User-friendly and secure. Hardly anyone would pick either word to describe the vast majority of wireless routers in use today. So naturally I was intrigued a year ago when I had the chance to pre-order a eero, a new WiFi system billed as easy-to-use, designed with security in mind, and able to dramatically extend the range of a wireless network without compromising speed. Here’s a brief review of the eero system I received and installed a week ago.
The standard eero WiFi system comes with three eero devices, each about the width of a square coaster and roughly an inch thick. Every individual eero unit has two built-in WiFi radios that are designed to hand off traffic with the other two units.
This two-radio aspect is important, as most consumer devices that are made and marketed as WiFi range extenders or “repeaters” contain only one radio, and thus end up halving the speed of the repeated WiFi signal.
The makers of eero recommend one device for every 1,000 square feet, and advise placing one device no further than 40 feet from another. Each eero has two ethernet ports in the back, but only one of the eeros needs to be connected directly into your modem with an ethernet cable. That means that a 3-piece eero set has a total of five available ethernet ports, or at least one open ethernet port at each eero location.
Most wireless routers require owners to configure the device by using a hard-wired computer or laptop, opening a browser and navigating to a numeric Internet address to enter some default credentials. From there, you’re on your own. In contrast, the eero system relies on a simple mobile app for setup. The app asks for your name, email address and mobile number, and then sends a text with a one-time passcode.
After you verify the code on your mobile device, the app prompts you to pick a network name (SSID) and password. The device defaults to WPA-2 PSK (AES) for encryption — the strongest security currently available.
Once you’ve assigned each eero a unique location — and as long as the three devices can talk to each other — the network should be set up. The entire process — from placing and plugging in the eeros to setting up the network — took me about five minutes, but most of that was just me walking from one room or floor to the next to adjust the location of the devices.
MY TAKE?
The eero system did indeed noticeably extend the range of my home WiFi network. My most recent router — an ASUS RT-N66U, a.k.a the “Dark Knight” — cost about $150 when I bought it, but it never gave me coverage throughout our three-level home despite multiple experiments with physical placement of the device. In contrast, the eero system extended the range of my network throughout our home and to about a dozen meters outside the house in every direction.
In fact, I’m now writing this column from a folding chair in the front lawn, something I couldn’t do with any router I’ve previously owned. Then again, a wireless network that extends well beyond one’s home may actually be a security minus for those who’d rather not have their network broadcast beyond their front porch or apartment walls.
This is a good time to note one of eero’s best features: The ability to add guests to your wireless network quickly and easily. According to an interview with eero’s co-founder (more on that below), the firewall rules that govern any devices added to a eero guest network prevent individual hosts from directly communicating with any other on the local network. With a few taps on the app, guests are invited to join via a text or email message, and the invite contains the name (SSID) of the guest wireless network and a plaintext password.
There are a few aspects about the eero system that may give pause to some readers — particularly the tinfoil hat types and those who crave more granular control over their wireless router. Control freaks may have a hard time letting go with the eero — in part because it demands a great deal of trust — but also because frankly it’s a little too easy to set up.
There aren’t a lot of configuration options available in the app. eero says it is working on rolling out new features and options, and that it’s so far been focused on getting shipping all of the pre-ordered units so that they work as advertised. This is a WiFi system that I can see selling very nicely to relatively well-off consumers who don’t know or don’t want to know how to configure a wireless router.
To be clear, the eero is not a cheap WiFi system. I paid $299 for my three eeros, and that was at the pre-order rate. The same package now retails for $499. In contrast, your average, 4-port consumer WiFi router sells for about $45-$50 at the local electronics store and will do the job okay for most Internet users.
Another behavior central to the eero that is bound to be a sticking point with some is that it is regularly checking for or downloading new security and bug updates from the cloud. This may be a huge change for consumers accustomed to configuring all of this themselves, but overall I think it’s a positive development if done right.
