TP-Link's European sites are falling behind when it comes to providing firmware updates, said Daniel Aleksandersen, a Norwegian technology expert, on Monday.
Aleksandersen says there's "a 29,63 % chance that you’re either getting outdated or no firmware at all by visiting your local TP-Link website."
The expert found this out the hard way when he bought a TP-Link network repeater last month and tried to download the latest firmware from TP-Link's Norwegian website, only to find that the site was two firmware versions behind the TP-Link Denmark and Sweden portals.
This discovery led Aleksandersen to start a research project on the firmware versions TP-Link was providing to users across its European sites for nine randomly-selected products. The results of this study are available in this OpenOffice spreadsheet.
According to Aleksandersen, only the Czech Republic, Finland, France, Italy, the Netherlands, and Romania have the latest firmware versions available for download on their regional sites, for the nine products he selected.
The country with the fewest firmware updates available on TP-Link's regional sites was Switzerland, but this was because Switzerland only recently got on board with EU electronics standards and fewer firmware releases were available overall.
The expert pins the blame on TP-Link alone. This shouldn't have been an issue in the first place. EU electronics standards require hardware vendors to provide unified firmware packages that contain support for all EU languages and support for the radio frequency. Even countries not part of the EU have adopted the standard for convenience's sake.
"In essence, there should be no need for country-specific firmware for Wi-Fi networking equipment within the EEA-single-market," said Aleksandersen, who also points out that most of TP-Link's rivals —ASUS, Linksys, Netgear, and others— provide one single "global" firmware download instead of country-specific versions.
The problems appear to be specific to TP-Link alone, as the company does not seem to care about customer security.
Aleksandersen says that TP-Link's websites do not provide mailing lists, syndication feeds, or other notifications so users can keep track of when the company releases new firmware versions or publishes security alerts for publicly-disclosed vulnerabilities.
If they want to make sure their equipment is secure, TP-Link customers have to visit TP-Link's websites at regular intervals and check to see if the company released new firmware. But as Aleksandersen discovered, this may not be enough for EU users, as some of the company's regional sites appear to be lagging behind.
Further, there's no firmware auto-update system implemented on TP-Link products, although there's a button in the administration panel of some devices that allows users to check for new firmware versions. Again, this requires manual action from users, as they'll have to log into their device and press the "check firmware version" button at regular intervals.
The researcher's findings are troubling in the context of the recently disclosed KRACK attack against the popular WPA2 Wi-Fi protocol. TP-Link issued a statement on the KRACK attack in mid-October, but the announcement only included a list of affected products, not whether firmware updates are available. The company has not released any subsequent statement.
In light of Aleksandersen's findings, some European customers rushing to download a firmware patch against KRACK attacks may not be aware they're actually downloading two-year-old firmware.