How It Works - more
One of CUJO's base protection mechanisms is to block remote access to all devices behind by the CUJO firewall. In this respect, CUJO is just like your router's NAT firewall, which also blocks all inbound traffic by default. But since CUJO sits in front of your router, you now get an additional layer of protection. Conversely, if you want to enable an inbound service, you need to both forward a port in your router's firewall and configure CUJO appropriately.
I tested this by enabling remote access on my PC, then enabling port forwarding on my router to pass external Remote Desktop Protocol (port 3389) traffic to my PC. My first attempt to access my PC was blocked and I saw the warning below, meaning that CUJO blocked the remote access as designed.
Remote Access Protection
I then selected UNBLOCK on the CUJO app, and after a few attempts to remotely access my PC, it worked. CUJO engineering told me that there can be a delay of up to 30 seconds after selecting unblock since CUJO needs to coordinate with CUJO cloud to make this happen.
A common network device is an IP camera, which often has remote access enabled so you can remotely view it. Moreover, that IP camera may just have simple user name and password protection, which can be breached through a simple brute force attack. A brute force attack is where an attacker either manually or with a simple program keeps trying to login with combinations of user names and passwords.
Once the hacker succeeds in guessing the user name and password (which can be really easy if the user name and password was left at default settings), the hacker can now view the camera feed. The video below discusses vulnerabilities and CUJO's protection capabilities for IP cameras.
Another vulnerable network device is a network printer. This video shows how a hacker can install a program to capture print jobs from your printer and send them off your network. If your printer is compromised, documents you send to your printer can also be sent to the hacker's network, where they can print and view your document without you ever knowing it!
CUJO remote access protection protects your printer from remote access and subsequently having a print capture program installed. Further, CUJO device profiling will block your printer from talking to devices outside your network and block your printer from sending your documents outside your network.
CUJO applies network malware protection by blocking access to / from known bad IP addresses and domains. See CUJO's malware video here. I inadvertently experienced CUJO's anti-malware protection in action while casually surfing Yahoo. CUJO detected, blocked and alerted me via its app of multiple attempts to access the site shown below, which it considers a malware site.
Access is a new feature that allows restricting access to websites by device. This feature is available in the latest version of the app, but it is labeled beta, so still in development and being tweaked.
New CUJO menu with Access feature
The CUJO Access feature is a basic parental control / internet filter that filters website access by device. While this is a step forward, CUJO doesn't support user profiles like Circle with Disney and many other parental control products. So you can't assign devices to users and set appropriate filtering profiles at that level.
Devices are automatically discovered by CUJO when they connect to your network, so you select the device(s) to restrict from the list of discovered devices. The devices are listed by a network name that CUJO thinks matches the device, such as "Windows PC" or "Apple" device. To make devices easier to manage, you can rename them to something more intuitive, such as "Bob's PC," "Mom's iPhone," etc..
CUJO Access has 12 different website categories including News, Religion, Others, Shopping, Social, Streaming, Gaming, Rated R, Web Mail, Advertising, Adult, and Entertainment. The app has a brief description of each category, but no age ratings. Some of the category descriptions are shown in the screenshot below.
Access control categories
Other features in the app include a whitelist function to permit websites you don't want blocked, plus the ability to view the names of websites that have been blocked by device over the past 24 hours.
A basic feature supported by many routers that CUJO lacks is internet access scheduling. So there is no option to control when or how long a device can access the Internet. CUJO said this feature will be added as Access moves out of Beta.
To test Access, I created a profile to block access to all categories for one of my network devices. I got inconsistent results, where I could access some sites, but not others. The sites I couldn't access sometimes timed out, and other times presented CUJO's orange block page. In my opinion, the Access feature appears to need more work, so is appropriately labeled beta.
So, does CUJO make your network safer than just your current router? It depends on the router you have. Some routers, like ASUS' ROG Rapture GT-AC5300 and TP-Link's Deco Wi-Fi mesh system have Trend Micro IPS and malware protection built in. Luma's Wi-Fi mesh system also has the ability to detect when your network's devices are up to no good and also provides basic internet access schedules, which CUJO doesn't (yet) support. And none of these alternatives are charging a subscription fee for these services (at least not yet).
CUJO is now available at Best Buy in addition to Amazon and its own webstore. But Amazon and Best Buy sell only the $249 bundle of device and "free" subscription. So CUJO is trying to raise its ASP to boost revenue. You can only buy the device ($99) and monthly ($8.99) or yearly ($59) subscription, direct from CUJO.
But assuming CUJO to be as good or better than these other options, the more relevant question is whether CUJO will be here for the long term. Distributed / mesh Wi-Fi system newbies like eero, Luma and their ilk gave established consumer networking giants like NETGEAR and Linksys a wake-up call and are being reduced to single digit market share as a result.
Bitdefender is supposed to be shipping its upgraded Box sometime this year. Bullguard's Dojo has just started to ship and Domotz' Fingbox isn't far behind. And don't forget Circle with Disney, which supports more user-friendly user profiles. The real challenge, however, is likely to come from Comcast and other service providers who are already busily hawking physical home security systems to their customers. With the right partner, network home security is just a minor step and could be integrated right into the set-top box. This article by CE Pro's Julie Jacobson shows how home security players are eyeing this market.
CUJO continues to work on improving the product. In addition to the beta Access feature, CUJO is also working on version 2.2 of the CUJO app that may be available by the end of this month. The company shared that it is working on machine learning algorithms that can detect "Zero-day" phishing threats, but has no firm timeframe for rolling out that capability. CUJO said it is also working to integrate their software into an unnamed partner's router firmware.
The bottom line is that CUJO continues to evolve and today provides more protection from both inbound threats and surreptitious outbound traffic from compromised devices than it did nine months ago. The key question, if you decide to plunk down your $249, is whether CUJO will be around long enough to return enough of that investment.