For starters, the vast majority of consumer grade routers ship with poorly written and insecure software, and often with unnecessary networking features turned on. It’s a fair bet that if you were to buy a regular WiFi router off the shelf at the local electronics store, that software or “firmware” that powers that device is going to be out-of-date and in need of updating straight out of the box.
Worse still, most of these device will remain in this default insecure state for the remainder of their Internet-connected lifespan (which is probably at least several years), because few consumer routers make it easy for consumers to update, or even alert them that the devices need updates. There are so many out-of-date and insecure routers exposed to the Internet now that it’s not uncommon to find criminal botnets made up entirely of hacked home routers.
True, geeks who feel at home tinkering with open-source router firmware can void their warranty by installing something like DD-WRT or Tomato on a normal wireless router, and I have recommended as much for those with the confidence to do so. But I also am careful to note that anyone who updates their router with third-party firmware but fumbles a crucial step can quickly be left with an oversized and otherwise useless paperweight.
INTERVIEW WITH EERO CEO/CO-FOUNDER
I wanted to know more about the security design that went into the eero, and fortunately was in eero’s hometown of San Francisco last week for the RSA Security conference. So I dropped by the company’s headquarters and got to sit down briefly with the company’s CEO and co-founder, Nick Weaver.
“The way we designed the eero system in general is that it’s a distributed system that runs in your home, and the system we use to deliver that experience is also a distributed system,” Weaver explained. “In your home, the system distributes the load of clients, compute, updates, and diagnostics across the units in your home. We also have a cloud with a distributed architecture, and that’s what allows the eero networks to update an configure themselves automatically.”
BK: Where does that distributed cloud architecture live?
NW: Today it’s Amazon, and everything is hosted on AWS. There’s a high frequency [of check-ins] but not a lot of traffic. There is very little information exchanged. Only diagnostic info that explains how the links between the eeros are doing. You can think of it as a network engineer in the sky who helps ensure that your network is configured properly.
BK: How does the eero know the updates being pushed to it are from eero and not from someone else?
NW: Every update is signed by a key, and that key is locked away at [the bank].
BK: Does eero collect any other information about its users?
NW: There is no information collected ever about where you go on the Internet or how your connection is being used. That is not information that’s interesting to us. The other co-founder studied networking and security and contributed quite a bit to the Tor Project. We’ve got all the right tensions in our founding team. Security is really important. And it’s been totally underestimated by all the existing players. As we’re discovering more and more security vulnerabilities, we have to be able to move quickly and deploy quickly. Because if you don’t, you’re doing a disservice to your customers.
Would you buy a eero system? Sound off in the comments below.
Update 12:58 p.m. ET: Corrected the price of the 3-eero unit.
I like the eero system a lot. I am a big Ubiquity fan especially for very long links such as when I am out on my boat on the ocean I can still get access to WiFi for a long distance. However as a pen tester its hard to keep using a product that has so many flaws like Ubiquity has. I would really like to see eero make a long range bridge that could be used like Ubiquity.
I am not sure if I’m comfortable with my Wifi password being sent in plaintext, over an insecure medium, to my guests. Not that I don’t trust my guests (I trust most of them), but one stolen phone or compromised email inbox means that anyone who steals it can just sit in their unmarked van across the street and dowload anything they want off of my network.
You must have skipped the sentence just before this one.
Let me provide that here: “According to an interview with eero’s co-founder (more on that below), the firewall rules that govern any devices added to a eero guest network prevent individual hosts from directly communicating with any other on the local network.”
Guests cannot see or communicate with devices on your network, worst case someone can be a freeloader with your bandwidth.
True. However, if they use it to download or even worse, publish, child porn?
Yes, you will eventually probably be able to get the charges dropped, but in the meantime your name is now associated with child porn.
Right. So you feel safer giving compromised guests the wifi password to your actual network, as opposed to just a firewalled one, because the password handoff is more secure? Give me a break.
zboot,
I was simply reminding Read first then read again that, “Guests cannot see or communicate with devices on your network, worst case someone can be a freeloader with your bandwidth.”, is not as a trivial issue as he was making it sound.
