Cisco and the undesirable consequences of automatic firmware updates
Harmless kerfuffle? Abuse of corporate power? Enablement of Big Brother? No matter what you call it, Cisco’s recent firmware updates to its Linksys home routers are troubling.
According to a story published on ExtremeTech by Joel Hruska, “Cisco’s cloud vision: Mandatory, monetized, and killed at their discretion,” Cisco pushed out a firmware update to some models of its Linksys routers for homes and small businesses. One effect of the firmware update is to move administration of the routers from a local application to a service on Cisco’s Connect Cloud services.
This means that router owners must now sign up for Connect Cloud in order to manage their routers, but the Cisco terms of service for the cloud service give lots of power to Cisco.
Hruska’s story says that Cisco has changed the terms of service after a firestorm of customer complaints. As of July 5, they contain lots of clauses about the type of traffic that you can use on your home network. They also say,
You agree that Cisco may suspend or terminate your access to the Service without notice if (a) Cisco suspects or determines that you have violated this Agreement, (b) Cisco determines that your actions cause Cisco to be in violation of any agreement or policy needed to run the Service or (c) Cisco is required to do so by any court or government authority in any country. You agree that Cisco will not be liable to you or to any third party for any suspension or termination of your access to the Service as a result of any threatened or actual violation of this Agreement.
Cisco may, upon such termination, deactivate or delete your account and any related data, information, and files, and bar any further access to such data, information, and files through use of the Service. Such action may include, among other things, accessing your data and/or discontinuing your use of the Service and any and all rights granted to you in connection with the Service without refund or compensation.
Note that if Cisco kicks you off Connect Cloud, you will not be able to administer your Linksys router. While you might lose control of your router, Cisco doesn’t care about that issue. How about this section of the Cisco Connect Cloud Supplement to the Cisco Privacy Statement:
Cisco Connect Cloud software is updated from time to time to provide additional features, address technical issues, and generally make your user experience better. We may add to or upgrade the Service to provide you with new features on an ongoing basis. We may also make available new services in the future. New services provided by third parties or service providers will be governed by the privacy policies of the respective third party or service provider. The Service automatically checks for updates to the firmware/software to help keep your network running at a peak performance and provides alerts as to the latest firmware/software. The auto-update feature offers the ability to download the next available version in the background. Cisco Connect Cloud offers the auto-update feature by default, but you can change your auto-update options by changing your settings within Cisco Connect Cloud. By leaving the auto-update feature as a default, however, you will avoid disruption to your home network and overall Internet connectivity. In some cases, in order to provide an optimal experience on your home network, some updates may still be automatically applied, regardless of the auto-update setting.
In other words: You purchased the router, but Cisco may decide to push new software or change its functioning at any time – including installing third-party software without your knowledge or permission, or without giving you the opportunity to review those third parties’ privacy policies. And of course, Cisco itself can change its privacy policy at any time.
Remember, we are talking about a network router here – something that sees every packet on a home or small business network. And Cisco is accused of helping the Chinese government build the “Great Firewall of China” to help it spy on its dissidents. What else might it do?
While automatic firmware updates are certainly convenient, the fact that you can’t turn them off is worrying. Personally, I wouldn’t buy a Cisco router. But who else can push firmware updates to your technology without your knowledge or permission? This, sadly, is the future.
A good firewall should generate email alerts, too, at least for critical events.