Belkin Routers Route Users to Censorware Ad
The Register has a story today about Belkin routers redirecting their users' network traffic.
To me, this seems like the logical next step after top-level domain name servers piping ads to your browser. Now the routers themselves hijack the traffic they are supposed to, uh, route -- and you'll love where they send you instead. But it's OK because you can opt out. Incidentally, the Crystal Ball Award goes to Seth Finkelstein, who in 2001 quoted John Gilmore's famous aphorism about the internet, and asked "What if censorship is in the router?"
The device is defective. Make product support give you one that works. While you're at it, send hate mail to the marketing team. I bet the support guy will give you the right email addresses...
Better yet, get the addresses and post them here.
What's next? Will the phone you buy occasionally redirect your call to a telemarketer? Will your TV remote automatically switch channels to an infomercial? Maybe your car radio could redirect your listening to a Clear Channel station every 8 hours. These are business models I need to patent...
Don't forget that Friday is Hawaiian shirt day.
Thanks to ad-blocking features in some browsers like Opera or Mozilla, marketers now need new ways to deliver ads to the public. Ads are required to keep many people in business, and blocking them just forces marketers to use more intrusive tactics such as this. Why do you think Internet Explorer doesn't block ads by default? Because we should respect advertisers...
If you disagree with me, look at the ad at the top of this very page, even Slashdot uses ads to stay in business.
GoatPigSheep, the 3 most important food groups
I'm speechless at how brazen these guys are. I just don't know what to say, other than that I'm now afraid to buy their products. When I buy a product, I want it to work like it's supposed to work, not the way some marketing idiot thinks it should work. This is deceptive, possibly damaging, and certainly in violation of any number of specifications/RFCs. What are they thinking?
Several judges in different countries have already established that copy-protection on CDs was a defect and clients got reimbursed. This router behaviour is just the same.
When will they learn?
Maybe we deserve this world?
I recall an old argument against censorware was just this kind of intrusion.
The next step, of course, is for a hacker to hijack this "feature" and dump all of a routing company's customers to child porn, warez sites, or Nigerian scams galore.
Then there is the temptation of the companies themselves, "You can turn this feature off only by submitting a valid e-mail address." Then they sell off these addresses to spammers worldwide for a profit.
This kind of stuff is worse than Big Brother. At least in 1984 they didn't force commercials down your throat.
Karma Whoring for Fun and Profit.
Assuming I understand this correctly, it could be dangerous. What if the request that got hi-jacked was me transferring money between two accounts?
Sure, they are probably safe because they only hijack HTTP (port 80) and not HTTPS (port 143). Hopefully anything important I'm doing is on port 143.
I will not buy Belkin anymore. This type of behaviour in a product is unacceptable. Advertising is one thing. Hijacking my requests is much more serious.
Yes, it is a big deal.
First, the original poster on Google said that he got it, unannounced, as part of a router firmware upgrade. No warning or explanation.
Second, Belkin sells a product that is supposed to route Internet traffic, including HTTP. At certain, random points, it does not do that. Instead it sends out an advertisement to a user who has made a valid HTTP request. If Sony started selling a CD player that played a commercial for Coke once every 8 hours, would that be "no big deal"?
I'm not spending another cent on Belkin gear until they reverse the upgrade and pledge not to do it again. Otherwise, simple gear like routers will become spam engines.
Yes. Because routers route, period. And when they route, they're supposed to route correctly. Opt-out is bullshit, because it's saying "our product ships broken, until you unbreak it."
This is a defective product. It doesn't route IP packets correctly. Return it for repair, replacement, or [preferably] refund.
Boy did they blow this one. If they had stuck to something simple like your very first HTTP transaction brought up a configuration/advert screen only once, then there wouldn't even be a story.
What if I had bought this for an isolated network? Would it hang up for an appreciable amount of time trying to contact belkin.com?
Consider that a user is in the midst of filling out a long string of forms. After hitting the submit button, the next HTTP request directs them to this AD instead of the intended web form. Their form chain is broken, and there is potential data loss, as the customer has to start the forms over again. This is a VERY bad precedent to set. If it was the very first page served by the router, that could be different... the first time I turned on my home router it directed me to a welcome and setup page... which is quite different.
just my $2/100
Actually, Belkin is not getting ad revenue. They're advertising one of their own products (parental control).
Also, I think Belkin, D-Link, et al. might well listen. The home wireless router market is a cutthroat, commodity place. To me, they're all basically the same box. Why would I buy from a company that routes me to spam, when there are 5 others that don't on the same shelf for the same price?
It's the difference between opt-out and opt-in. If Belkin's routers shipped with this "feature" disabled, who in their right mind would turn it on?
According to a unet link posted earlier in this thread the router gets a request from 'filter.belkin.com' that will enable/disable the 'feature'. So apparently there's a call that you can make over HTTP that will manipulate the router w/out a login. Now that's secure!
Well, guess I won't be using any Belkin routers.
