Security Experts Find Fault with Google OnHub

Google’s new OnHub Wi-Fi router promises to shake up the staid home and SOHO router market, but experts I spoke to for Infosecurity Magazine were divided over whether it will be more secure.

The radical new coffee cup (or pint glass if you’re me) design crams in 13 antennas and has been praised for offering not only a more svelte appearance but faster wireless speeds in the house.

But the most talked-about features from a usability and security point of view are the fact it is managed entirely from the Google On app, with security updates automatically delivered over the air.

In fact, the device won’t work unless it’s running the latest version.

On the face of it, this is a massive improvement on the traditional router experience, where the user would have to switch it off and on again, and if the colour of the blinking lights on the front still haven’t changed, put in a helpdesk call.

There have also been several research reports already this year pointing to major flaws in popular home routers, which are usually ignored for months by the vendors. And when patches do become available it’s unlikely a home or SOHO/SMB user would have the time, inclination or skill to apply them.

That’s why automatic updates seem like a good idea, according to MWR InfoSecurity security consultant, Guillermo Lafuente.

“The security of products is often undermined when they rely upon end users to perform actions such as installing updates,” he told me by email.

“Most end users stop caring about the management of their products once they have finished setting them up. When talking about a router the most likely scenario is that they will plug it in, switch it on, and remember that it exists only when their Internet is not working.”

However, the ability to manage the device from an app may also expose it to greater risk, Alert Logic chief security evangelist, Stephen Coty, explained.

“This also gives the potential attacker, who is comprising the mobile device or update server, the ability to gain access into the network through pushed updates or mobile configuration updates,” he told me.

“This will allow them to open up ports or services in which they can gain access to the network. This is a pattern which we see a lot with the conveniences that Internet of Things devices introduce in our day to day lives. It’s convenient to make our lives easier, but if compromised could lead to data leakage.”

For Imperva CTO, Amichai Shulman, automatic updates don’t necessarily make a device any more secure, although they “might be a good thing for home users.”

“I think that most problems with home routers (as well as most vulnerable business routers) has to do with bad configuration, back door accounts and weak passwords,” he argued by email.

To lock down risk, users should choose strong passwords and ensure the management interface is only accessible from the internal network, he added.

“I think that the biggest advantage of this new offering (which I deeply regard as an end user) is simplicity,” Shulman concluded.

“An average home today is becoming a complex networking environment with mobile devices, smart TVs, media streaming and what not. I do believe that vendors who solve the ease-of-deployment and ease-of-maintenance problem for home users are going to rule this market.”