Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cisco Pushing 'Cloud Connect' Router Firmware, Allows Web History Tracking

Posted by Soulskill on from the solution-looking-for-a-problem dept.

Myrv writes "Reports have started popping up that Cisco is pushing out and automatically (without permission) installing their new Cloud Connect firmware on consumer routers. The new firmware removes the user's ability to login and administer the router locally. You now must configure the router using Cisco's Cloud connect service. If that wasn't bad enough, the fine print for this new service allows Cisco to track your complete internet history. Currently, it appears the only way to disable the Cloud Connect service is to unplug your router from the internet."

14 of 351 comments (clear)

  1. wow by v1 · · Score: 4, Insightful

    that's all I can say really. This sounds worse than sony's disabling of features in a firmware update. Only this one you can't just not do. (and deal with the consequences of not being up to date)

    But I bet this one gets sufficient backlash to require them to backpedal. Significantly altering the behavior of a purchased product by remote control, without opt-out. Arguably illegal?

    --
    I work for the Department of Redundancy Department.
    1. Re:wow by torkus · · Score: 5, Insightful

      Not to mention I didn't even click-through an EULA on that router that could get them an idea they have some kind of "right".

      It's MY router, I bought it. and it's not some quasi-goods digital product. This is a physical item. You want to back-door my router and install crippled firmware? I'll sign up with the class action if this is the case.

      I don't want anyone *at all* to be able to update my router from the internet (or WiFi for that matter). In fact, almost every router has remote (i.e. internet) side administration disabled for obvious security reasons. Now they include the word 'cloud' and it's OK?

      Hell, this isn't even cloud architecture anyway. It's just a web-based (pseudo-remote) remote administration tool. You'd think Cisco of all people would understand that.

      Then I see things like this and can't help but smile at the "progress" :
      Re: EA4500: weird login screen; can't login
      Options
      06-26-2012 05:10 PM

      I found a hole... Dynamic DNS password is displayed in plain text

      --
      You can get rich if you own a politician, but you have to be rich to buy one in the first place.
    2. Re:wow by Quakeulf · · Score: 4, Insightful

      No, they will only want in on the data and let this slide.

  2. Government by Anonymous Coward · · Score: 5, Insightful

    Although this is pure speculation, but I have reasonable suspicion as a former employee of Cisco, that this really plays well with law enforcement and other three letter government agencies, having the ability to track all Internet activities. That's all I have to offer on this subject. Be careful.

  3. Upgrade Instructions for STUPID OWNERS by plover · · Score: 4, Insightful

    So who just plugs in a firewall/router and starts using it out of the box without changing the password and checking over all the settings?

    Under the Administration / Management tab, you'll find a radio button clearly marked "Remote Management", and beneath that settings for Remote Upgrade. The day I installed it I discovered remote management was enabled by default, so I immediately set it to disabled. I remember thinking "My god, that's f*ing stupid! Who would ever want to expose router management to the wild side?" Apparently this answers my question.

    Anyway, for anyone here who is outraged that their router has been pwnd by Cisco, SHAME ON YOU for not securing your own damn router yourself before hanging it on the intarwebs!

    --
    John
    1. Re:Upgrade Instructions for STUPID OWNERS by symbolset · · Score: 4, Insightful

      I guess the question to ask yourself is, if a company would do this then what would that checkbox do?

      --
      Help stamp out iliturcy.
    2. Re:Upgrade Instructions for STUPID OWNERS by JDG1980 · · Score: 5, Insightful

      So who just plugs in a firewall/router and starts using it out of the box without changing the password and checking over all the settings?

      Average users.

      Under the Administration / Management tab, you'll find a radio button clearly marked "Remote Management", and beneath that settings for Remote Upgrade. The day I installed it I discovered remote management was enabled by default, so I immediately set it to disabled. I remember thinking "My god, that's f*ing stupid! Who would ever want to expose router management to the wild side?" Apparently this answers my question.

      This should never have been enabled by default. It's terrible security practice: the default settings should be as secure as is reasonably possible, and any loosening of those settings should have to be explicitly approved by the user/administrator. This is especially true on a consumer focused product that many users aren't going to be configuring at all.

    3. Re:Upgrade Instructions for STUPID OWNERS by cant_get_a_good_nick · · Score: 4, Insightful

      ho? Normal people, who don't have computers skills. People who don't know a firewall from Firefox would. It seems you damn them to hell.

      Ok, so you know these things. My uncle, who was a CFO for a Fortune 500 company, doesn't know. Is he stupid? No, he just is as clueless about firewall and remote management as you would be about FASB157 and how you need to restructure your portfolio to comply. Are you saying that he shouldn't be on the Internet?

      I know a bit about cars, I've changed oil, fixed a EGR valve, some very minimal carburetor work, but I couldn't do a tune-up on a modern car to save my life. I don't have the tools, nor the specialty. My wife knows less than I do. I don't know how to set up my fuel injector ratios, should we not drive? No, we trust the people who made our car and those who tune up our car (we're lucky we have a very good mechanic) to fix as needed. In the case of our car, we're literally putting our lives in Baykar's very capable hands.

      We (collective we) hoped that we could trust Cisco to be trustworthy as well. For it to have capable, safe defaults for the vast majority of newbies that don't know better, and the opportunity for experts to customize. This faith in Cisco seems to be misplaced. Apple is selling billions of dollars of hardware because they understand this, that people don't know everything, and they just want things to work.

  4. Re:It's not that hard. by Jeng · · Score: 4, Insightful

    I was in the market for a new router, I now know that my next one will either not be another linksys or it will not be running the stock firmware.

    Since most of those who ask me for tech advice might not be up for re-flashing their router I will not be recommending linksys.

    So now the question is, what to recommend instead?

    --
    Don't know something? Look it up. Still don't know? Then ask.
  5. Re:Clarifications and Confirmations by Waffle+Iron · · Score: 4, Insightful

    Just an FYI ... the Cisco Connect Cloud concept allows people to manage and view their home network from anywhere on the internet so long as their router has a connection to the internet.

    Well, I for one got a router in the first place partly because I specifically don't want anybody or anything to manage or view my home network from anywhere outside said network.

    I've set it up to disable all such silliness, and I want it to stay that way.

  6. Short-term thinking by JDG1980 · · Score: 5, Insightful

    This is typical of the short-term thinking that is all too common among corporations today. They're throwing away their credibility with professional users – you know, the ones who buy the expensive Cisco gear that generates most of their profits – so they can grab a few quick bucks by data-mining the consumer market. How many network administrators are going to hear about this and rule out Cisco for future consideration? Keep in mind that the silent and unprompted nature of the update implies that there already was a back door into the routers, even before this recent change. And I don't think that Cisco can cleanly separate its credibility in the home and enterprise markets, even if this is what they're planning to do.

  7. Re:Carriers? by symbolset · · Score: 5, Insightful

    Let me explain about trust...

    --
    Help stamp out iliturcy.
  8. Re:Upgrade Instructions for Cisco Clients by epyT-R · · Score: 4, Insightful

    Ideally we shouldn't support companies who do this even if their hardware is reflashable.

  9. Re:Verizon has been doing it for ages. by Chuckstar · · Score: 4, Insightful

    This is different for two main reasons:

    1) Verizon is your ISP. They already see all your internet traffic. That's just the way ISPs work. Cisco did not previously have access to any information about your internet traffic (and, btw, considering their stated goals of their cloud system, there does not seem to be a reason for them to have access to it now).

    2) The problem is not automatic updates. It's the dramatic change in your relationship with Cisco and how your router operates that is the problem. Automatic updates, if they were just bug fixes and feature upgrades, sound like a good thing.