Or network cables, or any other product on my network. As a network admin, you have to trust at least that the components you install on your network. Besides, unsolicited HTTP is exactly the same as unsolicited SMTP. Regardless of whether it's penis pills or network services, I don't want it. This is worse however, as it not only sends unwanted packets, but destroys valuable data, which may or may not be vital to the operation of the network, or my company, or my job. Sorry Belkin, you lost my trust.
Waiting for ad.doubleclick.net...
I found this quote from Eric Deming in response to the original newsgroup posting quite interesting...
[quote]
By the way, this procedure (disabling the nagware in the router web-config) might have to be done if your router is behind a firewall. Reason: filter.belkin.com sends a response to the Router to set the flag. [/quote]
So Belkin deliberately left a configuration on the router to be modifiable by someone without proper authorization (the owner of the router or the network admin)? Absolute genius. Destroy your company's reputation 100% in one easy step: the backdoor(s) will piss off the geeks, and the nagware-advertising will piss off Joe Sixpack.
"Jesus saves, but everyone else in a 10 foot radius takes full damage from the fireball."
The sad thing is, marketing didn't create this feature. Some coder/engineer needed to add it...
It's a ROUTER. By design, it's supposed to deliver traffic to its intended destination, to the best of its ability, 100% of the time. Not route a request to some other place- that's not its design (well, in the case of Belkin's routers, unlike everyone else's, that is...).
Unlike popups, etc., this is redirecting randomly selected packets going to port 80 (and probably the HTTPS port as well...) to their server. Take a wild guess how many different things that just broke (SOAP, XML RPC, etc.). Like someone said, I hope nothing mission critical for you is on the inside of this stupid router- because it's BROKEN by design (And "configuring" the Router doesn't include turning frigging adverts off, either...).
It's got to be one of the stupidest things I've heard of in a long time done for the sake of marketing.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
Bottom line, thanks to Slashdot I'm not buying my routers from Belkin (not that I'm a telecom person, but still I'd be careful if I ever had to).
This is their wireless router -- it's made for home use, not for telecomm use.
And don't just not buy routers from Belkin. Don't buy anything. No routers, no cables, no USB hubs, no keyboards, nothing. Belkin makes a great deal of stuff -- boycott all of it. There's not a single product they make that they don't have competition for.
And let them know about it too. Email them (look here for the appropriate regional sales address) and tell them that you will no longer purchase their products until they apologize for doing this, put out a patch to fix it, and promise to never do anything along these lines again. Yes, I've already sent my email.
I've got a decent number of Belkin products... they're decently made, and often available for a good price. But there's no way I'll purchase anything from them at this point if I can't actually rely on the product to do its intended purpose. And that's what this boils down to -- you have a router that doesn't route properly.
Does anyone know the specific part numbers of the compromised routers? Is this a firmware issue, or a hardware issue? Basically how can I know if I'm affected, and should demand my money back.
I would absolutely flip out if my router dared to do this!
I'd return it as defective, which it is (in this case by design).
I request that it route packets to and from a given IP address, and instead it routes them to/from another. That meets my definition of a defective router.
It's official. Most of you are morons.
It's annoying enough to know that when you're sitting at a computer using a browser to surf the Web, a couple requests a day will get hijacked to the spam site.
But what about automated HTTP requests? You might be running some script to wget the latest greatest kernel source and instead it downloads a piece of spam. The hijacked HTTP request might come in the middle of a Gentoo build, or as you mirror a Web site and have a page replaced with an advertisement. You could be tunneling some other protocol over HTTP, and then who knows what this would do.
Very stupid and annoying of Belkin. If they wanted to make their parental control thing so easy to use, just include a CD that says "Put this CD into any computer on your network to enable parental control on your new Belkin router!" Newbies can figure that out. I don't want my own router launching some kind of spoofing attack on me three times a day just so I can view more spam.
What I love is Belkin's claim that they did this because having somebody visit a page violated their "ease of use" requirement. What a joke! As if people can't type in a URL after reading a leaflet included in the box? Are they aware that people type URLs all the time without trouble? They could even install a desktop shortcut to make it even simpler.
Then their letter goes on to explain how to disable the feature in the router (so you don't have to wait to be randomly redirected to the ad), and the instructions are quite vague: navigate to 192.168.2.1, find the setting which says something like (they don't give exact wording or where to find it, just vague directions), and turn it off. Where's the "ease of use" in that? Are they suggesting that this should only be turned off by advanced users and that naive users should simply sign up for their services?
Why can't they just admit that they wanted to prominently promote their subscription-based service? It's not like it isn't obvious what they're up to or anything.
This brings up an interesting point, though I don't know if the parent intended to make this point or just a joke/analogy out of it.
Since the router doesn't discriminate over which HTTP request it overrides, what happens if it intersects a privacy-sensitive transaction?
For example, if someone goes to pay their bills online, enter their billing info, click "submit"... then suddenly get an ad... what ramifications might that have?
That's a little more worrisome than getting an ad instead of some random page I might be trying to visit...
=Smidge=
Sleazy tactics like this aren't going to end. There's only one solution. We need to sit around and think up every sleazy, disgusting, wrong, and dishonorable tactic someone could use to pervert the internet and its standards to make a buck. We take that list, and patent it.
