Router Security: Google Wifi and OnHub Routers
In December 2016, Google's OnHub routers were replaced with Google Wifi routers. The OnHubs were single devices; GWifi swings both ways. That is, you can buy one and use it as a single router, or you can buy two or three and use them as a mesh router system.
As for their security, David Gewirtz recommended them in December 2016. See "Sacrificing router flexibility for security with Google Wifi and OnHub". I agree with 98% of what Gewirtz wrote. If you were going to buy a router for Grandma, Google Wifi would be my recommendation. Then again, now I'm not so sure. See my blog "7 mistakes Google made updating my Google Wifi router", published May 8, 2017.
And, there are two security issues with Google Wifi routers. First, you are stuck with the 192.168.86.x subnet. Second, UPnP is enabled by default. NOTE: At the end of November 2017, an update was supposed to let you change the LAN subnet and the IP address of the router. I have yet to look into this.
This April 2017 article, "How Google wants to re-invent the router", is a puff piece that could have been written by Google's PR department. Except for one point that I had not seen mentioned anywhere else: Guest network users can see devices on the main LAN. Not good for security. Kinda makes a Guest network, not a Guest network. This is a quote from a Google person: "We've also made it really simple for you to share specific devices from your main network to your guest network. So if I want guests to be able to access my Wi-Fi but I don't want them to be able to see my hard drive and my desktop PC, I can do that. I can share my Chromecast, but not my NAS."
On the 5GHz frequency band, Google Wifi routers always use 80MHz wide channels. This is not optimal for a crowded Wi-Fi environment. The Ubiquiti AmpliFi routers default to 80MHz channels but you can change this. Eero also uses 80MHz channels all the time, but their tech support made a case to me that it will co-exist well with nearby networks on the 5GHz band. I have to dig up the exact reasons why ....
The hockey pucks always transmit to client devices on both frequency bands. This was a problem when dealing with an iPad that, for whatever reason, preferred the much more crowded 2.4GHz band. It would have been nice to disable 2.4GHz on one hockey puck to force the iPad onto the much less crowded 5GHz band. Stepping back, there are no adjustments you can make regarding which clients connect to which hockey pucks.
UPnP is on by default. Everyone does this too, but it's still miserable for the security of the Internet as a whole and Google, especially, should know better.
May 8, 2017: I blogged about 7 mistakes Google made updating my Google Wifi router.
The page here on Firmware Updating has a section on Google Wifi routers. Among the problems is that the system updates itself and reboots in the middle of the afternoon.
According to this July 2017 article, Google Wifi routers are based on ChromeOS. The open source GaleForce project lets you root Google Wifi.
FYI: Tech support forum for Google Wifi.
According to the app, tech support is available by telephone 24x7 at 844-442-3693. I have not tested this.
Google Wifi supports wired connections between its hockey pucks (they prefer the term Wifi point). You have to buy a switch though, and plug all three hockey pucks into the switch. It works, I've done it. The app detects that two of the hockey pucks use a wired connection.
The app does not show you all devices connected to a specific Wifi point. That makes it very hard to audit things, to ensure that devices are connected to the closest access point. You have to pull up each device individually to see which Wifi point it is talking to. The app also does not show the signal strength between a client and the mesh point. Google Wifi clearly is not for techies.
The app seems to run all the time, in the background, at least on Android. I say this because twice, when an Android device with the app went online, there was an Android notification that the system was off-line. I had not gone into the app and I was remote from the system it was reporting on. That the app runs all the time is not disclosed. Can this be prevented? And, while the heads up about going off-line is useful, there is no corresponding "All is well" notice when the system goes back online.
The leftmost tab in the app has messages from Google to you. It often says "Everything looks good and 3 Wifi points are online". But there is no date/time so the message could be old.
On the leftmost tab, a "card" tells you that updates were installed and the date/time when the updates were installed, but it does not say what software version was installed. Also, it says that "Your Google Wifi just got better", even when the message is 6 weeks old.
