|Router Security||Eero Routers||
Website by |
These are my random observations about the Eero mesh router system. This is not a review and is not limited to security issues. There is nothing below about Wi-Fi performance. My experience with Eero is based on firmware version 3.11.0-436 (current as of Feb. 2019) and Model A010001, which is a first generation router. I only have the one Eero device.
Getting started with Eero requires setting up an account with them. This, in turn, requires you give them a phone number which is used to verify your identity via text message. Do you want a router that knows who you are? Note, however, that you can provide an invalid phone number and do the identity verification solely with an email address. You are not told this during the initial setup. Anyone concerned with privacy can create a new email address used just with Eero and nothing else.
My initial setup experience did not match the documentation. I was not asked how big my house was or how many floors it had. The documentation, as it existed in mid-February 2019, left out a lot. For one thing, it does not mention that both Ethernet ports are the same and you can plug either one into your modem or gateway device. It also does not tell you how you know when the router is finished booting. And, what's with Bluetooth? The initial setup on Android wants you to enable Location Services on the device. Why? I set it up by entering the 16 character serial number into the eero app. That worked fine, no Bluetooth or location service needed. The initial connection between a new eero and the app is clearly done through the cloud. A new Eero does not create a Wi-Fi network out of the box as most other routers do. At the end of the initial setup, the app offered to connect my device to the new eero-created Wi-Fi network. I said yes, the app said it failed, but it had actually worked. Almost immediately, the app said the firmware was old and offered to update it. The updating went well.
Eero routers do not have passwords. The mobile app will continue to work day after day after day, it can not be password protected. However, you can log out of the mobile app. When you next login, you are verified with a temporary code sent to the email address on file as being the administrator for the system. I suppose they also do text messaging if they have a real phone number.
Eero is the only mobile app that I know of that shows you all the devices connected to each Eero device. This is great, as it lets you verify that devices are connecting to the closest Eero. I think this feature was added around July 2018.
The Eero app has a nice security feature. If you click on the message that says "9 connected devices" (see screen shot) it displays a list of devices that are "Currently on your network". For each device it shows the signal strength and current bandwidth, but not the name of the eero device its connected to (see screen shot). The nice feature is that right under this list is another list, one of devices "Recently on your network". And, since the eero app lets you give friendly names to devices (Bobs new iPad), this makes it easy to look for intruders. Screen shots were taken with the Android app in July 2017.
Eero creates two hidden networks on each frequency band (plus, of course, your named, visible SSID). One of the hidden networks on each band uses WPA2, the other uses no encryption at all. Tech support said not to worry, all data transmitted is encrypted, even when WPA2 is not used.
Big Eero fan? So much so that you convinced a friend or relative to also use Eero? The good news is that two Eero systems can be managed from a single copy of the app and a single Eero account. And, it's pretty easy too. The first step towards adding a second Eero system to an existing account is the Switch Network option off the hamburger menu in the top left corner of the app. The process is self-explanatory. After the second system is added, the same Switch Network feature switches between your two Eero systems. For more, see How do I add and manage multiple eero networks under my account?. After I added a second network to the Eero app on an Android device, I then went to use the Eero app on an iOS device - and the second Eero system was already there.
Basic Eero operation, without the extra Eero Plus service, supports Family Profiles (a.k.a. Profiles). Each device can be assigned to a profile and the profile can have a scheduled OFF/pause time, perhaps at bedtime for kids or dinner time. I tested this by having a device play a live stream at the time it should have been paused. The live stream stopped playing. The Chrome browser was redirected to pause.eero.com which says "Your device has been paused". However, Firefox just hung without a message.
The paused device had the Eero app installed and being "paused" did not prevent it from using the app to query the router. It could run a speed test. It could even use the app to query a second Eero system at a different physical location, all while "paused". However, in what might be considered a security issue, the "paused" device was able to remove itself from its Profile and thus become active again.
Eero is skimpy on status lights, there is only one. When initially powered on it is briefly green, then, while booting, it blinks green and when all is well it is solid green. This is not what the Eero website says should happen. The website says the light is white when all is well. It also says that blinking green means multiple Eeros detected. This is not true in my case. What was consistent, was that when the Internet was unplugged, the LED became solid red. It took a while though.
My first generation Eero got noticeably warm, especially on the bottom. Warm enough, in my opinion, to be concerned. And, this was without any devices connected to the router. While white, eero is virtually a black box. Many other routers report on CPU usage, eero does not. See Is it ok if my eero feels warm?.
