Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cisco Pushing 'Cloud Connect' Router Firmware, Allows Web History Tracking

Posted by Soulskill on from the solution-looking-for-a-problem dept.

Myrv writes "Reports have started popping up that Cisco is pushing out and automatically (without permission) installing their new Cloud Connect firmware on consumer routers. The new firmware removes the user's ability to login and administer the router locally. You now must configure the router using Cisco's Cloud connect service. If that wasn't bad enough, the fine print for this new service allows Cisco to track your complete internet history. Currently, it appears the only way to disable the Cloud Connect service is to unplug your router from the internet."

21 of 351 comments (clear)

  1. wow by v1 · · Score: 4, Insightful

    that's all I can say really. This sounds worse than sony's disabling of features in a firmware update. Only this one you can't just not do. (and deal with the consequences of not being up to date)

    But I bet this one gets sufficient backlash to require them to backpedal. Significantly altering the behavior of a purchased product by remote control, without opt-out. Arguably illegal?

    --
    I work for the Department of Redundancy Department.
    1. Re:wow by torkus · · Score: 5, Insightful

      Not to mention I didn't even click-through an EULA on that router that could get them an idea they have some kind of "right".

      It's MY router, I bought it. and it's not some quasi-goods digital product. This is a physical item. You want to back-door my router and install crippled firmware? I'll sign up with the class action if this is the case.

      I don't want anyone *at all* to be able to update my router from the internet (or WiFi for that matter). In fact, almost every router has remote (i.e. internet) side administration disabled for obvious security reasons. Now they include the word 'cloud' and it's OK?

      Hell, this isn't even cloud architecture anyway. It's just a web-based (pseudo-remote) remote administration tool. You'd think Cisco of all people would understand that.

      Then I see things like this and can't help but smile at the "progress" :
      Re: EA4500: weird login screen; can't login
      Options
      06-26-2012 05:10 PM

      I found a hole... Dynamic DNS password is displayed in plain text

      --
      You can get rich if you own a politician, but you have to be rich to buy one in the first place.
    2. Re:wow by Quakeulf · · Score: 4, Insightful

      No, they will only want in on the data and let this slide.

  2. Government by Anonymous Coward · · Score: 5, Insightful

    Although this is pure speculation, but I have reasonable suspicion as a former employee of Cisco, that this really plays well with law enforcement and other three letter government agencies, having the ability to track all Internet activities. That's all I have to offer on this subject. Be careful.

  3. thank you cisco, by alen · · Score: 2, Insightful

    when my linksys dies i won't buy one of your products. i'll probably just buy one of the Apple routers. the cost is about the same as your overpriced crap but they will work better with the icrap i already have at home.

    i've tried the cheapo routers and they seem flaky

  4. Re:Cisco Routers? by TheGratefulNet · · Score: 3, Insightful

    they would not dare do this to enterprise customers. those guys take privacy a wee bit more seriously than home users do. they also have big lawyers and would not hesitate to sue if some unplanned update was forced on them that changed their whole security architecture.

    home users don't have big lawyers and so they are defenseless against big corps.

    I just can't see why cisco thought this would be a good idea. its got FAIL written all over it and will go down in history as a 'sony rootkit' type event. just wow...

    --

    --
    "It is now safe to switch off your computer."
  5. Upgrade Instructions for STUPID OWNERS by plover · · Score: 4, Insightful

    So who just plugs in a firewall/router and starts using it out of the box without changing the password and checking over all the settings?

    Under the Administration / Management tab, you'll find a radio button clearly marked "Remote Management", and beneath that settings for Remote Upgrade. The day I installed it I discovered remote management was enabled by default, so I immediately set it to disabled. I remember thinking "My god, that's f*ing stupid! Who would ever want to expose router management to the wild side?" Apparently this answers my question.

    Anyway, for anyone here who is outraged that their router has been pwnd by Cisco, SHAME ON YOU for not securing your own damn router yourself before hanging it on the intarwebs!

    --
    John
    1. Re:Upgrade Instructions for STUPID OWNERS by symbolset · · Score: 4, Insightful

      I guess the question to ask yourself is, if a company would do this then what would that checkbox do?

      --
      Help stamp out iliturcy.
    2. Re:Upgrade Instructions for STUPID OWNERS by JDG1980 · · Score: 5, Insightful

      So who just plugs in a firewall/router and starts using it out of the box without changing the password and checking over all the settings?

      Average users.

      Under the Administration / Management tab, you'll find a radio button clearly marked "Remote Management", and beneath that settings for Remote Upgrade. The day I installed it I discovered remote management was enabled by default, so I immediately set it to disabled. I remember thinking "My god, that's f*ing stupid! Who would ever want to expose router management to the wild side?" Apparently this answers my question.

      This should never have been enabled by default. It's terrible security practice: the default settings should be as secure as is reasonably possible, and any loosening of those settings should have to be explicitly approved by the user/administrator. This is especially true on a consumer focused product that many users aren't going to be configuring at all.

    3. Re:Upgrade Instructions for STUPID OWNERS by plover · · Score: 3, Insightful

      I know exactly why Cisco did it, so they could remotely administer routers for "average users". That's not necessarily a terrible thing.