The middle tab has three blue circles: Internet, Wifi points (a.k.a. hockey pucks) and Devices. If you click on the blue circle for Wifi points there is no additional info. The app has lots of additional info about the Wifi points, but it's hidden in a different tab.
From the middle tab, when you click on the blue Devices circle, it defaults to showing real time bandwidth usage. If you click on "Real-time" you can see bandwidth for different time periods. The option for 1 day, for example, can serve two purposes. The software is stupid enough to show all devices that ever connected, even those that did not connect in the last day. Its count of Devices at the top is of every device that ever connected. But looking at the bandwidth can tell you the devices that connected in the last day. This could help find devices that don't belong on the network.
It runs an Internet speed test every two days (more or less). This is not configurable. It does not tell you what time of day the test was run, only the date. It keeps a history of speed test results for the last 60 days and reports the average download and upload speeds, presumably for the last 60 days. If something changes regarding your Internet connection, you can not reset the averages. The history has proved useful in detecting a problem that might well have been silent. The network of a friend had tested at 110Mbps down for a couple months, then started testing at about 30Mbps. Many people would not notice this, but the app did.
The network history shows you real time data usage. Someone does not know the definition of the word history.
On a more serious note, the image at the right shows the network history for the last day and shows just how little Google cares about this app. For one, downloaded data is light blue, uploaded data is gray. But the graph has nothing gray in it at all. 600MB of uploaded data just vanished. And, half the graph is light blue, half is dark blue. Why? What's the difference? None of our business, apparently.
There is no Help -> About to see what version of the app you are using. You have to go to the third tab, Network and General, App and support details. Even then, the app does not have a simple version number like all other software in the world. In Sept. 2017 it said it was "jetstream-BV10119_RC0003". In Nov. 2017 it was "jetstream-BV10122_RC0010". To find out when this version of the app was released, Android users have to go to the Play Store.
October 10, 2018: The more I live with a Google Wifi system, the less I like it. It's still up to its old tricks. The router rebooted at 6:50pm. How hard can it be to schedule reboots for the middle of the night? The last firmware update was Sept. 19, 2018 to version 10452.90.53. What changed in this update? Clearly, none of your business. The release notes say "General stability and performance improvements." That's it. This firmware was released in August, so why was it not installed until the 19th of September?
July 19, 2018: Things seem to be going downhill with Google Wifi. The software today was version 10452.90.45. A Google web search shows this firmware was released around June 27, 2018 (give or take). Yet, the Google Android app has no notice of the software being updated. The last notice in the app of a software update is from Feb. 6, 2018. What changed in this release? A quick Google search turned up no Release Notes from Google. It should not be this hard. And, this latest firmware update seems to be causing problems for many people. For me too. There was an error "weak connection between Wifi points". This error had no date/time, so I have no idea when it happened. And, it is impossible as the two Wifi points are Ethernet connected to the main hockey puck. As the app instructed, I ran the "Test Mesh" test. While it is running, you see no progress indicator of any type. When it finishes, it just says things are good, it does not report the speed between the main hockey puck and the Wifi points.
Feb 8, 2018: Things are going downhill. The system was updated to a new firmware release (10032.86.2), but there was no card in the leftmost tab saying that it happened. So, now we don't know when the new firmware was installed and we don't know anything about it. Hint, it doesn't do much.
Feb 4, 2018: There is new firmware available but that's all customers are allowed to know. And, they have to dig for this information, it is not displayed on the main/left tab. To learn of the available update, you have to go to the third tab -> Network and General -> WiFi points. Worse, right next to the message about an available update is a firmware version number, but, it is the old version, not the new version. So, you can't Google around to see what changes are in the new firmware.
