services behind it are unchanged.
What they claim: Deco privacy policy states users can opt out of data collection via app settings (About > Privacy Settings).
What we found: The app-level switch does not reach most of the collection. The Deco app includes the Google CrashLytics tracker, which sends crash and performance data to Google. INTERNET and WAKE_LOCK are install-time "normal" permissions that Android never lets the user revoke, so the app can always reach the network and keep the device awake regardless of the privacy setting. More importantly, the HomeShield SDKs from NortonLifeLock and F-Secure run in the router firmware itself, not in the app, so opting out under About > Privacy Settings does not disable data collection happening at the firmware level on the router.
What they claim: Deco BE65 connects to multiple TP-Link cloud endpoints including use1-api.tplinkcloud.com, euw1-api.tplinkcloud.com, aps1-api.tplinkcloud.com, homeshield.tp-link.com, and ntp.tp-link.com.
What we found: A mesh router is fundamental network infrastructure and should be able to operate without a vendor's servers. The Deco BE65 depends on cloud connectivity for management through the Deco app, for HomeShield features, for firmware updates, and for time synchronization via ntp.tp-link.com. The privacy policy does not disclose the full list of cloud endpoints the router contacts. If TP-Link's cloud services become unavailable, or if the US ban takes effect, users could lose management access to their own home network. The only way to learn what the router actually talks to is to log DNS at a resolver the router is made to use, because the router itself will not tell you.
What they claim: Deco privacy policy implies data collection is optional and user-controlled. HomeShield features are presented as protective security tools.
What we found: CVE-2024-53375 is a command injection in the HomeShield tmp_get_sites function: the OwnerId parameter reaches a command interpreter unsanitized, giving remote code execution. It is exploitable whether or not HomeShield has been activated, which shows that the HomeShield code is present and reachable on the device regardless of whether the user subscribed to or enabled it. "Optional" describes the billing, not the attack surface. Similarly, the TP-Link Archer AX3000 was documented sending more than 80,000 requests per day to Avira SafeThings servers even when the Avira features were not enabled.
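One way to see for yourself which endpoints the router contacts and how often, an added example that is not part of this page or of any TP-Link tooling: point the Deco's upstream DNS at a dnsmasq resolver you control with query logging enabled, then run the log through the script below. The hostnames are the ones named above; the log lines are constructed for the example, not a real capture, and 192.168.0.1 is assumed to be the Deco's address. Counting per name per day is what surfaces the kind of volume the Archer AX3000 case describes.

```python
import re
from collections import Counter

# dnsmasq "log-queries" line, e.g.
#   Jan 10 09:00:01 gw dnsmasq[2314]: query[A] ntp.tp-link.com from 192.168.0.1
LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"\S+ dnsmasq\[\d+\]: query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)$"
)

# Endpoints named on this page. Suffix match, so every *.tplinkcloud.com region
# (use1-, euw1-, aps1-) lands on the first entry.
KNOWN_SUFFIXES = {
    "tplinkcloud.com": "TP-Link cloud API",
    "homeshield.tp-link.com": "HomeShield",
    "ntp.tp-link.com": "TP-Link NTP",
}


def parse_line(line):
    """Fields of one query line, or None for anything else (replies, startup noise)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["name"] = rec["name"].rstrip(".").lower()
    rec["date"] = f"{rec['mon']} {int(rec['day']):02d}"
    return rec


def classify(name):
    """Label a queried name by the vendor endpoint it belongs to, or 'other'."""
    for suffix, label in KNOWN_SUFFIXES.items():
        if name == suffix or name.endswith("." + suffix):
            return label
    return "other"


def summarize(lines, client):
    """Queries per (date, name) for one client IP; other LAN hosts are ignored."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["client"] == client:
            counts[(rec["date"], rec["name"])] += 1
    return counts


def chatty_endpoints(counts, per_day_threshold):
    """Names whose count on any single day exceeds the threshold, with the peak count."""
    peak = {}
    for (_, name), n in counts.items():
        if n > per_day_threshold:
            peak[name] = max(n, peak.get(name, 0))
    return peak


def report(counts):
    """Rows of (label, name, date, count), busiest first."""
    rows = [(classify(name), name, date, n) for (date, name), n in counts.items()]
    return sorted(rows, key=lambda r: -r[3])


def build_sample_log():
    """Constructed log lines, not a real capture. 192.168.0.1 is assumed to be the Deco."""
    router, laptop = "192.168.0.1", "192.168.0.23"
    lines = []

    def queries(name, client, n):
        for i in range(n):
            lines.append(
                f"Jan 10 09:{(i // 60) % 60:02d}:{i % 60:02d} gw dnsmasq[2314]: "
                f"query[A] {name} from {client}"
            )

    queries("use1-api.tplinkcloud.com", router, 4)
    queries("ntp.tp-link.com", router, 2)
    queries("homeshield.tp-link.com", router, 250)   # one name far above the rest
    queries("example.net", laptop, 3)                 # another LAN host, filtered out
    # a reply line, which the parser must skip
    lines.append("Jan 10 09:05:00 gw dnsmasq[2314]: reply example.net is 203.0.113.5")
    return lines


if __name__ == "__main__":
    counts = summarize(build_sample_log(), "192.168.0.1")
    for label, name, date, n in report(counts):
        print(f"{date}  {n:6d}  {name:32s} {label}")
    print("above 100/day:", chatty_endpoints(counts, 100))
```

On a real deployment, replace build_sample_log() with the contents of the resolver's log file and set the threshold from a day or two of baseline; a name that appears thousands of times a day from a router with no clients behind it is the pattern worth investigating.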
What they claim: TP-Link markets the Deco BE65 as a secure home networking solution. The product page emphasizes "HomeShield" security features.
What we found: Three CVEs affect the Deco firmware lineage: CVE-2025-32107 (OS command injection, CVSS 8.0), CVE-2024-53375 (remote code execution through the HomeShield code, actively exploited, no Deco patch available), and CVE-2024-21833 (unauthenticated command injection, CVSS 8.8). All three are command injections, the same bug class recurring across releases, which says more about the firmware's input handling than any single patch does. CISA has added TP-Link vulnerabilities to its Known Exploited Vulnerabilities catalog, Microsoft identified compromised TP-Link routers in the Volt Typhoon state-sponsored hacking campaign, and the US government has proposed banning TP-Link routers over national security concerns. A product whose marketing leads with security features ships with an unpatched, exploited command injection inside one of those features.
What they claim: Deco app (com.tplink.tpm5) requests CAMERA, ACCESS_FINE_LOCATION, ACCESS_COARSE_LOCATION, READ_EXTERNAL_STORAGE, WRITE_EXTERNAL_STORAGE, and SYSTEM_ALERT_WINDOW permissions.
What we found: The Deco BE65 is a mesh Wi-Fi router; configuring one needs no camera beyond reading a setup QR code, no access to the phone's storage, and no reason to draw over other apps. The FCC filing describes it as a "BE11000 Whole Home Mesh Wi-Fi System." TP-Link justifies the camera permission by QR code scanning during setup, but the grant persists after setup unless the user revokes it. SYSTEM_ALERT_WINDOW lets the app draw over other apps, a capability with no role in router management. Fine location deserves a more careful reading: Android requires a location permission for two things a router app legitimately does, reading the SSID of the currently connected Wi-Fi network (since Android 8.1) and scanning for BLE devices on versions before Android 12, so the request is defensible at setup time. What is not defensible is holding it indefinitely; the user's remedy is to grant location "only while using the app" or for one time only, and to revoke camera and storage once setup is complete.
What they claim: Deco app requests BLUETOOTH, BLUETOOTH_ADMIN, BLUETOOTH_CONNECT, BLUETOOTH_SCAN, and BLUETOOTH_PRIVILEGED permissions.
What we found: The Deco BE65 uses Bluetooth only during initial mesh setup. BLUETOOTH_PRIVILEGED, however, is a signature|privileged permission: Android grants it only to apps signed with the platform key or preloaded in the privileged partition, so an app installed from the Play Store declares it but never receives it, and its presence in the manifest is inert. The permissions that do matter are BLUETOOTH_SCAN and BLUETOOTH_CONNECT, which on Android 12 and later are runtime permissions the user must grant. Combined with ACCESS_FINE_LOCATION (required for BLE scanning before Android 12, and on Android 12 and later unless BLUETOOTH_SCAN is declared with the neverForLocation flag), a granted scan permission would let the app keep scanning for nearby Bluetooth devices after router setup is complete and build a map of Bluetooth devices in the home. Whether it actually does so is not something the manifest can show; revoking the scan and location grants after setup removes the possibility.
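A static check of the manifest, as an added example that is neither TP-Link's code nor the Deco app's actual manifest: the script classifies each declared permission by its Android protection level and flags the ones that are inert for a third-party app, need a runtime prompt, or couple BLE scanning to location. The manifest text is constructed from the permissions listed above; the package name is the one given on this page, while targetSdkVersion 33, minSdkVersion 24 and the absence of any usesPermissionFlags are assumptions. The real APK's manifest may carry flags such as neverForLocation that change the result.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def attr(name):
    """Clark-notation key for an android: attribute."""
    return f"{{{ANDROID_NS}}}{name}"


# Protection levels per the AOSP permission reference, for the permissions this
# page lists. normal: granted at install, never revocable. runtime: user prompt,
# user can deny. special: granted through a Settings toggle. signature|privileged:
# never granted to a Play Store or sideloaded app.
PROTECTION = {
    "android.permission.INTERNET": "normal",
    "android.permission.WAKE_LOCK": "normal",
    "android.permission.BLUETOOTH": "normal",           # legacy, ignored from API 31
    "android.permission.BLUETOOTH_ADMIN": "normal",     # legacy, ignored from API 31
    "android.permission.CAMERA": "runtime",
    "android.permission.ACCESS_FINE_LOCATION": "runtime",
    "android.permission.ACCESS_COARSE_LOCATION": "runtime",
    "android.permission.READ_EXTERNAL_STORAGE": "runtime",
    "android.permission.WRITE_EXTERNAL_STORAGE": "runtime",
    "android.permission.BLUETOOTH_CONNECT": "runtime",  # API 31+
    "android.permission.BLUETOOTH_SCAN": "runtime",     # API 31+
    "android.permission.SYSTEM_ALERT_WINDOW": "special",
    "android.permission.BLUETOOTH_PRIVILEGED": "signature|privileged",
}


def audit_manifest(xml_text):
    """Parse a manifest; return target SDK, per-permission details and findings."""
    root = ET.fromstring(xml_text)
    sdk = root.find("uses-sdk")
    target = int(sdk.get(attr("targetSdkVersion"), "0")) if sdk is not None else 0
    perms = {}
    for el in root.findall("uses-permission"):
        name = el.get(attr("name"))
        perms[name] = {
            "level": PROTECTION.get(name, "unknown"),
            "max_sdk": el.get(attr("maxSdkVersion")),
            "flags": el.get(attr("usesPermissionFlags")),
        }
    findings = []
    for name, info in perms.items():
        short = name.rsplit(".", 1)[-1]
        if info["level"] == "signature|privileged":
            findings.append(f"{short}: declared but not grantable to a third-party app (inert)")
        elif info["level"] == "special":
            findings.append(f"{short}: special permission, active only if the user enables it in Settings")
        elif info["level"] == "runtime":
            findings.append(f"{short}: runtime permission, needs a user prompt and can be revoked")
        elif info["level"] == "unknown":
            findings.append(f"{short}: not in the table, look it up before judging it")
    # BLE scanning and location are coupled unless the app opts out explicitly.
    scan = perms.get("android.permission.BLUETOOTH_SCAN")
    if scan and target >= 31 and scan["flags"] != "neverForLocation":
        findings.append("BLUETOOTH_SCAN without neverForLocation: scan results may be used "
                        "to infer location, so ACCESS_FINE_LOCATION is required alongside it")
    if target < 31 and "android.permission.ACCESS_FINE_LOCATION" in perms:
        findings.append("targetSdk < 31: BLE scanning itself requires ACCESS_FINE_LOCATION")
    return {"target_sdk": target, "permissions": perms, "findings": findings}


def by_level(result, level):
    """Short names of the permissions at a given protection level, sorted."""
    return sorted(n.rsplit(".", 1)[-1]
                  for n, i in result["permissions"].items() if i["level"] == level)


# Constructed manifest: permission list and package name from this page,
# SDK versions and the lack of flags are assumptions.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.tplink.tpm5">
    <uses-sdk android:minSdkVersion="24" android:targetSdkVersion="33"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.BLUETOOTH"/>
    <uses-permission android:name="android.permission.BLUETOOTH_ADMIN"/>
    <uses-permission android:name="android.permission.BLUETOOTH_CONNECT"/>
    <uses-permission android:name="android.permission.BLUETOOTH_SCAN"/>
    <uses-permission android:name="android.permission.BLUETOOTH_PRIVILEGED"/>
</manifest>
"""

if __name__ == "__main__":
    result = audit_manifest(SAMPLE_MANIFEST)
    print("targetSdk:", result["target_sdk"])
    for line in result["findings"]:
        print(" -", line)
```

To run this against the real app, decode the APK's binary manifest first (for example with apktool or aapt2 dump xmltree) and feed the resulting XML to audit_manifest(); the interesting outputs are the inert declarations, which tell you nothing about behaviour, and the runtime ones, which are the grants worth revoking after setup.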