For many who work from home or in small offices, the router is one of the most important ways of staying safe online. Routers firewall the outside world, usually keeping much bad stuff away from our work. But what happens when your router itself is compromised?
The Netgear vulnerability
On Monday, ZDNet reported on a flaw in some of Netgear’s most powerful and highly-rated routers. An exploit allows malicious commands to be injected into the routers through a URL, effectively allowing hackers to take over the box, and then tunnel into your network.
Not good. Carnegie Mellon’s CERT team advised: “Users who have the option of doing so should strongly consider discontinuing use of affected devices until a fix is made available.”
An alternative approach was recommended that, ironically, used the vulnerability itself. It’s possible to issue a command using the vulnerability to disable the internal web server inside the router. Unfortunately, that makes it difficult to configure the router, since that’s done with the internal web server. Worse, it only lasts until the router restarts, so a single power outage could open the vulnerability back up.
Ars Technica reports that while Netgear has acknowledged the vulnerability, the company has not made any comments about when a fix will be forthcoming.
The traditional router company problem
Netgear is not alone in failing to protect its customers proactively.
Last year, we reported about how most Asus routers had a bug where the routers could be hijacked. In July, we reported how 400,000 D-Link Wi-Fi devices had a serious security hole. Just last month, we reported how the Miral botnet was able to exploit Zyxel and Speedport routers in Europe.
The problem with each of these devices is that while their firmware is upgradeable, not all of them get regular updates. While the consumer router companies do understand that their reputation is on the line, they are fundamentally hardware vendors and not security researchers.
Most consumers are unlikely to go into their router’s configuration panel and download and install firmware updates. Worse, some firmware updates don’t preserve router settings, causing an existing configuration to be overwritten as part of the update process.
Traditional routers have another classic challenge: reach. Most traditional routers don’t reach throughout an entire home or office, and so there are always dark zones, areas of low signal strength.
To combat this, most router companies have offered Wi-Fi bridges, repeaters, and even power-line network adapters as a way to extend the network.
The problem is that these approaches have been unreliable to operate and difficult to set up. They often require the creation of a second subnet with a second SSID, making it quite difficult to share internal networking resources across the bridge.
Enter the age of the mesh
In the past year, a new class of product has been introduced: the mesh router package. Generally, these devices consist of a group of smartphone-app controlled devices, all of which have their own internal smarts to set up and configure the network.
There are a number of vendors playing in this space, including Netgear’s Orbi, Luma’s mesh, and the Eero. Each promises to blanket your home or office with Wi-Fi signals, while making configuration seamless and easy.
These products are not cheap. You’re likely to spent three to four hundred dollars or more by the time you’re done equipping your space with mesh nodes. But they generally do a pretty good job of projecting your network throughout your home or office.
While their interface style is far more app-centric than the old style web-based interface that would make only an IT guy happy, these companies don’t really have the resources to stay ahead of every exploit and vulnerability that may be aimed at their products.
But, as Yoda once said, “There is another.”
Google OnHub and Google Wifi
About a year and a half ago, Google introduced an ambitious design into the router space called OnHub, a device that looks like a slightly up-designed Amazon Echo. It was a product created by Google but sold by partner manufacturers, in this case Asus and TP-Link.
The device, which is still on the market, was introduced with a lot of technology, including a pile of Wi-Fi antennas, along with ZigBee and Bluetooth. It also has a speaker, a USB port, and, in the Asus model, some sort of wacky gesture tracking.
Although the device was reasonably well-regarded as a Wi-Fi access point, at over $200 and with most of the inside tech not yet enabled, it seemed to be an overpriced solution.
It is, on the other hand, quite simple to set up. You use an iOS or Android app and just follow the wizard. There’s no need to specify protocols, channels, or any of the other settings we geeks have long needed to configure with pretty much any router.
Not much was subsequently heard about OnHub. For a while, it seemed like another Google experiment destined for barely-remembered ignominy on a dusty old Wikipedia page.