After re-activating a disconnected Internet, Eero incorrectly reported that a laptop was connected via Ethernet. There were, in fact, no connected devices. the laptop in question had been recently connected via Ethernet.
Subnets: My Eero defaulted to the 192.168.7.x subnet with the router at 192.168.7.1. To change the subnet do: Network Settings -> Advanced Settings -> DHCP and NAT -> Manual IP. There are three choices, one each in the three reserved-for-private-use subnets: 192.168.x.x, 10.x.x.x or 176.16.x.x. I opted for 10.0.0.0 and was able to modify the selection to 10.99.99.x. The subnet mask had to be manually changed. Interestingly, I was able to do this remotely, that is, the app was running on a device not connected to the Eero's Wi-Fi network. Two gripes: (1) there is no documentation on this at all. I searched the Help section of eero.com for "subnet" and came up empty. (2) you can not change the IP address of the router on the new subnet, its IP address always end with the number one. FYI: using a new subnet wiped out the list of previously connected devices.
When booting up, the Eero tried to access my modem. Modems, like routers, are computers. Many modems an be accessed from the LAN side using IP address 192.168.100.1. I blogged about this in 2015: Using a router to block a modem. Not only does my router block access to this IP address, it also logs any attempts at using this IP address. For years, there was nothing to log - until I booted the Eero. In the space of a few seconds, Eero made four attempts to access TCP port 80 on IP address 192.168.100.1. After it was finished booting, no more accesses. I asked tech support about this and they suspected it was trying various options to get onto the Internet, and that I should not worry about it. A bit disappointing.
A scan of the LAN side of the router with nmap, looking at all TCP ports, found three open (see below). Port 53 is DNS and is often open on the LAN side. I have no idea why 3001 and 10001 are open. With version detection (-sV) added, port 10,001 was reported to be "tcpwrapped".
A scan of the WAN side of the router with nmap, looking again at all TCP ports, found all the ports were closed. Nmap terminology can be confusing but a closed TCP port is not ideal. It is much more secure than an Open port, but an even more secure status would be "filtered," which means that there was no response at all. Steve Gibson refers to this status as Stealth in his ShieldsUP! service. A closed port does respond to say that it is closed.
The two Ethernet ports do not have LEDs. Considering the price of an eero system, it seems like a corner that should not have been cut.
More than once, the Android app (last seen March 1, 2019) has reported a device as being connected to the router, when it was not. In each case the device had been recently connected via Ethernet (no switch/no hub). In the most recent case, the Ethernet cable had been removed from the eero, well before the app continued to report that a device was using the Ethernet port. Obviously, their focus is on Wi-Fi.
Eero self-updates its firmware which, on the whole, is a good thing for non-techies. But every coin has two sides. My thoughts on how Eero self-updates are on the firmware self-updating page.
Eero tech support has been good. You can simply email them at support at eero.com (pretty easy to remember), contact them through their website or on the phone. And, they don't hide their phone number, they make it easy to find. I have contacted them about a half dozen times and the responses were quick and to the point. That said, eero is a consumer device and the tech support only goes so far. When things have gotten fairly technical, their response has boiled down to "trust us".
According to this note from Eero, Can my eero network have more than one administrator? the answer is no, a given Eero system can have only one nerd in charge and it is the person that initially setup the thing. If you need multiple techies, "you can share your login credentials." Beats me what this refers to as there are no login credentials.
September 4, 2020: Using the current Android version of the Eero app (22.214.171.124326), I noticed an important feature seemed to be missing: signal strength. The app did not report the signal strength of an Access Point to the main router, or, of a device to the Access Point it is communicating with. Eventually, I figured out that the Wi-Fi icons were the signal strength indicators but since they all had a good signal, I mis-took them for just indicating Wi-Fi (vs. Ethernet). This is a bad design, especially for someone without great eyesight. The app should use numbers to indicate both of these signal strengths.
When I first created the checklist of security features on this site, the ability to be notified of new devices joining your network was a pipe dream. Only one company had offered that feature and they disappeared after being purchased by Comcast. In the last couple years, however, this is becoming more common and Eero is among the companies offering it (along with Gryphon, Luma, Amped Wireless ALLY, Fingbox and Bitdefender box). Kind of like two factor authentication, it is no longer sufficient to know the Wi-Fi password, now you also have to be approved by the nerd in charge. New device notification was not a feature when eero was first released, I think it was added around November 2018.
