My Router Has a Really Creepy Way of Telling Me About Software Updates

A few days ago, I went to Espruino Forums to discuss my JavaScript Powered Rock Tumbler project, when instead of getting the familiar forum interface, I got a “500 Internal Server Error” message:

You have probably seen this message in the past

Without thinking too much, I hit the Refresh button (F5), and got into the forum. It loaded successfully this time, but a second later I was presented with a suspicious popup message:

This seemed very strange? Why does the Espruino site offer me to upgrade my wireless router?

My initial thought was that the site was hacked and had some malicious code that tries to convince innocent users to download and install malware on their computer, disguising as a router upgrade. I even contacted Gordon, the soul behind Espruino, sharing my suspicions with him.

Only later, when I looked at the full URL, I realized that I was redirected to a local IP address, 192.168.1.1, which is the true IP of my router. I logged into my router’s management interface, and it indeed had a software update:

So it seems like the update message was legit after all.

Why This is Bad?

Users tend to ignore software updates. In case of a network router, they usually don’t even know there is an available update, unless they actively check for one. I guess that the person who designed this feature thought this would be a good way to make the users aware of the update and nag them to install the updates.

However, this design has several inherent flaws. First, the message may be displayed at an inappropriate time. Perhaps I am recording a screen cast (or sharing my screen during a webinar), and suddenly this message appears?

Second, there is a good chance that the user who sees the message is not even the administrator of the network, and doesn’t have the credentials for the router’s admin interface. Imagine your grandma getting this message while she is browsing numpy.org…

But most importantly — this kind of notification is an excellent way to teach your users exactly what they should not do, follow instructions to download software updates (or software that “repair” and “clean” the computer) from popups that appear in random sites on the internet.

I also got this message when I went to numpy.org, while working on my Data Visualization in Python post

This is Creeeepy!

On top of all, the fact that the router takes liberties in inspecting and modifying my internet traffic is creepy. This sure makes me wonder what else the router may do with my traffic. I couldn’t even find a way to disable this intrusive mechanism in the router administration interface.

So far, I have seen the popup message only on HTTP sites. Hopefully insecure HTTP will be a thing of the past soon, though sometimes even banks still use insecure HTTP for their landing pages.

Parts of the Router’s firmware are open source and can be downloaded from tp-link’s website. I downloaded these files and tried to look if I could find the code that is responsible for this message, but after two hours of digging into it, I couldn’t find a trace. Perhaps this part of the router software is not open source. At least I learned my router seems to run a Node.js server 🤓

How This Could Be Done Differently?

First of all, instead of assuming I am interested in getting these software update notifications on random website, they could have just asked when I set up the router. This would at least help avoid the unpleasant surprise and confusion I had with the Espruino site.

Second, instead of notifying by intercepting my network traffic, they could have ask for my email address during the router’s setup process and send me an email notifying me about the new version.

This router is an LTE router, which means it has a SIM card and it can send and receive text messages (SMS). So they could have also asked me for my phone number and then the router would text me whenever there is an update. The admin interface already includes an option to send texts, and I bet this kind of mechanism would be much easier to implement in comparison with intercepting the traffic (unless they already have another reason to do so?)

The Road to bad UX is Paved With Good Intentions

I am pretty sure the person who designed this feature had good intentions and thought it would be a good way to help push software updates to users more efficiently. However, I find this implementation creepy and also a bit scary.

Which lessons can we learn from this?

First, don’t surprise your users — popping up messages in unexpected places is not a good idea.

Second, don’t be too intrusive. Giving your users the feeling you are intercepting all their traffic isn’t a good way to build trust in your products.

Finally, avoid unintentionally teaching your users unsafe behaviors. You want to educate your users for safe browsing, not for installing software from popups that appear in random sites.

Let’s build products that users love!