Jan. 14, 2018: A huge gripe is that the app fails to show the signal strength for each connected device. Heck, it doesn't even show the signal strength for each hockey puck unless you click on something for it to run a test. (firmware version 9901.53.2 from Nov. 2017 and Android app version jetstream-BV10127_RC0011 also from Nov. 2017)
Dec. 5, 2017: In the app, I click on Network and General and then on the 3 Wifi points. It says the software is up to date, running version 9901.53.2. Click on this, and it shows a history of firmware releases. An old history. Nothing about the current firmware. The most recent entry is 9460.40.5. When is that from? It does not say.
Oct. 6, 2017: Release notes history most recent entry is for 9460.40.5. The software on the routers however is 9765.65.2. What changed in this release is none of your business. When was the router firmware updated? Again, none of your business. Nothing in the public forum about the new software release. A Google search (ironic, eh?) turned up Release notes for 9765.65.2 which are disgraceful. Full text: "General stability and performance improvements" Not even a release date, just a release month: September.
On Sept. 12, 2017, the release notes history in the app showed that 9460.40.5 was the last installed firmware version. At the same time, the Wifi points feature in the app said their software was up to date and running version 9460.40.8.
So, what is new in version 9460.40.8? The only way to find out is to do a Google search. I do so on Sept. 12, 2017 and find nothing. But, I do find release notes for the previous version 9460.40.7. This is shameful. Judging by this thread it looks as if Google pushed some bad software and quickly fixed it. Clearly, they feel no obligation to tell you anything.
Jan. 3, 2017. NOTE: The below was written before Google released their second generation routers, Google Wifi. When Google Wifi was released, the software for the OnHub routers was upgraded to match that of the Wifi routers. Also, I have no first hand experience with Google OnHub routers. Interestingly, my initial security opinion of the OnHub routers was that they were a poor choice for reasons noted below. Now, however, I think Google Wifi routers are a good security choice for non-techies (see above).
Google's OnHub routers are part of a recent wave of consumer friendly routers. These devices do away with many features in an effort to keep things simple for non-techies. In and of itself, this does not make a router less secure, instead it is assorted design choices Google made.
For example, a Google OnHub router can only be configured by someone with a Google account. This means that Google not only knows who you are, but also where you are (based on both the public IP address of the router and nearby Wi-Fi networks). For the most privacy, create a new Google account that is used solely for administering the router and nothing else. Still, you have to assume that Google can get into the router at any time, so these devices are not for anyone who cares about their privacy.
Initially, the OnHub routers did not support Guest networks. This is no longer true.
Other missing features are parental control and content filtering. It also doesn't support VPNs, but it's not clear from the reviews I read whether that only means that it has no VPN server or whether it also means that the router does not offer VPN pass-through.
Update Jan. 3, 2017: Functioning as a VPN server is the sort of techie feature that the recent wave of consumer oriented mesh router systems (Eero, Luma) omit. However, the OnHub does allow for VPN pass-through access, that is, LAN side devices can function as a VPN client.
As you would expect, the routers default to using Google's DNS servers which gives them an audit trail of every visited website. You can, however, change the DNS servers and I suggest doing so on the theory that Google knows enough about us already.
A fairly rare feature these routers do offer is the ability to self-update their firmware. While, on the one hand, this is great for ensuring users get the latest bug fixes, there can also be a down side to it depending on how the feature is implemented. I have not read a review with details on how this works.
In response to privacy concerns with their routers, Google describes the data collected and how to opt out here: OnHub, the Google On app and your privacy.
The WireCutter offers a detailed review in their article on the best Wi-Fi router. They say
There is only one Ethernet LAN port.
The routers do nothing to enable Google Cloud Print for printers on the LAN that do not support it natively. Printing from a Chromebook pretty much requires the Google Cloud Print service.
As for Wi-Fi performance, Dan Seifert of TheVerge found the Wi-Fi range much better than an Asus RT-AC66U router. And Joe Wilcox said "The usable wireless range far exceeds the Apple AirPort Extreme router that OnHub replaces in my home". On the other hand, SmallNetBuilder and The WireCutter were not impressed with the Wi-Fi performance. YMMV.