There are two main aspects to this type of notification: is it before or after, and the mechanism for notices.
|On Android (I did not test iOS) the notices are pushed to you, it is not necessary to go into the Eero app to be notified. On Android, the notice starts small, just the word "Eero" on the horizontal stripe at the top of my Android device. A swipe down from the top of the screen shows a notice like the one here on the right. No doubt "Intel Corporate" is based on the manufacturer of the network adapter which anyone can easily learn from the MAC address. |
You are notified when the first device joins a new Eero network and given the option to always be notified of new devices. Whatever your initial choice, it can be changed later. In the app, the setting is at: Network settings -> Notifications.
Notification works even if the mobile device with the Eero app is not connected to the Eero Wi-Fi network.
For more see Notifications for Devices Connecting/Disconnecting from Network and How do I block unwanted devices on my network? and How Can I Identify New Devices on My Network? and FEATURE REQUEST: NEW DEVICE NOTIFICATION from Dec. 2016.
Wi-Fi exists in two different frequency bands, 2.4GHz and 5GHz. Each band (a wide range of frequencies) is logically divided into channels, a small range of frequencies. Not all channels are the same size, bigger ones are referred to as wider. Thanks to eero, I have spent way too much time researching channel widths.
As a dumbed-down consumer device, Eero does not let you change the wireless channel or the channel width, nor does it tell you what its using for either. Fortunately there are many Android and Windows programs that display this information. Probably on macOS too. The selection of a channel, and its width, impacts the interference between your wireless network(s) that those of your neighbors. If there are no strong signals from nearby networks then any channel will do and wider channels will be faster.
But, in a crowded Wi-Fi neighborhood, the channel width and the channel number become much more important. Some intelligence is needed in crowded areas to pick both channels and channel widths that avoid the strongest signals from your neighbors. If you and your neighbors use the same Wi-Fi channels, it is a lose-lose situation. You each interfere with, and slow down, the other.
NOTE: It's actually more complicated than that as channels overlap a bit, so even neighboring channels can interfere with each other. If, for example, you and your neighbor are on channels 1 and 2, it would be worse than if both of you were on channel 1. Wi-Fi has traffic enforcement rules that come into play when multiple networks are on the same channel. But different channels are seen as noise and can cause re-transmissions of data. But, I digress.
Channels are more of an issue on the 2.4GHz band which has fewer channels and more devices than the 5GHz band. Almost every router uses narrow 20MHz wide channels, so until I started with eero, channel widths were not a concern. But Eero likes to use 40MHz wide channels, at least by default. This screen shot of WiFiInfoView shows just how abnormal it is for a router to use wide 40MHz channels. Almost no one does it. My experience has been that even in a crowded Wi-Fi neighborhood, eero too often fails to down-shift to standard, narrow 20MHz wide channels.
For more on Wi-Fi channels see Which Wifi Channels Should I Use for My Wireless Network? by David Murphy for LifeHacker Feb. 22, 2019.
NOTE: Again, things are actually more complicated than the simplistic advice from Murphy and everyone else. Looking for a Wi-Fi channel with the fewest competing networks is only half the story, and perhaps the least important half. The full story includes the amount of data/traffic sent by the other networks. For example, two networks on channel 1 could be sending a ton of data (someone is streaming a movie perhaps) while the nine networks on channel 6 could be sending very little data. If so, channel 6 is the smarter choice. Problem is, we can't easily see the amount of data beng transmitted on Wi-Fi channels. So, we do what we can from data that is easily available. But, I digress.
At first, I thought Eero always used wide channels in the 2.4GHz band. But then I used other software to display the channel width and saw that mine was using a narrow channel. I assumed there was a bug with the Wi-Fi software I had been using initially. There probably was, but that's a red herring.
Further tests over multiple days, multiple cold boots and multiple locations for the eero in my home, showed that eero stuck with the wide channel most of the time. It can downshift to a narrow channel, I saw it do so twice, but in the very crowded Wi-Fi area where I live, it typically does not. This is bad.
Suppose a neighbor is playing a musical instrument, and it interferes with your hearing your TV. So, you make your TV louder, but, now it interferes with your neighbor. So, they play their instrument louder and, in the end, no one can hear what they want to hear. That's my best analogy for eero hogging a wide swatch of bandwidth on the 2.4GHz channel.
