TP-Link_Archer_AX73__V2

TP-Link Archer AX73 V2 (US)

Reviewed in May 2024 by i46 s.r.o  ⓘ    |    Conclusion of the Fast Check:   ⚠️

Important. This router has been sold by TP-Link since at least 2021. Unless a major feature, impacting the security of the router, is deployed on the router post CRA-enactment, it will not be required to comply with the CRA.

This Fast Check is for information purpose only.

I46’s analysis finds that this router is relatively well secured, but still fails to meet all the requirements of the Cyber Resilience Act. Indeed, during the analysis of the router, i46 found that three core requirements of the CRA were not met:

  • Annex I, paragraph (b): “be made available on the market with a secure by default configuration, unless otherwise agreed between manufacturer and business user in relation to a tailor made product with digital elements, including the possibility to reset the product to its original state”;

  • Annex I, paragraph (d): “ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems, and report on possible unauthorised access;”

  • Annex I, paragraph (j): “be designed, developed and produced to limit attack surfaces, including external interfaces;”

 

Below, i46 details a few core features of the router, and provides their compliance findings for each of them.

Which product should i46 review next?

Let us know which product should be reviewed next, by sending us an email to info@i46.cz

Compliance Table

Feature

Findings

Compliance with the CRA

Unique Password

OK: 8 digits password (numbers only)

🟢 Yes

Strong password enforcement

No

🔴 No

Minimal surface (physical)

The device includes RJ-45 ports, power and reset ports

🟢 Yes

Minimal surface (software)

Port 80 (http) and Port 443 (https) are open

🟢 Yes: these ports are required for device management.

Minimal surface (software)

Port 53 (Domain) is open

🔴 No: DNS server should be optional as in most cases, it is not in use.

(Severity: Low)

Minimal surface (software)

Port 1900 (UPNP) is open

🔴 No: plug-and-play can be considered a basic functionality for this router.

(Severity: Low)

Minimal surface (software)

Port 20001 (secure connection between the WiFi router and the Tether app) is open

🔴 No: while the feature is part of the main functionalities of the router, this type of port must be closed by default.

(Severity: High)

As shown in the above table, the TP-Link Archer AX73 V2 fails i46’s Fast Check.

While the device does not need to comply with the Cyber Resilience Act, due to being manufactured before the Act’s enactment, it bears highlighting that the weaknesses identified during the Fast Check means that businesses and people wishing to use this router should proceed with caution.

Who is i46?

i46 s.r.o, a Czech Republic-based company, is a specialist in cybersecurity compliance for IoT manufacturers. Their team of experts meticulously analyzes various devices within their laboratory, forming the foundation for these initial assessments.

The Fact Check service is provided by Cyber Resilience Act.eu and  i46 s.r.o., as a way to empower the community. It is important to remember that the CRA Fast Check analysis is provided “as is” and shouldn’t be considered a replacement for a comprehensive cybersecurity assessment.

If you encounter any errors in this analysis, please don’t hesitate to reach out to us at info@i46.cz.

LA MISE EN CONFORMITÉ

Je suis un fabricant d'appareils connectés

Les fabricants d'appareils connectés sont les premiers concernés par la mise en conformité. 

La loi sur la cyber- résilience modifie le mode de fonctionnement des fabricants.

Notre guide explique ce que vous devez faire, le temps dont vous disposez pour vous mettre en conformité et les conséquences juridiques de la non-conformité.

Je suis développeur de logiciels

While free and open-source software, providing that their makers do not derive any profit from their distribution, does not fall under the purview of the Cyber Resilience Act, non-embedded software and software that remote process data from IoT devices need to comply with the Act.

J'importe / je distribue / je revends

Les importateurs, les distributeurs et les revendeurs de dispositifs connectés sont soumis à de nombreuses exigences en vertu de la loi sur la cyber- résilience et, dans certaines circonstances, peuvent même être considérés comme des fabricants.

Nos guides détaillent les responsabilités de ces acteurs.