My preferred way to handle guest access to my wifi is unique passwords that I give to each guest and that automatically expire at a time I specify, with each guest isolated from one another and my devices on the network.
I think what some miss is how easy it is to turn guest access on and off. Mine is off, unless someone I know is in need of it. I don’t leave it on all the time. Why would I? Go into the app and turn it on when needed.
As for security, their site doesn’t need to mention much about security, as long as it isn’t supporting old protocols and is patching known vulnerabilities that other routers have.
The setup on an eero is 2FA. In that you need to create an account (unique username and password no default), 2nd you have to use something you have to set it up (app on the phone that connects over bluetooth). This is beyond your typical home router which comes with the a default username and password that is published and most users will not change, and never updates vulnerabilities. And let’s be honest most users won’t update them either.
I have used Ubiquity, but there are two advantages over those as well. The largest benefit is zero handoff. Ubiquity doesn’t support this at all, if they ever will. 2nd you need a dedicated control server. You can install that on your home PC, but now you have a server service running on your home PC. I don’t consider that friendly.
I pre-ordered a set of three and I won’t go back. I had an Apple AP setup which was working well (1 base station and two express). For all you Apple haters, I actually had a Linksys with DD-WRT setup before that (3 setup as well). So I have a lot of experience with different setups.
With my Apple AP environment, I often had trouble when roaming my house. My device would hold onto a station even when I was standing next to another device. At max I was getting only 13Mbps over wifi, and depending where in my house and when I connected the same spot could be different. At some of the worst spots I would only get 6 or 7 kbps.
Since installing the eero’s, I cap out at my ISP bandwidth and I can’t find a dead zone. That is saying something. On the con side, I am not sure I would pony up $500 for it now. I am glad I got it at $300, it was well worth that. Even after an almost 1 year delay.
They video on their website at 1:36 the guys shorts……
or should i say the lack there of.
My problem with the video? Guy throws away his router..and then the voice over says “Eero is not a router”. so…what is doing the routing now?
‘But we know what plants crave. Brawndo. It’s got electrolytes.’
‘…Okay – what are electrolytes? Do you know?’
‘Yeah. It’s what they use to make Brawndo.’
‘But why do they use them in Bawndo? What do they do?’
‘They’re part of what plants crave.’
‘But why do plants crave them?’
‘Because plants crave Brawndo, and Brawndo has electrolytes.’
Bravo.
The eero seems like a Dash forward, hopefully other companies adept to this change. A more secure world is a better world afcourse. At this stage i’d rather wait a bit before getting this one, curious if the market reacts to a higher standard.
Another inspiring post Brian, my thanks, keep it up.
Good read, but I think it should be “all the right intentions in our founding team” instead of “tensions”. Keep up the good work!
that’s a direct quote, not a typo. I’m guessing Weaver used “tension” to describe the necessary push and pull that occurs when you try to balance usability and security — because there are almost always trade-offs.
What happens if they go out of business?
Firmware updates stop. Your routers lose the capability to readjust for changes as you move furniture around in your house.
Unfortunately, people who have Windows Phones can’t use this product since their app is only available for ios and Android.
Then there’s the privacy issue of having to give them my mobile phone number to set it up. I’d prefer the alternate of using a laptop.
Use a burner phone, obviously. They’re so cheap these days that not having [at least] one is irresponsible if one is truly security-conscious.
I don’t deal with Big Evil, and something like GV is useless for truly protecting one’s privacy. So many things and people who don’t truly need it want a cell phone number, or you need it for something like this where you get an OTP. Old phones are cheap and plentiful and prepaid cards are easy to obtain. Keep your private number private; it’s not difficult.
On topic: yeah, I’ll pass on these routers. There is no way I’ll allow blind updates or any of my info hosted on AWS, nor cede granular control to some “network engineer in the sky.” What a tool this Nicolas guy is.
