Cisco Pushing 'Cloud Connect' Router Firmware, Allows Web History Tracking

Myrv writes "Reports have started popping up that Cisco is pushing out and automatically (without permission) installing their new Cloud Connect firmware on consumer routers. The new firmware removes the user's ability to login and administer the router locally. You now must configure the router using Cisco's Cloud connect service. If that wasn't bad enough, the fine print for this new service allows Cisco to track your complete internet history. Currently, it appears the only way to disable the Cloud Connect service is to unplug your router from the internet."

Backdoor

[SJHillman]

Does this mean that Cisco routers, by default, have a backdoor enabled that allows the router to phone home for updates and for Cisco to send them back? None of the routers I've ever used (granted, it's been a while since I've used stock firmware) have ever had any sort of "automatic updates", much less one that's turned on by default.

Cisco Routers?

[Nethead]

That's a large field. Is this just the home routers (the old linksys stuff?) I can't see them doing this on enterprise or core routers. The solution is to put it in bridge mode if it's an ADSL router and do your own NAT, etc. with a BSD/Linux box of some type. Run Zeroshell if you want a nice GUI.

Really, this is slashdot. Leave the provider installs and help desks to the punters. If you're reading this there is no reason you should be running what the ILEC initially installed.

Cisco is getting weird. On one side (enterprise) you have to pay through the nose for updates, on the other (home) you can't avoid them.

Before we get our panties all in a bunch, let's wait for some packet sniffs to see what is really going on. Just because the lawyers put it in the EULA, doesn't mean the coders wrote it.

OH BOY!

[slashmydots]

Wooo, a gigantic web-based backdoor with unknown remote login methods and an interception of all internet history tied directly to my company's cisco account with all our personally identifiable information?! WHERE CAN I GET ONE?! And by one, I mean the phone number for the account cancellation department.

By the way, my company actually runs some awful piece of crap from Cyberoam but now I'm slightly happier about that. Thanks, cisco.

Re:wow

[TheGratefulNet]

good comment from a user post:

No persuasian needed. Seriously. The engineer was great and you could TELL he was sincerely apologetic about the issues. I asked him about the whole incident, and he basically hinted at a little war going on within Cisco and the final decision to go ahead with updating people like this was upper management, where the lower pay grades tried hard and fought against the way they did things.

The Engineer simply sent me to a link, the one that is already listed in these threads and gave me instructions on how to revert back to the older firmware with the caveat (and he was apologetic about it - again I could tell he really was sincere) that the old firmware cant be supported. He then proceeded to give me his email address (which I wont give out, sorry) and told me to feel free to contact him with any issues I have. Very cool, very professional, and sincerely apologetic.

I asked if they were being inundated with calls, his simple reply was a sigh and "you have no idea......"

from a user called 'markdr'.

this pretty much sums up the situation, I would guess. the regular guys who write code were not for this but some idiot mgr upstream pushed for it.

I feel sorry for the real engineers there who are forced to do bullshit tasks that they KNOW will piss off their users. I hate this side of software eng. evilness of top level mgrs usually end up winning ;(

Re:Clarifications and Confirmations

[Mashiki]

Well if you work for Cisco Linksys you might want to tell some your lawyers(or drop a strong hint to the middle-management types) to look at this, and quickly before it becomes a major headache. Whoever greenlighted this just violated the privacy act in Canada by automatically tracking web history and pushing this update. I'd hazard a guess in various parts of the EU as well.

Re:FU No Thanks

[torkus]

Let me get this straight. They install an "update" on my router that lets them monitor my internet usage - all without my consent?

I'd say it couldn't possibly be that bad...but the I look to what FB does and shake my head. I like their routers, but there is NO CHANCE whatsoever that I will give a 3rd party my entire house's internet browsing history. You couldn't get me to do that if you gave me a free router AND free internet.

buy soekris hardware instead of cisco hardware

[TheGratefulNet]

get one of these hardware boxes:

http://soekris.com/ [soekris.com]

and run openwall (or whatever you want) on it.

it keeps the money OUT of cisco's hands in both hardware and software. you can trust your hardware (no motivation to do evil spy things on generic pc style hardware) and you can trust your software. no one will force something on you, this way.

my soekris box has been running non-stop (other than moves) for years, literally, 5 years or more. no blown caps, no blown power suplies, no 'china syndrome' electrolytics that are on ALL cisco, netgear, etc style circuit boards) and software that just plain works.

tomato firmware (and similar) are cool, but they require vendor hardware and at this point, I'd just assume NOT give cisco ANY (!) of my money for any hardware of any kind.

Re:Upgrade Instructions for STUPID OWNERS

[UnderCoverPenguin]

So who just plugs in a firewall/router and starts using it out of the box without changing the password and checking over all the settings?

You presume that disabling remote management and automatic updates actually proevents the vendor from remote access to your router.

I did disable automatic updates and remote management. Having just found out about this, I will find out this evening whether they pwned my E3000

Re:Short-term thinking

[captaindomon]

This is right on. The problem Cisco doesn't realize they have is that most of these cheap home routers are maintained by people that also make decisions for purchase on the enterprise side. When Grandma needs to buy a router, she doesn't buy one, she has her nephew (who is so cute and knows so much about computers!) to buy it for her. Her nephew also works in enterprise IT, in many cases. For a perfect example, read the Harvard business cases on Black & Decker, and how they tried to do the same thing and completely destroyed their brand name for professionals.

Re:Upgrade Instructions for STUPID OWNERS

[Gordonjcp]

We (collective we) hoped that we could trust Cisco to be trustworthy as well.

Speak for yourself. It's an American company, what makes you think it's trustworthy?

It's a closed-source binary blob. What makes you think that it's trustworthy at all?

Re:Upgrade Instructions for STUPID OWNERS

[contrapunctus]

I know exactly why Cisco did it, so they could remotely administer routers for "average users". That's not necessarily a terrible thing.

But why do they need browsing history?

Re:Upgrade Instructions for STUPID OWNERS

[Jeng]

Marketing Marketing Marketing

Doesn't matter if it is useful data since Marketing believes that if they have enough data about you that they will be able to create the perfect ad to make you buy a product that you really are not interested in buying.

Re:Government

[Lawrence_Bird]

time for a FOIA request to FBI, NSA,DOJ, etc on their contacts with Cisco on t his topic. When shit comes back redacted, if at all, you'll know whats up for sure.