Cisco Pushing Cloud Connect Firmware to Linksys Routers, Enables Web History Tracking


posted on Jun, 29 2012 @ 12:31 PM
This should be illegal, is a blatant abuse of customer relationships and is horrifying.

Reports of users unable to log in to their EA4500 Cisco routers have started popping up, leading to the emergence of the new firmware that Cisco is automatically pushing out and installing without user permission. Their new Cloud Connect firmware not only removes the user's ability to log in and administer the router locally, the fine print goes so far as to give them abundant access to your entire Internet history.

Everything that you do online:

Cloud Connect Terms of Service.

Currently, it appears the only way to disable the Cloud Connect service is to unplug your router from the internet.


Section 4 of the Terms of Service!

4. Your Responsibilities as a Cisco Connect Cloud User You are responsible for any data that is sent or received by you and/or any other party in connection with your access to and/or use of the Service used in connection with your account. You agree that Cisco will not be liable to you or any others for any loss or damages due to your use of the Service.

As a condition of your use of the Service, you agree that your use of the Service in accordance with the terms and conditions of this Agreement is permitted under and will comply with the applicable laws of the country where you use the Service. You agree not to use or permit the use of the Service: (i) to invade another's privacy; (ii) for obscene, pornographic, or offensive purposes; (iii) to infringe another's rights, including but not limited to any intellectual property rights; (iv) to upload, email or otherwise transmit or make available any unsolicited or unauthorized advertising, promotional materials, spam, junk mail or any other form of solicitation; (v) to transmit or otherwise make available any code or virus, or perform any activity, that could harm or interfere with any device, software, network or service (including this Service); or (vi) to violate, or encourage any conduct that would violate any applicable law or regulation or give rise to civil or criminal liability.

While we are not responsible for any content or data that you choose to access or otherwise use in connection with the Service, we reserve the right to take such action as we (i) deem necessary or (ii) are otherwise required to take by a third party or court of competent jurisdiction, in each case in relation to your access or use or misuse of such content or data. Such action may include, without limitation, discontinuing your use of the Service immediately without prior notice to you, and without refund or compensation to you. You will indemnify and hold us and Cisco Systems Inc. and its affiliates harmless against any claims, losses or damages arising from any threatened, repudiatory or actual breach by you of the covenants set out in this Section. As part of the Service, You will be required to create a password that will enable You to use the Service. Your email address and password will be used to validate Your identity in order to access the Service. When You choose a password, choose a unique combination of letters and numbers unrelated to Your or someone else’s identity or to any information that is publicly available or that may be needed by us to provide the Service to You or to others. If you share information related to the Service with others or allow others to access the Service using Your email address and password, you have no expectation of privacy or confidentiality in the personal information you may intentionally or unintentionally disclose. Therefore, please avoid giving access to these materials to others. You agree to notify Cisco immediately of any unauthorized use of your account or password, or any other breach of security.


While this is currently only on 4 consumer routers (EA4500, EA3500, EA2700..1 more?), this is a horrible precedent. There are reports, however, that if you call up Cisco and complain they will give you a link to the previous (now unsupported) firmware, but to flash it you must disconnect your router from the internet after having downloaded the provided link.

While still connected to the internet, the option to install new firmware is greyed out.

Reddit user who received the update without authorization.

Way too big brother. Way too intrusive, unauthorized and a step towards more draconian corporatocracy.

Boycott Cisco now. Buy a new router, never buy Cisco again or even recommend one to friends or family.

If anyone needs assistance re-flashing an already upgraded piece of Cisc, drop me a PM.

Those of us (and we all should be!) running custom firmware such as a tomato variation, or dd-wrt are not affected.




This might only be the beginning... a test run to "Cloud Connect" all of their routers in the future, either way it's better safe than sorry. You can take your Cloud and stuff it where the sun don't shine Cisco. Flash to a custom firmware now if you can.
edit on 29-6-2012 by seaez because: mo info



posted on Jun, 29 2012 @ 12:34 PM
Thanks for this. Will definitely look into it.



posted on Jun, 29 2012 @ 12:38 PM
flat out hate the newer cisco routers. default guest account w/ Required password. no admin panel means of actually disabling it altogether. recently bought out dlink/linksys [don't recall exactly which] and have since turned their previously reliable products into the same jump through hoops, screwed up, craptastic admin panels as well.



posted on Jun, 29 2012 @ 12:41 PM
This is a normal process when it comes to industry standard routers.

I hardly know any people who have a huge Cisco router at home, many of them are in the 10-20k price range or above that.

Working for a huge IT company ( Around 120.000 employees world wide ) I can assure you that there are interfaces that allow 3rd parties to access your equipment through their very own ports and services.