Then, in October, Google announced Google Wifi, which is pretty much OnHub 2.0. It is smaller (about the size of two Apple TVs stacked on top of each other) and it’s a Google-only branded product, like the Pixel.
Like the OnHub devices, one Google Wifi will act as a router. But buy a few more Google Wifi pucks and now you’ve got a mesh network.
As it turns out, OnHub also works seamlessly with Google Wifi. It’s controlled by the same app (no longer called Google On, but Google Wifi). And OnHub devices will mesh interchangeably with Google Wifi.
Each Google Wifi puck is $129. You can now also pick up the Asus OnHub for the same price. Google sells a set of three pucks for $299.
The Google advantage
On one hand, it looks like Google is simply entering the same market as Eero and Luma, with an easy-to-configure Wi-Fi network that removes all the hassles that have made setting up home Wi-Fi such a challenge for Muggles.
But step back for a second and consider the difference between some random networking startup and Google. Consider the resources, the reach, and the institutional understanding of the internet, and every node on it, that Google brings to the table.
Now, think about the exploits and vulnerabilities we discussed at the beginning of this column. Netgear clearly isn’t able to issue a Zero Day firmware update upon learning of a vulnerability. Even if they did, they’d have to somehow communicate to all their device owners and, generally speaking, get them to download and install the update.
Google, on the other hand, has enormous counter-cyberattack resources, a tremendous, definitive database of which sites have been good and which have been bad, a nearly infinite amount of bandwidth, and the ability to push updates directly to each OnHub and Google Wifi device in the field.
Yes, it does add yet another notch on Google’s Big Brother belt, because they theoretically will know even more about you than they did before. But since most of us use Google for all our web searching, most of our email, and nearly all our phone conversations, what’s a few more shared packets among friends? Besides, Google does allow you to turn off some data reporting.
The worst Google might want to do to you is feed you an ad you might actually care about. But the worst a hacker or nation-state sponsored organized crime group could do is steal your identity, penetrate your network, spam your friends and family with malware, and ruin your life.
Google wins the risk/rewards trade-off hands down.
Think about it from a business model perspective. When Netgear sells you a router, the best they might hope for is to sell you a repeater or, eventually, an upgraded router.
But Google isn’t in business to sell you routers. They want you online. They want you to be able to get online easily, stay online as much as possible, and be as safe as possible. That’s because Google makes money from just about everything you do online, not just from a one-off hardware sale once every three or four years.
Google has every reason, every motivation to want to make sure you’re safe online. It’s in their best interests. It’s a long view perspective. Combine that motivation with their enormous, bottomless resources and you can see why Google has such an overwhelming advantage over both traditional consumer and small business router vendors as well as over the new crop of mesh router startups like Eero.
There are a few trade-offs beyond the usual Google Big Brother concerns. The OnHub and Google Wifi devices have only limited configuration options. Yes, you can set up a guest network and choose your SSID, but you can’t prevent it from broadcasting.
You can’t use the Google devices as VPN endpoints. You can’t even determine your NAT address space. You’re going to be on 192.168.86.x and you’re gonna like it.
And yet, Google has added some new capabilities. You can specify a priority device and let that priority expire after a time. You can monitor device-by-device traffic. You can set up port forwarding. You can give guests access to certain devices on your network and not others. You can even control Hue bulbs and let your guests do the same.
Think about it. Just how much time do you have? How much do you want to risk your security to a company that won’t even say when they plan to issue a patch to a critical vulnerability?
I don’t yet have a lot of experience with OnHub or Google Wifi, but it looks very good on paper. That, plus the early OnHub reviews were generally good, just a bit bemused about the price and extra, unused internal tech.
I am planning to start recommending Google Wifi as the go-to solution for home and small office networking. It’s easy to set up, it’s functional, and it has Google’s deep field of experts keeping it safe.
Unlike with the Netgear, it’s unlikely you’ll wake up one Monday morning to an announcement from CERT telling you to throw out your Google Wifi because it’s been p0wn3d. That, alone, justifies my recommendation.
You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.