Your router secretly sends your browsing data (every website you visit) to a company called NortonLifeLock for "security scanning." This is buried in a separate privacy policy that most users never see. Hackers backed by the Chinese government have turned thousands of TP-Link routers into a spy network. The U.S. government is so concerned it may ban the company entirely. Meanwhile, multiple security holes remain in the same router firmware.
What they claim: The TP-Link Deco privacy policy states that data is collected for "providing, maintaining, and improving our products and services" and implies minimal data collection for device management.
What we found: The Deco app (com.tplink.tpm5) requests 27 permissions including CAMERA, ACCESS_FINE_LOCATION, BLUETOOTH_PRIVILEGED, READ_EXTERNAL_STORAGE, WRITE_EXTERNAL_STORAGE, and SYSTEM_ALERT_WINDOW. A mesh WiFi router management app has no legitimate need for camera access, storage read/write, or privileged Bluetooth operations beyond initial setup.
What they claim: The main TP-Link Deco privacy policy does not mention Avira or NortonLifeLock by name. The HomeShield privacy policy is a separate document that users must independently discover.
What we found: The HomeShield subscription service embeds third-party SDKs from NortonLifeLock (Avira) and F-Secure Corporation directly in the router firmware. When Network Security is activated, the device collects and sends DNS queries, HTTP headers, and DHCP data to NortonLifeLock servers. The SDK selection varies by model and firmware version, meaning data collection behavior can change with firmware updates without user notification.
What they claim: TP-Link privacy policy states "We will not sell your personal information" and claims data sharing is limited to service providers.
What we found: The privacy policy simultaneously discloses sharing data with "marketing service providers" who receive "anonymized user information" for advertising purposes. The HomeShield feature sends network traffic data (DNS queries, HTTP headers) to NortonLifeLock. The Deco app includes the Google Crashlytics tracker. Data is processed across the US, Ireland, Singapore, and unspecified partner locations.
What they claim: The TP-Link Deco privacy policy discloses no specific data retention period. Users can request deletion, but they cannot opt out of administrative emails without closing their account.
What we found: The FCC filing lists the Deco X55 under TP-Link Corporation Limited (Hong Kong), while the original TP-Link Technologies is based in Shenzhen, China. Chinese law requires companies to comply with intelligence agency data requests. The corporate restructuring (splitting into HK and Shenzhen entities) was performed in 2024 during the U.S. national security investigation, raising questions about whether the restructuring changes actual data handling practices.
What they claim: HomeShield third-party SDK selection varies by model and firmware version — the data collection behavior can change with a firmware update without user notification.
What we found: The Deco X55 supports automatic firmware updates managed through TP-Link cloud. Users have no option for local-only management. Firmware updates can add, remove, or modify NortonLifeLock/Avira/F-Secure SDKs. The device processes all network traffic from every connected device. A firmware update could silently change what network data is collected and which third parties receive it.
What they claim: Three critical/high severity CVEs affect the Deco platform: CVE-2024-21833 (CVSS 8.8, unauthenticated command injection), CVE-2024-53375 (authenticated RCE via HomeShield), CVE-2026-0654 (config file command injection). Chinese state-sponsored actors have actively exploited TP-Link router vulnerabilities.
What we found: Microsoft documented CovertNetwork-1658, a Chinese state-sponsored botnet of ~8,000 compromised TP-Link routers used for password-spraying against U.S. critical infrastructure. Three U.S. federal departments (Commerce, Defense, Justice) opened investigations into TP-Link. The Commerce Department proposed banning TP-Link devices from the U.S. market. TP-Link devices were found on U.S. military bases.
What they claim: CVE-2024-53375 allows authenticated remote code execution through the HomeShield tmp_get_sites function — the OwnerId parameter is passed directly to os.execute without sanitization. Public exploit code is available on GitHub.
What we found: The HomeShield functionality that contains this RCE vulnerability is the same feature that TP-Link promotes as a "security" service for protecting your network. The vulnerability is exploitable even without HomeShield activation. The attacker gains root access and can dump any file from the device. No patch was available as of disclosure.
What they claim: The Deco X55 has 3 known CVEs including unauthenticated command injection (CVE-2024-21833) and RCE through HomeShield (CVE-2024-53375). The Deco app has SYSTEM_ALERT_WINDOW permission.
What we found: SYSTEM_ALERT_WINDOW allows the app to draw over other apps — a permission frequently abused by malware for phishing overlays and clickjacking. Combined with CAMERA, READ_EXTERNAL_STORAGE, and the router's ability to see all network traffic, a compromised Deco system (via any of the 3 CVEs) would give an attacker access to the phone's camera, files, and all network traffic from every device in the home simultaneously.
What they claim: TP-Link markets the Deco X55 as a home networking product focused on "seamless whole-home WiFi coverage" with no prominent disclosure of cloud dependency or data collection scope.
What we found: All device management requires a TP-Link cloud account — there is no local-only management option. The device has 7 hardcoded cloud endpoints (use1-api.tplinkcloud.com, euw1-api.tplinkcloud.com, aps1-api.tplinkcloud.com, devs.tplinkcloud.com, n-devs.tplinkcloud.com, time-a-g.nist.gov, time-b-g.nist.gov). As a mesh router, every packet from every device in the home passes through it.
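One way to notice when a firmware update quietly changes which third parties the router talks to (the concern raised in the firmware-update finding above) is to keep the router's WAN side behind a resolver you control and diff the names it looks up against the seven endpoints listed above. This is an added example, not code from TP-Link or from the original page; it assumes a dnsmasq-style query log and a Deco WAN address of 192.168.0.2, and the sample log lines are constructed.

```python
import re
from collections import Counter

# The seven endpoints hardcoded in the Deco X55 firmware, per the finding above.
# Note: the two *.nist.gov names are NIST's public NTP time servers, not TP-Link cloud.
KNOWN_ENDPOINTS = {
    "use1-api.tplinkcloud.com", "euw1-api.tplinkcloud.com", "aps1-api.tplinkcloud.com",
    "devs.tplinkcloud.com", "n-devs.tplinkcloud.com",
    "time-a-g.nist.gov", "time-b-g.nist.gov",
}

# dnsmasq "log-queries" line shape: "... dnsmasq[PID]: query[TYPE] NAME from CLIENT_IP"
QUERY_RE = re.compile(r"query\[[A-Z]+\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)")

def parse_queries(log_text, router_ip):
    """Yield the lowercase names that the router itself looked up (other clients ignored)."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and m.group("client") == router_ip:
            yield m.group("name").lower().rstrip(".")

def unexpected_destinations(log_text, router_ip, known=KNOWN_ENDPOINTS):
    """Count lookups by the router for names outside the known endpoint set.
    Returns {name: count}; a non-empty result after a firmware update means the
    device started talking to something new and is worth investigating."""
    counts = Counter(n for n in parse_queries(log_text, router_ip) if n not in known)
    return dict(counts)

# Constructed sample log (not captured from a real device). 192.168.0.2 is the
# assumed WAN address of the Deco sitting behind an upstream firewall running dnsmasq.
SAMPLE_LOG = """\
Mar  3 08:00:01 fw dnsmasq[812]: query[A] use1-api.tplinkcloud.com from 192.168.0.2
Mar  3 08:00:02 fw dnsmasq[812]: query[A] time-a-g.nist.gov from 192.168.0.2
Mar  3 08:00:05 fw dnsmasq[812]: query[A] example-third-party-sdk.invalid from 192.168.0.2
Mar  3 08:00:06 fw dnsmasq[812]: query[AAAA] example-third-party-sdk.invalid from 192.168.0.2
Mar  3 08:00:07 fw dnsmasq[812]: query[A] laptop-update.invalid from 192.168.0.77
"""

if __name__ == "__main__":
    for name, n in sorted(unexpected_destinations(SAMPLE_LOG, "192.168.0.2").items()):
        print(f"UNEXPECTED {name} ({n} lookups)")
```

Run it against the real log before and after each firmware update; only names the router itself queried are counted, so traffic from laptops and phones behind it does not create noise.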
What they claim: The Deco app requests CAMERA, ACCESS_FINE_LOCATION, and BLUETOOTH_PRIVILEGED permissions for a mesh WiFi router.
What we found: The Deco X55 uses Bluetooth only for initial setup pairing. The device has no camera. The router knows its own location from the network. The CAMERA permission enables QR code scanning for setup but remains available after setup. BLUETOOTH_PRIVILEGED is a system-level permission that goes beyond what BLE setup requires. ACCESS_FINE_LOCATION provides GPS-level precision unnecessary for router management.
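For the app-side permissions discussed here and in the earlier finding on the 27 requested permissions, a practical mitigation is to revoke the runtime permissions that are only needed during setup and to deny the overlay right behind SYSTEM_ALERT_WINDOW. This is an added example, not TP-Link's code or the page's own; it assumes the output layout of "adb shell dumpsys package" on recent Android builds, and the excerpt it parses is constructed.

```python
import re

PACKAGE = "com.tplink.tpm5"  # the Deco app, as identified in the finding above

# Runtime ("dangerous") permissions a router app does not need after initial setup.
# Caveat: Android gates reading the current Wi-Fi SSID behind a location permission,
# so revoking ACCESS_FINE_LOCATION may break "connected to your Deco" detection.
REVOKE_AFTER_SETUP = {
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"  # an app-op, not a runtime permission
PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")

def granted_runtime_permissions(dumpsys_text):
    """Permissions marked granted=true inside the 'runtime permissions:' block only."""
    granted, in_runtime = set(), False
    for line in dumpsys_text.splitlines():
        if line.strip().endswith("permissions:"):           # section header
            in_runtime = line.strip() == "runtime permissions:"
            continue
        m = PERM_RE.match(line)
        if in_runtime and m and m.group(2) == "true":      # install-time grants are skipped
            granted.add(m.group(1))
    return granted

def revoke_commands(dumpsys_text, package=PACKAGE):
    """adb commands that strip granted-but-unneeded runtime permissions and overlay rights."""
    to_revoke = granted_runtime_permissions(dumpsys_text) & REVOKE_AFTER_SETUP
    cmds = [f"adb shell pm revoke {package} {p}" for p in sorted(to_revoke)]
    if OVERLAY in dumpsys_text:  # requested at all -> deny drawing over other apps
        cmds.append(f"adb shell appops set {package} SYSTEM_ALERT_WINDOW deny")
    return cmds

# Constructed excerpt in the layout of 'adb shell dumpsys package com.tplink.tpm5'
# on recent Android builds (assumed layout; not captured from a real phone).
SAMPLE_DUMPSYS = """\
  Package [com.tplink.tpm5] (1a2b3c):
    requested permissions:
      android.permission.SYSTEM_ALERT_WINDOW
    install permissions:
      android.permission.INTERNET: granted=true
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET]
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET]
        android.permission.READ_EXTERNAL_STORAGE: granted=false, flags=[ USER_SET]
"""
```

Feed it the real dumpsys output (adb shell dumpsys package com.tplink.tpm5) and run the printed commands once setup is complete; the app will prompt again if it genuinely needs a permission later.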