I admit that pushing a firmware onto your routers would be a step further, especially when it comes to consumer grade network interfaces, but it wouldn't really come as a huge surprise to me if they did.

But if you are worried about that, here's a short read that will make you re-consider your priorities:


Be aware that harddisks are quite intelligent beasts those days. They transparently remap defective blocks. This means that the disk can keep an albeit corrupted (maybe slightly) but inaccessible and unerasable copy of some of your data. Modern disks are said to have about 100% transparent remapping capacity. You can have a look at recent discussions on Slashdot. I hereby speculate that harddisks can use the spare remapping area to secretly make copies of your data. Rising totalitarianism makes this almost a certitude. It is quite straightforward to implement some simple filtering schemes that would copy potentially interesting data. Better, a harddisk can probably detect that a given file is being wiped, and silently make a copy of it, while wiping the original as instructed. Recovering such data is probably easily done with secret IDE/SCSI commands. My guess is that there are agreements between harddisk manufacturers and government agencies. Well-funded mafia hackers should then be able to find those secret commands too. Don't trust your harddisk. Encrypt all your data. Of course this shifts the trust to the computing system, the CPU, and so on. I guess there are also "traps" in the CPU and, in fact, in every sufficiently advanced mass-marketed chip. Wealthy nations can find those. Therefore these are mainly used for criminal investigation and "control of public dissent". People should better think of their computing devices as facilities lended by the DHS.


I promise you there's a backdoor implemented from vendor side into each and every major component of your PC allowing for quick access for government agencies or police investigations. Of course that's mainly for high profile targets, not to check out the average joe ... but you get the picture.



posted on Jun, 29 2012 @ 12:43 PM
reply to post by 12m8keall2c
 


Just get any router with more than 4 MiB ROM storage and put a Linux firmware on it ...



posted on Jun, 29 2012 @ 12:45 PM

Originally posted by 12m8keall2c
flat out hate the newer cisco routers. default guest account w/ Required password. no admin panel means of actually disabling it altogether. recently bought out dlink/linksys [don't recall exactly which] and have since turned their previously reliable products into the same jump through hoops, screwed up, craptastic admin panels as well.




I agree wholeheartedly. They also enable Remote Management and Automatic Updates by default. The least one should do is disable these.

I run a Linux-powered WRT54GL with custom firmware (overclocked CPU to 240 MHz hah) and used to recommend those blue little beasts to anyone serious about security and performance.

No longer.

To say they've gone downhill is an understatement, they are jumping off cliffs by my reckoning.



posted on Jun, 29 2012 @ 12:49 PM
reply to post by H1ght3chHippie
 


Seems it's referring more to the home/home office/small business routers like that which you would find at Staples, Office Depot, BestBuy, etc ... not business-class or enterprise-level equipment.

While it may ultimately prove to be the 'way of the future', I'm still not really keen on the whole cloud computing/storage dealio ... too much, many security aspects that are far from 'ironed out' just yet. imo



posted on Jun, 29 2012 @ 12:57 PM
So, if I have this straight, the router isn't exactly backdoored, but has a program (much like a root kit) that establishes a connection with Cisco's data centre when it's switched on.
Now, if CloudConnect is based in the US, it's technically subject to last year's Patriot Act revision that allows warrantless access to whatever data the router's sending to the data centre. Either that, or Cisco can provide access to the router itself on request.



posted on Jun, 29 2012 @ 01:00 PM

Originally posted by H1ght3chHippie
This is a normal process when it comes to industry standard routers.


No, it is not. I am a Network Engineer. Cisco does not push anything remotely to our Cisco routers, nor does Avaya (previously Nortel Networks), Juniper, or 3com.

Perhaps consumer BS, but industry standard routers not on your life. Or mine, as the person responsible for 30,000+ IP phones and e911 systems.

Backdoors? Sure, hardware companies (3 letter agencies as well) have them, there's even algorithms built in where if you know them, the year month and serial number, you can get a Root password in. But standard to UPGRADE YOUR FIRMWARE!? No. Did I mention that yet? No.



I hardly know any people who have a huge Cisco router at home, many of them are in the 10-20k price range or above that.


10-20k? I've been involved with the beta program for the past year and now have been rolling out these lately: Vsp9000s

Let's just say 10-20k won't get you a Single Blade, let alone the chassis or modules needed to fill it.



Working for a huge IT company ( Around 120.000 employees world wide ) I can assure you that there are interfaces that allow 3rd parties to access your equipment through their very own ports and services.

I admit that pushing a firmware onto your routers would be a step further, especially when it comes to consumer grade network interfaces, but it wouldn't really come as a huge surprise to me if they did.


