@RSF 

There is not a way to disable remote access once the Deco as it is a cloud based device.

What it will come down to is practicing safe habits that apply to other things such as banking or email. Make sure your password is not easily guessed, your TP-Link ID can go up to 32 characters, you can have certain special characters too (https://community.tp-link.com/us/home/kb/detail/263). And the most important thing is to not share your login credentials.

This sounds like a critical vulnerability. Is the remote management at least end-to-end encrypted? If it’s not then any Deco owner is vulnerable to a hostile government that sends a warrant compelling tplink to give it control of the customer’s Deco. 

End to end encryption should be the default combined with optional 2FA. 

Agree with Mark. Given the list of controls available on the P9s I just bought I see absolutely no reason for any of those features to be accessible from outside of the LAN (setting up a VLAN, blacklisting, LED control, operating mode etc...). I've resorted to setting up MAC filtering to block all of the nodes from communicating with the Internet.

(Apologies for the late bump)

@Tony Which is fine as long as TP-link never ever suffer a password data breach, at which point there's potential for an attacker to tinker with people's networks.

It'san unacceptable policy. Users should have the option to allow cloud management or disable it and rely on local web-based management.

@Tony 

Hello,

I know, it is an old topic but looks like the issue is the same.

I have just set up my three Deco S4 units as APs and I blocked them to access the internet (on my firewall). My Deco app can't recognise them anymore despite my phone is on the network which was created by the same Deco units. 

Is there a way to set my Deco app to find the Deco units on the local network? Or it is only checking some sort of Cloud account where the Decos wanted to check-in?

If I can't have the app working with the S4 units without your cloud service, can you recommend another of your products that can be used as mesh APs and happy to work without internet access (like the BT Whole Home WIFI)? After all, I don't really need a cloud account, I need only local Access Points. 

Thank you.

@TP-Link I layed out a couple specific scenarios in which the cloud management feature introduces large security risks. Saying "there is no risk" either indicates you didn't even read my post before replying or you know nothing about security.

@Mark123 Exactly. In my other thread he said that there are no plans to allow users to disable this feature. These units need to be returned. The security risk is huge. I am waiting for they day they are hacked and everyone is pissed.