You can see the wide channel in this screen shot of the Netspot Android app. Eero is the network with the strongest signal, the one labeled "ch 1 (3)". The width is obvious from the picture and was confirmed by three other Android apps. No other detected routers were using a wide channel.
|And, recall that eero creates three networks on each frequency band. One is visible, two are hidden. Of the two hidden ones, one does not use WPA2 or any encryption. I mention this again, because even when the visible network downshifted to a narrow channel, the hidden network using WPA2 did not. You can see this in the screen shot at the right, from the Android Network Analyzer app, which shows all three eero networks
on channel 1.|
This is also visible in a screen shot from the Netspot Android app, which shows three networks labeled "ch 1(3)". Two are using narrow channels, one is using a wide channel.
On top of this, my eero spent days in the same room as another router. The other router was using channel 1 on the 2.4GHz band, and so was eero. You might think with such a strong signal only 10 feet away that Eero would use a different channel. But, no. The entire time that I have been watching, eero has always used channel 1. I am not impressed.
The same thing happens on the 5GHz band where there are more channels to choose from. Eero always used channel 36 in my testing, and there were many other networks on that channel. Other channels on the 5GHz band had far fewer networks.
As for channel width on the 5 GHz band, eero seems to be married to 80 MHz channels. Back in October 2017, I asked tech support about the channel width on the 5GHz band and was told: "You should not have issues ... because of the way that eeros handle channels. From my desk, I can see close to 200 networks. I am not running into issues, and I am connected to eeros right now!"
I have tested eero in three different corners of my home and sometimes it down-shifted to a narrow 2.4GHz channel but most of the time it did not. I used to recommend eero, but considering what I have seen regarding channel selection and channel widths, I have my doubts, especially for anyone who lives in a crowded Wi-Fi neighborhood. I would not want my neighbor to have an eero, it needs to play better with the other kids in the sandbox.
Eero third-gen Wi-Fi mesh debuts at Amazon’s Fall 2019 Hardware Event by Jim Salter for Ars Technica Sept. 25, 2019. These third generation Eero routers are not really a new generation. Functionally, they are equivalent to an Eero Beacon from the second generation, but with an Ethernet jack. They use the same Wi-Fi 5 radio chipset as the Beacon. They are dual band, a step down from the more expensive Pro models which are tri-band. But, they are cheap. Three Eero Pros are $500, a single Eero Pro and 2 Beacons is $400, three gen-3 Eeros are $250. A single gen-3 box is $100, a single Pro model is $200. From a security perspective, they now integrate Alexa and it is not clear if Alexa can be disabled. When Eero CEO Nick Weaver was asked if Amazon does any tracking of any sort, said no. Even if this is true today, it does not mean it will be true tomorrow. You can use Alexa to speak to an Eero router and tell it to disable the Internet for one device on your network. Not sure what protects it from a child doing the same to get Internet access restored to their device. You can also tell Eero to turn the Guest Wi-Fi off and on. Not the main/private network, just the Guest network. These 3rd-generation Eero devices are not replacing anything in the Eero line. They continue to sell first and second generation devices. Avoiding Alexa in a router will get harder, Amazon is working to integrate it in routers from Asus, TP-Lnk, Linksys and Arris. Ugh.
Amazon bought Eero for $97 million and employees still got screwed by Rachel Kraus of Mashable April 5, 2019. A must read.
Eero Makes the Best Wi-Fi System (and I’ve Tried Them All) by David Pogue for New York Magazine March 5, 2019. This is disgraceful. What Pogue has written is as different from this web page as black is from white, as North is from South. The article exists solely to make commissions. It says nothing of the privacy concerns with eero, which are not unique to it but apply to many mesh router systems. It says nothing about Amazon buying eero which doubles or triples the privacy concerns. Quote: "What my wife and I love most about Eero is the design." Baloney. Eero is a small white plastic blob. Whats to like about that? Nothing. And if you did like white plastic blobs, you have many other mesh routers to choose from. In my home, eero sat on a piece of wood furniture where it looks awful, nothing could clash more. Quote: "[Beacons] plug directly into any outlet, so there’s no cruddy-looking cables..." The AmpliFi mesh router system was criticized for its candlestick shaped mesh points that also plugged directly into an outlet. For one thing, outlets tend to be near the floor and Wi-Fi performs better closer to the ceiling. Pets and small children can get at things plugged in close to the floor. Worst though, is that it offers no flexibility as to the placement of the Beacons and Wi-Fi definitely needs location flexibility to get the strongest signal. Pogue likes that the eero app lets you shut off the Internet for kids at bedtime. Many mesh router systems offer this feature. Pogue also likes that eero blocks ads and malware from your whole network for $100/year. That is a nice feature but, again, not unique to eero. And, this brings with it still more privacy issues. Finally, there are no links in the article to the eero website. Not one. All the links are to Amazon or Target. Buy buy buy.