Access is one thing my friend, completely flashing the firmware (think Embedded Operating System) is another.


But if you are worried about that, here's a short read that will make you re-consider your priorities:


Believe me, my priorities are in the right place: looking out for those who do not have the knowledge I do and helping them if I can.



I promise you there's a backdoor implemented from vendor side into each and every major component of your PC allowing for quick access for government agencies or police investigations. Of course that's mainly for high profile targets, not to check out the average joe ... but you get the picture.


You are missing the point. It's not about targeted inference any longer, if they want info from you they will get it. Now it is analysis of the herd, mass trends and information that is gold... that's if used responsibly.

If they will do this to their Customers, not as an opt-in but as a difficult to opt-out with scary words like "unsupported" to the average Joe if they try to opt-out, or not even telling them to begin with. I do not consider them responsible.



posted on Jun, 29 2012 @ 01:05 PM

Originally posted by XeroOne
So, if I have this straight, the router isn't exactly backdoored, but has a program (much like a root kit) that establishes a connection with Cisco's data centre when it's switched on.
Now, if CloudConnect is based in the US, it's technically subject to last year's Patriot Act revision that allows warrantless access to whatever data the router's sending to the data centre. Either that, or Cisco can provide access to the router itself on request.


Scary eh? Not to mention possible Bandwidth implications.... but like I said earlier, to be honest it's not about the 3 letter agencies here, it's about harvesting information. Those agencies will have your info ten ways from Sunday if they want it (and they already do have it believe me).... Private companies on the other hand? They are drooling for the info that FREE sites like Facebook and Google collect and monetize, that's why they offer services for FREE.

But to sell you hardware, then try to claim sovereignty to all data and info passing through it!?

The nerve of these people... this is the start of a new war against the consumer..



posted on Jun, 29 2012 @ 01:06 PM

Originally posted by seaez
Now it is analysis of the herd, mass trends and information that is gold


Information - The highest valued commodity in the world nowadays.

not just intel, credit, purchasing, etc and the like.

Social, habits, "likes", "dislikes", "friends", "foes" and the list goes on and on.

hence why I'm not too keen on the whole cloud dealio.

Hell ... they don't even have to bother looking for it anymore, people give it to them freely on a daily basis - all they need.



posted on Jun, 29 2012 @ 01:20 PM

Originally posted by seaez
Scary eh? Not to mention possible Bandwidth implications.... but like I said earlier, to be honest it's not about the 3 letter agencies here, it's about harvesting information. Those agencies will have your info ten ways from Sunday if they want it (and they already do have it believe me).... Private companies on the other hand? They are drooling for the info that FREE sites like Facebook and Google collect and monetize, that's why they offer services for FREE.

But to sell you hardware, then try to claim sovereignty to all data and info passing through it!?

The nerve of these people... this is the start of a new war against the consumer..


And that's not the only scary thing. It's funny how Cisco drops the word 'secure' into its marketing stuff isn't it? The router is a very complex beast, and in network security it's something to watch very closely. If anyone broke into a router, the network behind it gets practically raped. Even with a half-decent auditing procedure in place, we could potentially be talking about a month before it's discovered the perimeter firewall's been disabled. My money's on this happening sooner or later.



posted on Jun, 29 2012 @ 01:38 PM

Originally posted by XeroOne

Originally posted by seaez
Scary eh? Not to mention possible Bandwidth implications.... but like I said earlier, to be honest it's not about the 3 letter agencies here, it's about harvesting information. Those agencies will have your info ten ways from Sunday if they want it (and they already do have it believe me).... Private companies on the other hand? They are drooling for the info that FREE sites like Facebook and Google collect and monetize, that's why they offer services for FREE.

But to sell you hardware, then try to claim sovereignty to all data and info passing through it!?

The nerve of these people... this is the start of a new war against the consumer..


And that's not the only scary thing. It's funny how Cisco drops the word 'secure' into its marketing stuff isn't it? The router is a very complex beast, and in network security it's something to watch very closely. If anyone broke into a router, the network behind it gets practically raped. Even with a half-decent auditing procedure in place, we could potentially be talking about a month before it's discovered the perimeter firewall's been disabled. My money's on this happening sooner or later.


Too true, persistent threats like Ghostnet, fake Cisco hardware with potential backdoors - maybe Cisco was thinking if someone's already gathering info from their namebrand, they should get in on the bandwagon. I'd torch the bandwagon if I could - just to name a few...

Scary world out there, and like most things: the more you know, the more you realize you don't know.