Also a tool extraordinare: David Litman. Whatta no-life putz you are!
Same with blackberry users as my self. Sometimes we can sideload but not all functions work. I know I can use an ipad or crap old iphone or such but yeah….
I was excited about these devices with the promise of strong coverage and seamless transitioning between them and considered a purchase. But after reading some reviews on Amazon it seems that the “seamless” handoffs are not really happening i.e. your device (may be device dependent) tends to hang on to their original contact point when you move around the house, thus defeating the distributed mesh benefit. Have you noticed anything in this regard?
Also, I’m curious to know if the network latency increases depending on how many devices the “connection” passes through.
What about (probably insecure) IoT devices? Any way to keep them completely separate from our primary devices? (Like Steve Gibson’s “3 dumb routers” config)?
Setup a vlan for those devices
I really like the idea of this. The relatively expensive Apple router is the first one I’ve had at home that lasted more than a year, and has been awesome. (Which makes it much cheaper than the less expensive Netgear crap I’d been replacing annually.) The Ubiquity APs I put in at work last year have been the first I’ve used in the workplace that didn’t just suck.
So would I buy one of these? Possibly, once it matures a bit, depending on how the feature set grows. Would I recommend this to a tech-challenged friend to whom I was willing to offer help but not extensive/frequent support? Absolutely.
Agreed on the Apple AirPort. I have two Extremes, located on either ends of my house, connected via Ethernet. Granted, they’re not a “mesh” network per se, but they do work together really nicely, including coordinating channel selection, coverage, and “handing off” devices from one AirPort to the other.
My two AirPorts do a really nice job of covering my ~3000 square foot, 3 level house, plus I get decent coverage outside as well. Granted that two AirPorts, at $400 total, aren’t that much cheaper than the eero, but they are certainly a known quantity and I’ve been really pleased with their performance. Plus they look cool. In an Apple sort of way. 🙂
A Ubiquity UniFi LR AP for <$100 (with a strong password) is hard to beat, in my opinion.
No way I am buying a $500 WiFi range extender that requires a smartphone to set up and sends passwords by SMS, thank you very much.
“billed as easy-to-use” or “built”? )
“Billed” as in the company is representing them as an easy to use device.
“Billed” – as in the company is saying they are easy to use.
Sounds good. How does it compare to LUMA? http://support.getluma.com/hc/en-us
Thanks for sharing this – looks about what I need for my house. Love the content filtering and other kid-friendly (unfriendly?) options.
Other than it’s actually shipping? Last I checked the Luma has the perpetual “Coming Soon” / “Pre-order” sign on their front door.
Thank you for all the great articles!
There is a little typo in the sentence below.
Another behavior central to the eero that is bound to be a sticking point with some is that it is is regularly checking for or downloading new security and bug updates from the cloud.
The two radios is a good idea but unless they’re doing 5ghz and 2.4, there’s still likely channel overlap if they are close together. But it sounds like a nice solution.
I’m more comfortable with a ddwrt or tomato setup and hardwired nodes. I don’t trust automatic updates for new devices so much.
A similar product that I have been using and really like is open mesh. http://www.openmesh.com
1. If your internet is currently “off” because your provider is lousy; do you still have full control over the device, or is the device setup and features controlled by a link to the cloud?
2. So no web page configuration, only App configuration?
Too expensive for a home wifi router. I’m happy with my Linksys/Cisco smart wifi gigabit router that is also mobile app controlled and easy to activate or deactivate guest wifi.
The main thing is that I keep remote access turned off which is probably the biggest security issue. I was hesitant as I wanted to be able to reboot it remotely if my wife or kids needed the router rebooted in case of power surge, etc, hosing it up but that situation has not arisen. Worst case scenario, they can unplug it and plug it back in if I can’t talk my wife through how to do it from the app I have installed on her smartphone.