      My complaint is with technical people, such as the fine folks lurking here on slashdot, accepting any security device's defaults without checking them over. It's not like it requires arcane knowledge to look at the configuration screens; it just takes a mouse. You don't have to find a bunch of settings in a README.TXT file from some random website to know what you're looking for, or pull up a wiki page to explain what you're seeing. It's a button on a GUI screen that's clearly screaming out "LET SOMEONE ELSE RANDOMLY MESS AROUND WITH YOUR SECURITY", and these supposedly technical people left it checked. I clearly have no sympathy for them.

      --
      John
    4. Re:Upgrade Instructions for STUPID OWNERS by cant_get_a_good_nick · · Score: 4, Insightful

      ho? Normal people, who don't have computers skills. People who don't know a firewall from Firefox would. It seems you damn them to hell.

      Ok, so you know these things. My uncle, who was a CFO for a Fortune 500 company, doesn't know. Is he stupid? No, he just is as clueless about firewall and remote management as you would be about FASB157 and how you need to restructure your portfolio to comply. Are you saying that he shouldn't be on the Internet?

      I know a bit about cars, I've changed oil, fixed a EGR valve, some very minimal carburetor work, but I couldn't do a tune-up on a modern car to save my life. I don't have the tools, nor the specialty. My wife knows less than I do. I don't know how to set up my fuel injector ratios, should we not drive? No, we trust the people who made our car and those who tune up our car (we're lucky we have a very good mechanic) to fix as needed. In the case of our car, we're literally putting our lives in Baykar's very capable hands.

      We (collective we) hoped that we could trust Cisco to be trustworthy as well. For it to have capable, safe defaults for the vast majority of newbies that don't know better, and the opportunity for experts to customize. This faith in Cisco seems to be misplaced. Apple is selling billions of dollars of hardware because they understand this, that people don't know everything, and they just want things to work.

    5. Re:Upgrade Instructions for STUPID OWNERS by epyT-R · · Score: 3, Insightful

      Just because you don't know how to retool a lock doesn't mean you should hand the keys over to the state.

  6. Re:It's not that hard. by Jeng · · Score: 4, Insightful

    I was in the market for a new router, I now know that my next one will either not be another linksys or it will not be running the stock firmware.

    Since most of those who ask me for tech advice might not be up for re-flashing their router I will not be recommending linksys.

    So now the question is, what to recommend instead?

    --
    Don't know something? Look it up. Still don't know? Then ask.
  7. Re:Clarifications and Confirmations by Waffle+Iron · · Score: 4, Insightful

    Just an FYI ... the Cisco Connect Cloud concept allows people to manage and view their home network from anywhere on the internet so long as their router has a connection to the internet.

    Well, I for one got a router in the first place partly because I specifically don't want anybody or anything to manage or view my home network from anywhere outside said network.

    I've set it up to disable all such silliness, and I want it to stay that way.

  8. Short-term thinking by JDG1980 · · Score: 5, Insightful

    This is typical of the short-term thinking that is all too common among corporations today. They're throwing away their credibility with professional users – you know, the ones who buy the expensive Cisco gear that generates most of their profits – so they can grab a few quick bucks by data-mining the consumer market. How many network administrators are going to hear about this and rule out Cisco for future consideration? Keep in mind that the silent and unprompted nature of the update implies that there already was a back door into the routers, even before this recent change. And I don't think that Cisco can cleanly separate its credibility in the home and enterprise markets, even if this is what they're planning to do.

  9. Re:Carriers? by symbolset · · Score: 5, Insightful

    Let me explain about trust...

    --
    Help stamp out iliturcy.
  10. Re:Carriers? by Anonymous Coward · · Score: 2, Insightful

    its called a test bed, if their scheme is successful, they push it to other devices. 4 years after all products are on the automatic scheme, they charge for upgrade subscriptions.

  11. Re:SMOOTHWALL EXPRESS by contrapunctus · · Score: 3, Insightful

    I'm gonna guess that a router uses less electricity.

  12. Re:Upgrade Instructions for Cisco Clients by epyT-R · · Score: 4, Insightful

    Ideally we shouldn't support companies who do this even if their hardware is reflashable.

  13. Re:Verizon has been doing it for ages. by Chuckstar · · Score: 4, Insightful

    This is different for two main reasons:

    1) Verizon is your ISP. They already see all your internet traffic. That's just the way ISPs work. Cisco did not previously have access to any information about your internet traffic (and, btw, considering their stated goals of their cloud system, there does not seem to be a reason for them to have access to it now).

    2) The problem is not automatic updates. It's the dramatic change in your relationship with Cisco and how your router operates that is the problem. Automatic updates, if they were just bug fixes and feature upgrades, sound like a good thing.

  14. Re:FU No Thanks by Patch86 · · Score: 3, Insightful

    A) This only happens automatically if you have the option for automatic firmware updating checked in your router's config. You lose your geek card & status if you left this option on. Not that I'm saying the average home user (who almost certainly wouldn't know how/why to change this option) deserves to have his/her data snooped, but as a techie, you should know better.

    As a techie, I don't have my router using automatic updates (actually, I'm fairly sure my router doesn't have an automatic updates setting, but all the same).

    But as the "techie friend/relative", I always tell my friends and family to keep automatic updates turned on. They certainly wouldn't update these things themselves (mostly they barely know how to access their router's admin page), and I'm not going to be doing it for every single one of them. And an un-updated router is an insecure router.

    And they don't deserve to be spied on and have their privacy invaded just because they're not very good at network management.