1. Client initiates a connection to www.my-private-site.org on HTTP port.
2. Client is silently redirected to Belkin's site.
3. Unknowing client sends the HTTP request, a POST request which contains some sensitive information.
4. Belkin has now hijacked a connection and received sensitive information that was not intended to go to Belkin.
Logically the thing to do is prosecute Belkin under federal wiretapping and computer crime laws.
This one is a bit more grey than something like VeriSign's Site Finder. IMHO I think that ads should only be part of a product or service if the terms of that service explicitly state that there will be ads. At this point we have a choice of using that service or not. So we have a choice of seeing those advertisements.
This goes wrong when advertisements are part of a public space. Like Site Finder or billboards. If we are in that public space, we have no control over whether or not we will see the ads.
As for the Belkin routers. In this issue they are not breaking any rules unless they do not inform the consumer that this "feature" is in their products. A consumer does not have to purchase Belkin routers.
In America we are imprisoned by our fear of them.
You can blame the marketing department all you want (please do), but at some point it was a geek (maybe someone who reads /.) who actually programmed this functionality. Their boss is probably somewhat of a techie, too. The testers who checked this functionality and the folks who created the web page also have some tech skills and savvy. Did they all think this was right?
The point is that geeks are to blame for this. The marketroids may come up with some stupid ideas, but who actually implements them?
I understand (completely) the self-preservation necessary in today's economy and the unwillingness to say, "No!" to something like this. I hope there were technical objections at Belkin. I hope there were testers jumping up and down and screaming about RFCs and proper routing and a failure rate of 3 per day per unit shipped, but I doubt it.
The next time your boss comes to you with one of these half-baked, asinine ideas, I hope you tell him that you object, as a Geek.
---
Q: Why do marketing guys wear ties? A: To keep the foreskin from flapping up!
You have just guaranteed that I will never buy one of your products. Furthermore I'll make sure I tell anyone I know who is interested in consumer gear of your utterly slimy behaviour along with my recommendation to give you a wide berth.
In summary you have bought a "router" that has its internal configuration updated by an external event.
That is, I (or anybody on the inside of my net, not just an administrator) can click on a link delivered from outside my area of control and that link SETS A FLAG IN MY ROUTER....???!
So now I have my router with its optional firewall support watching the data transport and reconfiguring itself in response.
This is such a bad idea it is unspeakable.
What if the first guy to see the web page and who isn't the rightful administrator, accepts?
How long until a nice buffer-overrun attack lets a malicious server reprogram my router?
How much of the CPU in the router is wasted looking at each HTTP request in search of this flag setting?
Belkin is "stealing" cycles and security from their customers.
Not smart.
Innocent people shouldn't be forced to pay for inferior software development.
--"Code Complete" Microsoft Press
Hi Christine,
Thank you for your kind and timely response.
Please forgive my additional questions, they are technical in nature. I'm sure you're getting a lot of communication on this subject lately.
I understand that the HTTP redirection is not really spam or spyware, it is more of a configuration page. I have applications that regularly download via HTTP:
1. Operating system updates (e.g., Windows Update)
2. Real-time data (e.g., stock quotes)
3. Critical data (e.g., drug interaction updates)
How does your product ensure that one of these HTTP connections (i.e. one not coming from a browser operated by an administrator) does not return the parental controls option page instead of the actual data requested?
The product is now open to receive configuration settings from a remote site (the external website is able to disable the 8 hour reminder). What authentication mechanisms are in place to ensure that the reconfiguration of the router by the remote site is, in fact, authorized? Note that the Health Insurance Portability and Accountability Act of 1996 (HIPAA) compliance requires 512 bit encryption on data transfers. Can I continue to recommend this product in a HIPAA environment?
Thanks again,
Marsh Ray
cc: kmc
Christine Lee wrote:
> >
>
> -----Original Message-----
>From: Marsh Ray [mailto:marsh@mysteray.com]
>Sent: Friday, November 07, 2003 4:21 PM
>To: sales@belkin.com
>Subject: Routers
>
>Dear Sir or Madam,
>
>I heard the wildest rumor today, and am seeking some clarification. Is
>it really true that Belkin routers will misroute http connections to
>advertisement sites?
>
>I have always held your products in high regard and am having a hard
>time believing this.
>
>Regards,
>
>Marsh Ray
>Belkin customer since 1997
>
Um, what other internet is there? Everything travels over the same commercial routers, and who's to say that those aren't Belkin routers? Also, what about small businesses who outsource their technical needs?
This proves the adage:
It is better to be silent and thought a fool than to speak and confirm it.
You are right in one regard, but the original poster also has a point, perhaps inadvertently.
While telesurgery is done over leased lines, and not the common internet (thank GOD! just like you say), the traffic flowing over those lines is still off-the-shelf TCP/IP. That TCP/IP is driven by ordinary equipment.
Also, IIRC, the contingency plan is not a technical one, but rather a surgical team on standby ready to "cleanly abort" the op if connectivity fails.
So I believe the original poster does have a point, although he/she doesn't seem to have been aware of it.