Cisco Update

Has anyone seen this yet? Looks like Cisco was forcing people to join its Cloud service through an update for its consumer level routers.

http://www.neowin.net/news/cisco-locks-users-out-of-their-routers-requires-invasive-cloud-service

-Mario Eirea

For those of us who have not kept up with every latest feature that Cisco rolls out across all its platforms, can someone explain this new service? Is it like Windows update, where Cisco will auto-update your router s/w and thereby brick it? If I don't register my router with Cisco, what do I lose? I can't update it manually?

-Hank

And what happens when your *cough* "router" isn't actually on the
Internet? How can it be managed and upgraded on a regular old network?

... JG

Long story short, the affected routers (newer "Cisco" [former Linksys] consumer products) received an automatic firmware update which basically disables the device's onboard web UI and forces you to use Cisco's "cloud" management system. The biggest issue with this is that apparently it has some function, possibly for web filtering, which sends network traffic information of some sort to Cisco's service. They also state that regardless of the auto-update setting a device may be updated anyways if Cisco says so.

One article I found says it affects the E2700, E3500, and E4500 models.

If there is no internet connection, you get a very limited page that's apparently only really good to get you back online.

Routers are sometimes used on networks that don't have internet connectivity [by design]. This seems amazingly short-sighted for a company that's been around selling routing gear as long as Cisco.

Not to defend Cisco's idiotic decision, but in this case the devices in question are extremely unlikely to be used in such a situation as they are consumer/SOHO products. The vast, overwhelming majority of these will be installed as the primary and/or only piece of network hardware other than the modem. I'd imagine that anyone who knows enough to care about a non-connected situation was never considering these devices in the first place.

Frankly for the Joe Sixpack market I can't argue against the autoupdate idea itself, as outdated consumer routers probably account for a large percentage of the exploitable Linux systems out there, but the "cloud" tie in and privacy issues are clearly not well thought out.

In a message written on Thu, Jul 05, 2012 at 03:51:40PM +0000, Mario Eirea wrote:

Has anyone seen this yet? Looks like Cisco was forcing people to join its Cloud service through an update for its consumer level routers.

Perhaps going right to the source would be educational:

http://home.cisco.com/en-us/cloud

The short version appears to be Cisco wanted to move to a model
where you could manage your home gateway remotely, and also store
settings that may (in the future) be able to be reused if you
replaced your device. All in all it sounds a lot to me like Meraki's
solution (caveat, I've not used Meraki, just gotten the presentation).
There's probably even a market for this sort of service.

Where they appear to have gone horribly wrong is that several models
of Linksys routers with "auto-update" enabled downloaded this update and
moved to this new management model with no user intervention, notice,
or method of being downgraded. Thus folks who didn't want these
features and may not have upgraded to them were caught by surprise, and
have been effectively forced to take the new features due to a lack of
downgrade path.

Technology wise it's pretty non-interesting. Others have been doing
similar things.

From a customer relations point of view it's a total disaster, and
one that should have been entirely predictable.

I was never much of a fan of Linksys pre-Cisco, but post-Cisco it seems
to be in a non-stop downhill slide...

Technical users could always just flash DD-WRT onto the device and replace the Linksys/Cisco firmware; then you have a much more robust system without any big brother stuff.

Keep in mind, that to receive the update, the router has to be connected to
the internet. So routers that are not connected to the internet by design
will be unaffected.

-Grant

Technical users could always just flash DD-WRT onto the device and replace the Linksys/Cisco firmware; then you have a much more robust system without any big brother stuff.

Or Cisco could just omit the big brother stuff.

This is not a technological failure. In fact, automatic updates of
router firmware are overdue. Good job on that front.

It is the implications of your router dictating to you what sort of
uses might be acceptable and what is not that's troubling, and that
seems to have happened on several levels in this product.

... JG

This is what has me thinking about shorting Cisco stock. When the legal
implications of this hit the FCC <http://www.fcc.gov/>, EFF <http://www.eff.org>,
or here in Canada the CRTC <http://www.crtc.gc.ca>, the shouts will begin.
This breaks all sorts of regulations about privacy and I'm sure a few other
product sales laws in the different countries where the products are sold.
Interesting times we live in....

cheers
Jeff

dd-wrt or openwrt are your friend on those devices. 8)

Looks like they've modified their privacy policy in the last few days,
but from what I understand it was originally pretty bad, including the
collecting of users' history and:

[...] right to shut down the users' account if it finds that they have
used the service for “obscene, pornographic, or offensive purposes, to
infringe another’s rights, including but not limited to any
intellectual property rights, or… to violate, or encourage any conduct
that would violate any applicable law or regulation or give rise to
civil or criminal liability,” as well as comply with the orders it
receives by "a third party or court of competent jurisdiction" if the
user has been found violating those terms. [...]

I haven't really kept up on consumer-grade networking; who out there
presents a reasonable challenge to Cisco these days?

I suspect it'll be "Corporations control Internet and our private
life" well before tomorrow. Domestic operators have done that for ages with
their branded routers and AFAIK DOCSIS is unimaginable without (part
of) this functionality. I went berserk when I discovered such a checkbox
in my home router; two days later I checked it on again and never
looked back. How often do I check for firmware upgrades for my
home router? Almost never. Do I back up my config? No. Do I disassemble
the binary blob before an upgrade? No. And I consider myself an above-average
Internet user. It doesn't really matter how I brick my hardware, and
implementing authentication on the vendor site to download the
firmware does a better job of gathering sensitive data, honestly.
Automatic updates are pretty much a common feature these days; it's
good to know what it means for a user but it is hardly game-breaking.

I see.

Replace "local access" control with "let anyone on the internet reconfigure the thing". Whoever's idea it was should be p*ssed on, keelhauled, drawn and quartered, then burned at the stake.

I see.

Replace "local access" control with "let anyone on the internet reconfigure the thing". Whoever's idea it was should be p*ssed on, keelhauled, drawn and quartered, then burned at the stake.

It'll get real interesting when Cisco's cloud database is breached and
some weakness in the password encryption is discovered.

... JG

Significantly faster and with far fewer bugs than the Cisco/Linksys as well.

What encryption? Web stuff was probably built by a consultant using an
open source database store :)

Jeff

[snip]

Will the users' passwords even matter, if a compromise of the
database allows an intruder to make a system-wide change to end users'
equipment, such as delivering a compromising configuration change, or
a "patched" firmware update that deactivates cloud service and
turns them all into botnet nodes under exclusive control of the
compromiser?

Hopefully Cisco thought that stuff out, but password encryption
weaknesses at least are easily addressed by forcing all users to reset
pw, and requiring a proof of physical access to the unit.