What I’m really waiting for is consumer level cloud based machine learning/applied mathematics next gen anti-malware products. In the commercial space, these are products like Cylance (pronounced ‘silence’). I consult for breach response in the merchant credit card space and I’ve already seen this product pick up inert/sleeping POS malware that Bit9/Carbon Black missed. Pretty impressive and supposedly picks up over 90% of malware versus signature based anti-malware picking up far less than 50%.
The price point is the only sticking point for me. It might be something I look into when I eventually, but for the time being, the cost makes this a non-starter.
RE: The price point is the only sticking point for me.
I have AT&T Uverse but am only using AT&T U-verse Internet Max Plus which now includes “High Speed Internet Equipment Fee $7.00″ A user asked ” Is there a way to purchase a gateway and avoid this fee?” Uverse replied “Currently, if you sign up now, all equipment is being leased. The equipment fee not only covers the cost of the equipment, but provides a warranty with it, so that if you have any issues, we will get it fixed.” So now we are back in the “good old days” of my squandered youth when everyone had to lease a landline phone from Ma Bell. A call to the Help Desk resulted in being told that I could return the box to an AT&T store. Uverse wants $84 per year to lease the wi-fi box. Does anyone know if the Uverse box, a Motorola NVG589 can be replaced by an eero or some other high quality device? The Motorola box has “AT&T uverse” molded into the plastic cover so I am thinking the box may have some unique characteristic that is required by Uverse.
We have data caps, our system sucks, our plant sucks, the people in the call centers suck.
Get Cable.
Last I checked when I had uverse a few years back, they were using a non standard proprietary login method that REQUIRED one of their devices attached.
So check and see if that’s still the case.
However, even if that’s true, there’s a possibility that you can get a used device on ebay and return your current one to AT&T, to get the lease payment stopped. If you do that, be sure to get a receipt for returned hardware, and a call to AT&T may be needed for them to reconfigure the setup on their end to match your replacement device.
The AT&T U-verse RG is (at least up to the point when I cancelled) an integrated DSLAM modem and wifi AP, not separate pieces. I had to rent the whole thing, even if I had no intention of using their Wifi. If you have one “box” for your uverse, chances are you are stuck with it. If you have one modem box that has an Ethernet gateway, and a wifi box connected over an Ethernet connection, then swapping your own in should be simple.
The NVG589 isn’t just a router, it’s a modem/router/wifi gateway. For you to use a standard router with it, you have to get a VDSL2 modem to interface the router with AT&T’s weird little fiber-to-the-neighborhood system.
In my experience the more crap shoveled into an ISP device the less reliable it is. They’re always exceedingly cheap because large ISPs have entire engineering departments devoted to telling suppliers how to shave nickles and dimes off the cost of their equipment.
This was an interesting article although not as good as some I’ve read here. Your statement “downloading new security and bug updates from the cloud” is kind of lazy. I assume EERO told you that. What does “cloud” mean in this case? Is it one EERO server in SF? Is it a bunch of servers that are geographically separated? EERO’s cloud setup will have a lot to do with the security of these devices.
I like to know about updates before they are applied. I don’t think this makes me a control freak. I’m not interested in reading the source code but I think that it’s completely reasonable to want to know what an update does before you apply it.
Finally, your article title touts the security of these devices but the EERO web site only mentions security once and that is in reference to the automatic updates. Any half-way decent device will do automatic updates now. Their major focus seems to be eliminating dead spots in your house. This is not a bad goal it just doesn’t have much to do with security at least in a positive way – which you mentioned.
Keith, I’m going to assume you didn’t read the entire article, such as the part where the CEO explains that they use Amazon’s EC2 servers.
Brian,
I didn’t mean to offend. I did read it and then I read their website and came back here to browse before posting. Since I’m at work there was some time between each of those steps. I forgot that part and commented on a pet peeve. I’ve been in IT for a long time and I hate the word cloud. Thanks for asking for more detail on it.
