X

Google fights router hackers with OnHub security

OnHub's real-world experience has helped Google learn to dodge common security flaws. That's welcome news in a world of easily hacked routers.

Laura Hautala Former Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
Expertise E-commerce, Amazon, earned wage access, online marketplaces, direct to consumer, unions, labor and employment, supply chain, cybersecurity, privacy, stalkerware, hacking. Credentials
  • 2022 Eddie Award for a single article in consumer technology
Laura Hautala
3 min read
tp-link-onhub-for-google-8521-001.jpg
Enlarge Image
tp-link-onhub-for-google-8521-001.jpg

Google's OnHub routers.

Josh Miller/CNET

When Google released OnHub, its sleek home router, last year, CNET reviewer Dong Ngo found it perfectly serviceable, though priced much higher than its competitors. So what does OnHub have that other routers don't?

"Industry-leading security," Chris Millikin, a security engineering manager at Google, wrote in a blog post published Tuesday.

If that's the case, it's welcome news. Routers are notoriously vulnerable to hackers for a variety of reasons. Google has tried to address many of them with its OnHub router, according to Millikin.

Locating local internet providers

"OnHub's security features go beyond those of the typical router," he wrote.

Why is it so scary that routers are easy targets for hacking? Consider that all your home internet traffic flows over your router. That includes plenty of personal information you don't want to hand over to strangers. What's worse is a growing trend of hackers who use routers and other internet-connected devices to create a zombie computer network called a botnet.

Locating local internet providers

Hackers typically take over regular computers to create these zombie networks, which they use for all kinds of cyber misdeeds. On top of that, the internet of things has become a tempting target for hackers who want to create a botnet. That includes routers, according to research published Thursday by cybersecurity firm Symantec.

"If we can keep your home or small network from participating in that, it's a huge win," Millikin said in an interview.

Google introduced OnHub just over a year ago but didn't tout the router as more secure than others. Now, though, Google has enough real-world experience with its routers to start publicly flaunting their security features, Millikin said.

"Now that we've seen it in operation for a year, we're much more confident about how it works and our approach, having responded to a number of vulnerabilities," Millikin said.

That's right, Google found flaws in its routers and then fixed them. Now it's bragging.

It might sound strange to brag about fixing a problem in a product -- shouldn't it be safe when you buy it off the shelf? But security researchers agree it's a good sign when companies issue fixes for their internet-connected products. Problems are nearly inevitable after a product goes to market. If a company hasn't rolled out an update, that's a signal it's not looking hard enough for glitches.

On the other hand, if a company welcomes research that shows its products are flawed, "that is an extremely good sign," said Daniel Miessler, director of advisory services at IOActive and a cybersecurity expert who specializes in finding flaws in internet-connected devices.

To simplify the process of fixing problems, Google designed OnHub to receive updates automatically, instead of requiring users to manually update.

"When updates don't happen automatically, many people don't bother," Millikin wrote in the blog post.

Finding flaws is a complex process with internet-connected devices. They often contain multiple chips made by different companies. What's more, instead of writing software from scratch, coders put in software from a variety of sources. Those are lots of places for bugs that might let hackers in.

If a hacker still finds a way into the router, Google has designed it to reject malicious code the hacker might try to run. For example, OnHub will refuse to boot up if it's been compromised. What's more, the router won't run software unless it comes with a special coded signature from Google.

Finally, Google is sprinkling its big-data magic over OnHub.

The device connect to the Google cloud through your Google account, something Ngo wrote might be a turnoff for users. It turns out, Google is using that feature to watch what's happening across all its routers and figure out if they're all being attacked in a similar way.

"We use anonymized metrics from our fleet of OnHubs to quickly detect and counter potential threats," Millikin wrote in the blog post.

The big snag here is that OnHub is just one brand of router. (Google itself may have a new Wi-Fi router on tap for an announcement next week.)

A Google spokesman said it has a small reach so far, but Google declined to say how many of its pricey routers it has sold to date.

Millikin is optimistic, though. "I think for routers in particular, it's an area that has been neglected for so long that there's some very low-hanging fruit."