Router Security: Mesh Routers
Website by Michael Horowitz
I spoke about Router Security at the O'Reilly Security Conference in New York City on Nov. 1, 2017. See a PDF of the slides

From the beginning routers have been complex devices with more configuration options than anyone could possibly understand, myself included. On the whole, however, I view the complexity as a good thing, as it offers many options for better security. But, these dozens of options are too much for consumers to deal with.

So, when the time came in early 2016 for new mesh routers to appear on the market, hardware vendors took it as an opportunity to make routers more user-friendly by removing 90% of the features. By then, everyone had a smartphone so management of the router was moved from a web interface to a mobile app. But phones have small screens and thus little room for the many features that legacy routers offered. See the Google Wifi page for some critiques of its mobile app.

Some of the relatively new consumer-focused mesh routers that are managed solely with a mobile app are Eero, Google Wifi, Luma, Plume and Ubiquiti AmpliFi. The one exception had been Netgear: its Orbi routers still (as of April 2017) offer a full web interface with the classically large number of features. When the Linksys Velop system was introduced in January 2017, managing it required a mobile app. In June 2017 Linksys added a web interface, one similar to the interface on their WRT and Max-Stream routers. As far as I know, Velop, Orbi and the D-Link Covr are the only mesh router systems with a web interface (technically, Covr is not a mesh system).

But every coin has two sides. The flip side of easy-to-use is inflexible. Consumer-focused mesh routers can hardly be tweaked at all. For example, they all have a single guest network. My favorite router, the Pepwave Surf SOHO, can create three networks. Some Asus routers can create eight.

Still, this latest generation of routers is generally better than legacy models in a number of ways.

Mobile security, however, seems to be a downside. Configuring a legacy router always required you to enter a password. No more. There doesn't seem to be anything securing access to the mobile apps that control these newer routers: whoever holds your unlocked phone can reconfigure the network. And hardware vendors still drop the ball on UPnP, enabling it by default, no doubt to minimize tech support calls. Shame on them. UPnP lets any device on the LAN, malware included, ask the router to open inbound ports with no authentication at all, so it should be off unless something on the network genuinely needs it.
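Since a mesh app rarely shows you whether UPnP is on or what it has already opened, here is a check you can run from any computer on the LAN. This is an added example for this page, not code from this site or from any router vendor. It multicasts an SSDP M-SEARCH for an Internet Gateway Device, fetches the device description, locates the WANIPConnection (or WANPPPConnection) service and walks its port-mapping table with the standard GetGenericPortMappingEntry action. No password is needed at any step, which is precisely why UPnP is a problem. The multicast address, the device-description and SOAP formats are the UPnP standard ones; any IP addresses that appear in comments are made up.

```python
"""Is UPnP on, and what has it already opened? SSDP discovery plus IGD port-mapping enumeration.
Added example for this page (not the site's or any vendor's code). Run from a host on the LAN."""
import re
import socket
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

SSDP_ADDR = ("239.255.255.250", 1900)  # standard SSDP multicast group and port
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"


def build_msearch(st=IGD_ST, mx=2):
    """The M-SEARCH datagram a client multicasts to find UPnP devices of type `st`."""
    return ("M-SEARCH * HTTP/1.1\r\n"
            f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}\r\n"
            'MAN: "ssdp:discover"\r\n'
            f"MX: {mx}\r\n"
            f"ST: {st}\r\n\r\n").encode()


def parse_ssdp_response(raw):
    """Headers (lower-cased keys) of an 'HTTP/1.1 200 OK' SSDP reply; None for anything else."""
    lines = raw.decode(errors="replace").split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return headers


def discover(timeout=2.0):
    """Multicast one M-SEARCH and collect (responder IP, description URL) pairs until silence."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_msearch(), SSDP_ADDR)
    found = []
    try:
        while True:
            data, addr = sock.recvfrom(65507)
            headers = parse_ssdp_response(data)
            if headers and "location" in headers:
                found.append((addr[0], headers["location"]))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


def _local(tag):
    """Strip the XML namespace ElementTree prepends to a tag."""
    return tag.rsplit("}", 1)[-1]


def find_control_url(desc_xml, location):
    """(absolute controlURL, serviceType) of the WAN(IP|PPP)Connection service, or None."""
    for svc in ET.fromstring(desc_xml).iter():
        if _local(svc.tag) != "service":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in svc}
        if re.search(r"WAN(IP|PPP)Connection", fields.get("serviceType", "")):
            return urllib.parse.urljoin(location, fields["controlURL"]), fields["serviceType"]
    return None


def soap_body(service_type, action, args):
    """Minimal SOAP envelope for one UPnP action with the given argument dict."""
    inner = "".join(f"<{k}>{v}</{k}>" for k, v in args.items())
    return ('<?xml version="1.0"?>'
            '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:{action} xmlns:u="{service_type}">{inner}</u:{action}>'
            "</s:Body></s:Envelope>").encode()


def parse_port_mapping(resp_xml):
    """The New* fields of a GetGenericPortMappingEntry response, keyed without the 'New' prefix."""
    return {_local(el.tag)[3:]: (el.text or "").strip()
            for el in ET.fromstring(resp_xml).iter() if _local(el.tag).startswith("New")}


def list_port_mappings(control_url, service_type, max_entries=64):
    """Walk the mapping table by index; the router answers an out-of-range index with
    UPnP error 713 carried in an HTTP 500, which is our stop signal."""
    mappings = []
    for index in range(max_entries):
        req = urllib.request.Request(
            control_url,
            data=soap_body(service_type, "GetGenericPortMappingEntry", {"NewPortMappingIndex": index}),
            headers={"Content-Type": 'text/xml; charset="utf-8"',
                     "SOAPAction": f'"{service_type}#GetGenericPortMappingEntry"'})
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                mappings.append(parse_port_mapping(resp.read()))
        except urllib.error.HTTPError:
            break
    return mappings


if __name__ == "__main__":
    gateways = discover()
    if not gateways:
        print("No UPnP Internet Gateway Device answered; UPnP is probably off (good).")
    for ip, location in gateways:
        print(f"UPnP IGD at {ip}: {location}")
        with urllib.request.urlopen(location, timeout=5) as resp:
            service = find_control_url(resp.read(), location)
        if service is not None:
            for m in list_port_mappings(*service):
                print(f"  {m.get('Protocol')} {m.get('ExternalPort')} -> "
                      f"{m.get('InternalClient')}:{m.get('InternalPort')}  {m.get('PortMappingDescription')}")
```

If the script prints nothing but the "no device answered" line, either UPnP is off or the router does not run the IGD profile; if it lists mappings you did not create, something on the LAN opened them for itself. Note that a silent SSDP does not prove UPnP is disabled on the WAN side, which is a separate and worse misconfiguration that only an external scan can show.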

Another trend with mesh router systems is the constant involvement of the hardware vendor in your network. With most of these systems you must establish an account with the hardware vendor and the mesh router phones home with unknown data. There are two downsides: no one knows exactly what data is being sent to the hardware vendor, and, should they go out of business, the router system is probably useless. Among the systems that require you to establish an account are eero, Google Wifi and Plume. Among the systems that do not require an account are the D-Link Covr and the Netgear Orbi. AmpliFi is in the middle. It only requires an account for remote admin access to the network. AmpliFi does not have its own accounts, it uses either a Google or Facebook account.


Diverging from security, after testing the Wi-Fi performance of a few mesh router systems, Tim Higgins observed: "... no matter which mesh wireless system you choose, be prepared to experiment with node locations. Unfortunately, only Amplifi provides signal strength information to guide mesh node placement and also provides a clear indication of how nodes are connected. With the others, you're on your own to devise your own methods to determine best node placement. Let's hope vendors improve the situation, because it's clear mesh node placement matters...a lot!"

Some mesh systems can be connected via Ethernet, some cannot. The official term for the connection between the satellite mesh devices and the main device (the one directly connected to the ISP) is "backhaul." In August 2017, Tim Higgins wrote that eero, TP-Link Deco and Google Wifi support Ethernet backhaul, while the Netgear Orbi does not. Netgear has been promising support for a while now.

In the same article, Higgins notes that the systems differ in radio design. Both generations of Orbi and eero Generation 2 have three radios: one for 2.4 GHz and two for 5 GHz. Google Wifi and TP-Link Deco have only two radios. Orbi and eero dedicate one radio to the 5 GHz low band (channels 36 - 48) and the other to the high band (channels 149 - 165). Orbi always uses the 5 GHz high-band radio for backhaul, and for nothing but backhaul. In contrast, with eero Gen 2, Wi-Fi devices can connect to any of its three radios. He implies, but does not explicitly say, that Google Wifi and TP-Link Deco can use either frequency band for backhaul. With Google Wifi you have no control over this; I don't know about Deco. The article did not include AmpliFi, so I will add that AmpliFi lets you easily choose the wireless frequency band used for backhaul. This is a great feature: when a satellite device is close to the main device, 5 GHz provides better speed, but when they are far apart, 2.4 GHz provides a stronger connection.

In the same article, Higgins notes that eero Gen 2, TP-Link Deco and Google Wifi can continue to operate if their cloud services are off-line. Eero originally could not do this, but this has changed. Still, for these devices, the cloud service is an essential part of the product, which is not true for Orbi and AmpliFi.


The Eero app has a nice security feature. If you click on the message that says "9 connected devices" (see screen shot) it displays a list of devices that are "Currently on your network". For each device it shows the signal strength and current bandwidth, but not the name of the eero device it's connected to (see screen shot). The nice feature is that right under this list is another list, one of devices "Recently on your network". And, since the eero app lets you give friendly names to devices (Bob's new iPad), this makes it easy to look for intruders. Screen shots were taken with the Android app in July 2017.
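On a system whose app offers no such list, the same intruder check can be scripted from any computer on the LAN. The following is an added example for this page, not eero's or any vendor's code: it parses the host's neighbour table (the format `arp -an` prints on Linux and macOS), diffs it against an allow-list of known MAC addresses with friendly names, and flags anything unfamiliar. The sample ARP lines, MAC addresses and names are all constructed. As a small extension beyond the paragraph, it also notes when an unknown MAC has the locally-administered bit set, which is what a phone with MAC randomisation turned on looks like, so that a "new" device may simply be a known phone under a fresh address.

```python
"""Who is on the LAN right now, and which of them do I not recognise?
Added example (not eero's or any vendor's code). All addresses and names are constructed."""
import re

# Constructed sample of `arp -an` output. A real run would use
# subprocess.run(["arp", "-an"], capture_output=True, text=True).stdout instead.
SAMPLE_ARP = """\
? (192.168.1.1) at 3c:84:6a:11:22:33 [ether] on eth0
? (192.168.1.23) at 9c:8e:99:aa:bb:cc [ether] on eth0
? (192.168.1.77) at 2:11:22:33:44:55 [ether] on eth0
? (192.168.1.200) at <incomplete> on eth0
"""

# Friendly names for the devices you know, keyed by MAC; the router itself included.
KNOWN = {
    "3c:84:6a:11:22:33": "router",
    "9c:8e:99:aa:bb:cc": "Bob's new iPad",
}

# Matches "(ip) at mac" and tolerates the unpadded octets macOS prints (e.g. "2:11:...").
ARP_RE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at (?P<mac>(?:[0-9a-f]{1,2}:){5}[0-9a-f]{1,2})",
    re.I)


def normalize_mac(mac):
    """Canonical lower-case, zero-padded aa:bb:cc:dd:ee:ff so allow-list lookups match."""
    return ":".join(part.zfill(2) for part in mac.lower().split(":"))


def parse_arp(text):
    """MAC -> IP for every resolved entry; '<incomplete>' lines carry no MAC and are skipped."""
    devices = {}
    for line in text.splitlines():
        m = ARP_RE.search(line)
        if m:
            devices[normalize_mac(m["mac"])] = m["ip"]
    return devices


def is_locally_administered(mac):
    """True when bit 1 of the first octet is set: a randomised (privacy) or hand-assigned MAC,
    not one burned in by the manufacturer."""
    return int(mac.split(":")[0], 16) & 0x02 != 0


def unknown_devices(current, known):
    """Entries of `current` whose MAC is not in `known`, as MAC -> (ip, looks_randomised)."""
    return {mac: (ip, is_locally_administered(mac))
            for mac, ip in current.items() if mac not in known}


if __name__ == "__main__":
    now = parse_arp(SAMPLE_ARP)
    for mac, ip in now.items():
        print(f"{ip:16} {mac}  {KNOWN.get(mac, '??')}")
    for mac, (ip, random_mac) in unknown_devices(now, KNOWN).items():
        note = "  (locally administered: possibly a known phone using a randomised MAC)" if random_mac else ""
        print(f"UNKNOWN: {ip} {mac}{note}")
```

The neighbour table only shows hosts your computer has recently talked to, so for a full inventory ping the broadcast address or sweep the subnet first, or run the script on the router itself if it offers a shell. An entry that appears and disappears between runs is exactly the kind of device the "Recently on your network" list is meant to surface.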


I have no experience with the Asus Lyra mesh system, but here is some of what I have read.

On the plus side for privacy, no account is needed to setup and configure the system. On the minus side, it includes the same Trend Micro malware protection system, AiProtection, that Asus uses on their single box routers. For more on the privacy issues with this see the bugs page under May 2017, the topic is "Privacy issues with Trend Micro software in Asus routers".

As noted on the WPS page, Lyra supports WPS.

It does not seem to self-update. We can't know for sure as there is no User Guide to look it up in. There is a function in the mobile app to update the firmware: Settings => System => Firmware update. Asus says to use this to manually check for any new firmware versions.

It does not support wired Ethernet connections for backhaul. There are no USB ports.

According to this FAQ item, remote access to the system just works. I take this to mean that the router maintains a constant connection to Asus which must be functioning as a middleman when an Android/iOS device wants to administer the system from afar.


The AmpliFi mesh router system does not self-update, but it does check for updates on its own. There is a problem with this approach.

I administer two AmpliFi setups, both remote from me. To fix the KRACK flaw, in October 2017, AmpliFi released new firmware, as did many router vendors. So, I went to update each AmpliFi system. The first one reported that it was running firmware version 2.4.2 and that 2.4.3 was available to be installed. Fine.

The second system was also running firmware 2.4.2 but it was ignorant of the newly released firmware. The mobile app has no manual check for update feature, so all I could do was wait until it detected the new firmware on its own. Only then, could I manually update it.


The TP-Link Deco M5 does not self-update. According to the User Guide, the mobile app tells you when there is an available update and then you have to manually install it by clicking a button. It doesn't say whether there is any passive notification for people who never go into the app. In fact, it doesn't say much at all. The User Guide is lame as heck. That it's only 18 pages tells you all you need to know; but 6 of the pages are legal stuff. That leaves 12. Take away the cover page and table of contents and we are down to a 10-page pamphlet.

The mobile app requires a TP-Link ID to even get started. It has the mandatory one and only one guest network. It includes the Trend Micro antivirus software that, as we have seen when it is used in Asus routers, can spy on you. For more on that see here and here.

This page was last updated: December 3, 2017 12PM CT     
Created: April 26, 2017
Feedback: routers __at__ michaelhorowitz dot com  
Copyright 2015 - 2018