Router Security: Google Wifi and OnHub Routers
Website by Michael Horowitz


Google Wifi Routers

In December 2016, Google's OnHub routers were replaced with Google Wifi routers. The OnHubs were single devices; GWifi swings both ways. That is, you can buy one and use it as a single router, or you can buy two or three and use it as a mesh router system.

As for their security, David Gewirtz recommended them in December 2016. See "Sacrificing router flexibility for security with Google Wifi and OnHub". I agree with 98% of what Gewirtz wrote. If you were going to buy a router for Grandma, Google Wifi would be my recommendation. Then again, now I'm not so sure. See my blog "7 mistakes Google made updating my Google Wifi router", published May 8, 2017.

And, there are two security issues with Google Wifi routers. First, you are stuck with the 192.168.86.x subnet. Second, UPnP is enabled by default.

This April 2017 article, "How Google wants to re-invent the router", is a puff piece that could have been written by Google's PR department. Except for one point that I had not seen mentioned anywhere else: Guest network users can see devices on the main LAN. Not good for security. Kinda makes a Guest network, not a Guest network. This is a quote from a Google person: "We've also made it really simple for you to share specific devices from your main network to your guest network. So if I want guests to be able to access my Wi-Fi but I don't want them to be able to see my hard drive and my desktop PC, I can do that. I can share my Chromecast, but not my NAS."

On the 5GHz frequency band, Google Wifi routers always use 80MHz wide channels. This is not optimal for a crowded Wi-Fi environment. The Ubiquiti AmpliFi routers default to 80MHz channels but you can change this. Eero also uses 80MHz channels all the time, but their tech support made a case to me that it will co-exist well with nearby networks on the 5GHz band. I have to dig up the exact reasons why ....

UPnP is on by default. Everyone does this too, but it's still miserable for the security of the Internet as a whole and Google, especially, should know better.
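A defender's check for the UPnP default noted above, as an added example that is not part of the original page: it multicasts a standard SSDP M-SEARCH on your own LAN and reports any Internet Gateway Device that answers, flagging replies that come from the 192.168.86.x subnet. The sample reply, its port and its `rootDesc.xml` path are constructed for illustration, and the function names are this example's own.

```python
import ipaddress
import socket

SSDP_ADDR = ("239.255.255.250", 1900)  # standard SSDP multicast group and port
IGD_TARGET = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
GWIFI_NET = ipaddress.ip_network("192.168.86.0/24")  # subnet named on this page

# Constructed sample reply (not captured from a real router), for offline use.
SAMPLE_REPLY = (
    "HTTP/1.1 200 OK\r\n"
    f"ST: {IGD_TARGET}\r\n"
    "LOCATION: http://192.168.86.1:5000/rootDesc.xml\r\n\r\n"
).encode("ascii")

def build_msearch(target=IGD_TARGET, mx=2):
    """Build the SSDP M-SEARCH datagram that asks UPnP gateways to answer."""
    lines = ["M-SEARCH * HTTP/1.1", f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}",
             'MAN: "ssdp:discover"', f"MX: {mx}", f"ST: {target}", "", ""]
    return "\r\n".join(lines).encode("ascii")

def parse_reply(data, sender_ip):
    """Parse one SSDP reply; return a finding dict, or None if not a 200 OK."""
    head, *rest = data.decode("utf-8", errors="replace").split("\r\n")
    if not head.startswith("HTTP/") or head.split()[1:2] != ["200"]:
        return None
    headers = {k.strip().lower(): v.strip()
               for k, sep, v in (ln.partition(":") for ln in rest) if sep}
    return {"ip": sender_ip, "location": headers.get("location"),
            "is_gateway": "InternetGatewayDevice" in headers.get("st", ""),
            "in_gwifi_subnet": ipaddress.ip_address(sender_ip) in GWIFI_NET}

def discover(timeout=3.0):
    """Multicast one M-SEARCH on the local LAN and collect gateway replies."""
    found = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_msearch(), SSDP_ADDR)
        try:
            while True:
                data, (ip, _port) = sock.recvfrom(4096)
                finding = parse_reply(data, ip)
                if finding and finding["is_gateway"]:
                    found.append(finding)
        except socket.timeout:
            pass  # reply window closed
    return found

if __name__ == "__main__":
    print(discover() or "No UPnP Internet Gateway Device answered on this LAN")
```

An empty result only means nothing answered discovery within the timeout; confirm the UPnP setting in the router's app as well.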

May 8, 2017: I blogged about "7 mistakes Google made updating my Google Wifi router".

The page here on Firmware Updating has a section on Google Wifi routers.

According to this July 2017 article, Google Wifi routers are based on ChromeOS. The open source GaleForce project lets you root Google Wifi.

FYI: Tech support forum for Google Wifi.

According to the app, tech support is available by telephone 24x7 at 844-442-3693. I have not tested this.

Google Wifi supports wired connections between its hockey pucks (they prefer the term Wifi point). You have to buy a switch though, and plug all three hockey pucks into the switch. It works, I've done it. The app detects that two of the hockey pucks use a wired connection.

Some thoughts on the Google Wifi app

The release history does not show the dates of each firmware release. In fact, the exact date of release is a Google secret. Their release notes only give a month, not a date. The release history also does not show the date/time when the firmware was installed. Nothing to see here, move along.

On the leftmost tab, the gripe is the exact opposite. While there is a "card" telling you that updates were installed and the date/time when the updates were installed, it does not say what software version was installed.

From the middle tab, when you click on the blue Devices circle, it defaults to showing real time bandwidth usage. If you click on "Real-time" you can see bandwidth for different time periods. The option for 1 day, for example, can serve two purposes. The software is stupid enough to show all devices that ever connected, even those that did not connect in the last day. Its count of Devices at the top is of every device that ever connected. But looking at the bandwidth can tell you which devices connected in the last day. This could help find devices that don't belong on the network.

Oct. 6, 2017: The most recent entry in the release notes history is for 9460.40.5. The software on the routers, however, is 9765.65.2. What changed in this release is none of your business. When was the router firmware updated? Again, none of your business. Nothing in the public forum about the new software release. A Google search (ironic, eh?) turned up release notes for 9765.65.2, which are disgraceful. Full text: "General stability and performance improvements". Not even a release date, just a release month: September.

On Sept. 12, 2017, the release notes history in the app showed that 9460.40.5 was the last installed firmware version. At the same time, the Wifi points feature in the app said their software was up to date and running version 9460.40.8.

So, what is new in version 9460.40.8? The only way to find out is to do a Google search. I do so on Sept. 12, 2017 and find nothing. But, I do find release notes for the previous version 9460.40.7. This is shameful. Judging by this thread it looks as if Google pushed some bad software and quickly fixed it. Clearly, they feel no obligation to tell you anything.

The release notes in the app for the June 2017 firmware version 9460.40.5 are different than the release notes Google published on their website. The app omits a feature.

The leftmost tab in the app has messages from Google to you. It often says "Everything looks good and 3 Wifi points are online". But there is no date/time so this message could be old.

It seems to run an Internet speed test on its own every two days. This does not seem to be configurable. It does not tell you what time of day the test was run, only the date. It keeps a history of speed test results for the last 60 days and reports the average download and upload speeds, presumably for the last 60 days. If something changes regarding your Internet connection, you cannot reset the averages. The history has proved useful in detecting a problem that might well have been silent. The network of a friend had tested at 110Mbps down for a couple months, then started testing at about 30Mbps. Many people would not notice this, but the app did.

The network history shows you real time data usage. Someone does not know the definition of the word history.

There is no Help -> About to see what version of the app you are using. You have to go to the third tab, Network and General, App and support details. Even then, the app does not have a simple version number like all other software in the world. On Sept. 12, 2017 it said it was "jetstream-BV10119_RC0003". There is no date for the app either. On Android, the Play Store reports the same version number and tells us that it was released Aug. 14, 2017.

Google OnHub Routers

Jan. 3, 2017. NOTE: The below was written before Google released their second generation routers, Google Wifi. When Google Wifi was released, the software for the OnHub routers was upgraded to match that of the Wifi routers. Also, I have no first hand experience with Google OnHub routers. Interestingly, my initial security opinion of the OnHub routers was that they were a poor choice for reasons noted below. Now, however, I think Google Wifi routers are a good security choice for non-techies (see above).

Google's OnHub routers are part of a recent wave of consumer friendly routers. These devices do away with many features in an effort to keep things simple for non-techies. In and of itself, this does not make a router less secure; what does is the assorted design choices Google made.

For example, a Google OnHub router can only be configured by someone with a Google account. This means that Google not only knows who you are, but also where you are (based on both the public IP address of the router and nearby Wi-Fi networks). For the most privacy, create a new Google account that is used solely for administering the router and nothing else. Still, you have to assume that Google can get into the router at any time, so these devices are not for anyone who cares about their privacy.

Initially, the OnHub routers did not support Guest networks. This is no longer true.

Other missing features are parental control and content filtering. It also doesn't support VPNs, but it's not clear from the reviews I read whether that only means that it has no VPN server or whether it also means that the router does not offer VPN pass-through.
Update Jan. 3, 2017: Functioning as a VPN server is the sort of techie feature that the recent wave of consumer oriented mesh router systems (Eero, Luma) omit. However, the OnHub does allow for VPN pass-through access, that is, LAN side devices can function as a VPN client.

As you would expect, the routers default to using Google's DNS servers which gives them an audit trail of every visited website. You can, however, change the DNS servers and I suggest doing so on the theory that Google knows enough about us already.

A fairly rare feature these routers do offer is the ability to self-update their firmware. While, on the one hand, this is great for ensuring users get the latest bug fixes, there can also be a downside to it depending on how the feature is implemented. I have not read a review with details on how this works.

In response to privacy concerns with their routers, Google describes the data collected and how to opt out here: OnHub, the Google On app and your privacy.


The WireCutter offers a detailed review in their article on the best Wi-Fi router. They say

There is only one Ethernet LAN port.

The routers do nothing to enable Google Cloud Print for printers on the LAN that do not support it natively. Printing from a Chromebook pretty much requires the Google Cloud Print service.

As for Wi-Fi performance, Dan Seifert of TheVerge found the Wi-Fi range much better than an Asus RT-AC66U router. And Joe Wilcox said "The usable wireless range far exceeds the Apple AirPort Extreme router that OnHub replaces in my home". On the other hand, SmallNetBuilder and The WireCutter were not impressed with the Wi-Fi performance. YMMV.

This page was last updated: October 23, 2017 12AM CT     
Created: November 15, 2015