The February 18, 2019 episode of the Mac Geek Gab podcast discussed the privacy implications of Amazon buying Eero (about 13 minutes into the show). One point was that Eero is an unknown to most people and they are already being trusted with all the data a router can learn, which is a lot. John said the initial eero setup was creepy; while he was on the phone with eero, they made changes remotely. They can peek into your network and tweak it. Every router knows the types of devices you have in your home. They know if there is malware on your network when using the Plus service. Now Amazon will know you have an older apple TV, a Tivo, what type of TV you have, that you have Apple devices, etc. So, when using Amazon it is possible you will see ads to buy a new apple TV. The eero customer service has been phenomenal. Let me add some context, your ISP is already spying on you, just as much as any router. To block your ISP, you need to use a VPN or Tor.
Why Amazon buying Eero feels so disappointing by Dieter Bohn Feb 12, 2019. Quoting: ... it's assumed that nothing good can come of Amazon getting yet another potential treasure trove of personal data. And it could absolutely be a treasure trove. Short of handing over the PIN for your phone ... there’s not a much more intimate set of information about you than what your Wi-Fi router knows. It knows when you're home and when you’re away. It can suss out what websites you visit (before the SSL kicks in, anyway) and how many movies you’re streaming ... [eero] pretty much knows the make and model of every gadget that I own. That's potentially valuable information to a company that sells gadgets, no?
Now that Amazon is buying eero, consider this haunting article from Bloomberg about Amazon privacy concerns: Your Smart Light Can Tell Amazon and Google When You Go to Bed by Matt Day, February 12, 2019. The article has nothing to do with eero, it's all Amazon (and a bit Google). Both want to know not only that you are watching TV, but also the channel. Some IoT vendors are fighting back. Quoting from the article:
"For several years, Amazon and Google have collected data every time someone used a smart speaker to turn on a light or lock a door. Now they’re asking smart-home gadget makers such as Logitech and Hunter Fan Co. to send a continuous stream of information. In other words, after you connect a light fixture to Alexa, Amazon wants to know every time the light is turned on or off, regardless of whether you asked Alexa to toggle the switch. Televisions must report the channel they’re set to. Smart locks must keep the company apprised whether or not the front door bolt is engaged ... Having already amassed a digital record of activity in public spaces, critics say, tech companies are now bent on establishing a beachhead in the home ... Public guidelines published by Amazon and Google don’t appear to set limits on what the companies can do with the information they glean about how people use appliances."
What type of data does eero collect and why? by Eero. My thoughts: There is no Last Update date. It says "We may share anonymized data... " and "we don't ever track the websites you visit or collect the content of your network traffic." The data they admit collecting is: the status of your network (to be expected), the devices that are connected to your eeros (a big deal), their assigned IP addresses (no big deal), signal strength, and data usage (a very vague term). They store your network settings in the cloud, so the US government can compel them to turn over your Wi-Fi password. They collect "information about your wireless environment like other routers in the area, their signal strength, WiFi channel usage" This tells them exactly where the Eero system is. This is far more accurate than a public IP address. They collect "usage data" which is not defined. Usage of what? By what? It can mean whatever they want it to mean.
Privacy for eero Devices, Applications and Services by eero. Last updated June 29, 2018. Quoting: We may share some or all of your Personal Data with our subsidiaries, joint ventures, or other companies under a common control (“Affiliates”) ...
Amazon to Acquire eero to Help Customers Better Connect Smart Home Devices Press Release February 11, 2019. Of course it is for our benefit. Every corporate buyout is. This lie is standard operating procedure.
Eero promises not to brick routers if you don't pay a subscription by Jacob Kastrenakes of The Verge June 14, 2018. The eero $99/year subscription is now, and will always be, optional. It adds content filtering, malicious site blocking, and subscriptions to 1Password and a VPN. As for the expected lifespan of an eero system, the company has not publicly stated how long it intends to support each of its routers. They claim that new features will be rolled out for "many years" after they stop making a given unit. And, after that, security patches will be made available for a really long time. The article says that even without Eero's cloud, the routers would remain largely functional. It has been reported elsewhere that when your Internet goes down, eeros stop working such that you can't even use your LAN. That was not addressed in this article.
NOTE: The topic of Eero routers was originally part of the Mesh routers page, but in February 2019 I got my own Eero, thus learned more about it and created this new page.