I am interested in the same as Tea and Toast asked. Do you know how this compares to Luma? Thanks!
It may well work as advertised and be a decent system, but it is going to be a hard sell at the price those of us in the real world will have to pay…
Nothing like adding more electronics to the landfills. I don’t understand why people keep buying all these “cloud” devices that lack a local configuration interface. If the manufacturer ever goes out of business your “cloud” configured trash ends up in a landfill.
The world would have been a better place had these devices never been created.
Cool story. I will stick with OpenWRT.
Actually, at least with ASUS routers, uploading an invalid flash to the router doesn’t turn it into a useless paperweight. You simply put the router into firmware recovery mode, which is explained in the manual, and then upload another firmware to it.
Firmware recovery mode lives in the CFE, kind of like the BIOS/UEFI for routers, and uploading a firmware doesn’t overwrite the CFE. A firmware is basically the OS. You can upgrade an OS and the BIOS/UEFI shouldn’t change.
On the unlikely event you can’t get it back, ASUS does cover hardware failures, even if a third party firmware was on the device.
Good read. I like the fact that it’s a no-brainer to set up. However, I would think the no-brainer factor appeals mostly to the average person with little or no concern for security, nevermind tech cred… and these are the people buying the $60 gear. So who is this device being marketed to? I would suggest that it’s not someone with the money and interest in a reliable, highly configurable router.
You know what feature would really offer security? A wifi AP that can track devices broadcasting solicit messages (which every wifi device does in order to figure out where joinable APs are) and then aggregate the data. With 3 devices spread across your home it should be able to get a pretty good idea of where each user is, or at least a good guess at proximity. Set up a time window you don’t expect any visitors (say 11pm to 7am) and you can now use the perp’s own smartphone as a tattletale, alerting you to unwanted presence on your property. You also have a digital fingerprint of him (his smartphone’s wifi MAC and a list of the APs he frequents) to go after him should you need to find/prosecute him. Now That’s wifi security I am willing to pay extra for.
Read this with interest. Thanks for this informative and useful product news. I use an apple extreme 6th gen router, wired (home-run cat6) to a 2nd Apple extreme 6th gen device, that is set to bridge-mode and functions as an access point at other end of my house. Security is wpa2 with guest on 1 p/w and 2.4 and 5ghz radios xmitting with a 2nd p/w. This rig IS expensive ($400) but I believe the excellent range, speed and security To be well worth the spend. Plus, admin (airport utility) is easy and application of periodic Apple firmware updates is automated. I like to think I am safe but would be interested to know of any apple extreme router firmware or optioning issues I ought to be considering.
I’m not a shill for Checkpoint, but if you want an easy to setup UTM appliance that has excellent security and features, you can’t beat their Safe@Office series. The only hard part is blocking web facing administrative access, and changing your administrative ID and password from the factory setting; and your WPA2 wi-fi logon information. After that, everything is auto configures for any application or service you install on the network/server/PC.
The only disadvantage to that is sometimes these same applications or services cause insecure situations, that haven’t yet reached the firmware update. A simple GRC test of the firewall and leak test can confirm whether this condition happens with a new situation. Usually the firmware keeps up with all common applications and services, and locks the security down while enabling full functionality. I’ve never found a competitor yet, that has the same thing at all, let alone the very reasonable yearly fees for streaming security services.
You get a full monthly IDS system report that is very readable and informative in your email in-box. I’ve used this many times to put forward credible complaints to the appropriate LEO agencies or ISPs concerning problems, and once confronted with this data, it is an excellent way to fight attempted breaches of your network(s).
There again, I’m not getting paid to brag about them, but I recommend them to all my SOHO clients. They are getting enterprise quality equipment and services for the price that even a private residence with no small business can afford.
What does this have to do with mesh networks in wifi? Nothing, other that it is another way to gain an easy to configure gateway, that can give you peace of mind, and another rivet in the armor of a well blended defense.