IDS systems are one way to mitigate threats, but not foolproof. Only true security online, is pulling the plug and not being online. But.. while this is the risk / tradeoff for rewards of having untold information at your fingertips (if you know where to find it), endless entertainment and instant communication, companies such as Cisco should be helping us fight the good fight, not starting their own campaign for dominion over the information.

If you are not part of the solution, you are part of the problem or some jazz like that.



posted on Jun, 29 2012 @ 02:28 PM
reply to post by seaez
 


Maybe I didn't express myself precisely enough. I said the access options to these devices are a common thing, pushing new firmware on it without giving you a heads up would indeed be unheard of up to now, but I also said I wouldn't be surprised if they started using these access points for this purpose now. I can imagine support contracts that would shift most of the administration of network components to vendors or even 3rd party support companies.

In case of a router the network admin of the company who bought the routers would limit his interactions with the router to things like setting up routes and IP ranges all that daily occurring admin stuff, while the vendor guarantees the service and uptime of the machine, with things like firmware falling into their responsibility.

Companies are doing the same with file storage too, hosting it in clouds of 3rd parties etc .. they don't really have an influence what the cloud provider is doing in terms of operating system or drivers used in order to provide the cloud, so yes, I think the trend will also go into that direction with routers and other networking components. The advantage for the companies is saving big bucks, and the advantage for the Elite is that everything is centralized and directly accessible.

And for the home user ? Let's face the reality, 90% of DSL home users are too frickin' stupid to set up any router, unless it comes pre-configured with a nice gui and a good manual. And the majority of them are happy to get it working to the point where they have access to the interwebz and leave it at that. Since you are obviously well versed in networking technology, I certainly don't need to tell you that an nmap scan of random ip ranges on dsl IP's, looking for web-open admin panels with default passwords will provide shocking results, so why not let Cisco take care of improving their security.

If someone, like you and me for example, doesn't like the idea of having someone messing around with your precious setup you can always use a linux router firmware of your taste and do as you like.



posted on Jun, 29 2012 @ 02:34 PM
reply to post by 12m8keall2c
 


I explained in detail in my above post why I think it may not be *that* bad of an idea to have vendors have access to security relevant functions in home user products.

I agree wholeheartedly though with being anti-cloud. I can imagine a time in the far future ( when I put my pink sun glasses on ) when things like greed and mistrust and corporate exploitation and even money will be a thing of the past, and THEN I would support the idea of putting the entire knowledge of the human race into a huge cloud, where everything is accessible for everyone at anytime. But until then there's no way in hell I would entrust strangers with hosting my personal or even corporate data.

ETA: Seriously, if you don't already do so, start using Linux and create your own router firmware. There's tons of flavours to choose from and you will never have to worry about #ty admin panels ever again because you can simply make them yourself. They're basically html pages with cgi or ajax scripts that you can also write yourself.


edit on 29-6-2012 by H1ght3chHippie because: (no reason given)



posted on Jun, 29 2012 @ 03:10 PM


I certainly don't need to tell you that an nmap scan of random ip ranges on dsl IP's, looking for web-open admin panels with default passwords will provide shocking results, so why not let Cisco take care of improving their security.


Fair point, but the admin interface for a router shouldn't even be accessible from outside the network, let alone from Cisco's web site or whatever. Even the default settings on most routers normally provide some level of security, and the general inability to disable those settings from outside the network has provided a little bit of protection. For example, even having a crappy firewall set to 'Internal/Home Network' instead of 'DMZ' would make a huge difference.

By the way, I have played with the micro versions of DD-WRT, which is all my 'enterprise' class router supports, as I inadvertently bought a version with only 2MB Flash. I'll replace that when I get round to it, though.
edit on 29-6-2012 by XeroOne because: (no reason given)



posted on Jun, 29 2012 @ 03:25 PM
reply to post by XeroOne
 



Yeah 4 MiB is the minimum to flash it with a current distro. But I also played with the idea of using a netbook sooner or later as a worthy alternative to a router. That way you can set up a full BSD or Linux install on it, and route all your traffic through it, while having a cute small screen for just routing / firewall / IDS purposes. Still looking for a netbook with at least 2 100Mbit, yet better 1Gbit ethernet cards and thus two network ports as well. WLAN is not an option for me, I'm too paranoid ( Plus I think it messes the inner workings of your cells up but that's stuff for a whole new discussion .. ). While I'm typing this I'm tunneling my traffic through one software firewall and two hardware routers / firewalls with a snort IDS in the background lol

edit on 29-6-2012 by H1ght3chHippie because: (no reason given)



posted on Jul, 6 2012 @ 01:05 PM
I have a 5 year old, basic 5 port Linksys router and have not received any update notifications, optional or otherwise.
The last time I upgraded the firmware, I did so here.

OpenWrt



