E2700, E3500, E4500 'cloud' routers affected, rollback possible

Router and switch maker Cisco recently pushed an automatic firmware update on some of its routers that forced users to sign up for a new service, and also mandated a less-private "shrink wrap" EULA at the same time, outraged users report. Internet forums lit up about both the firmware update and privacy document, which suggested Cisco could track and share information about users' Internet usage, such as sites visited, data quantities sent and received, and "other information" in the interest of improving service quality.

Users of the E2700, E3500, and E4500 routers that did not specifically opt-out of the automatic upgrades found themselves asked to log in to the newly launched Cisco Cloud Connect service with no notification of the change. Power-cycling the router restored the old login and password, but also crippled the router by removing or changing control of a number of advanced functions, such as port forwarding, DMZ application, and parental controls.

On June 27, On June 27, Cisco's privacy statement in a "shrink-wrap" license with the upgrade was changed to read: "When you use the Service, we may keep track of certain information related to your use of the Service, including but not limited to the status and health of your network and networked products; which apps relating to the Service you are using; which features you are using within the Service infrastructure; network traffic (e.g., megabytes per hour); internet history; how frequently you encounter errors on the Service system and other related information ('Other Information')." This sentence has been removed entirely from the current version of the security policy.

A new clause was added to the privacy policy near the end of the document -- Cisco reserves the right in some circumstances (determined by Cisco) to automatically update its routers, regardless of the auto-update setting.

Cisco Systems reported that the privacy policy for the Cisco Connect Cloud service was a mistake, and has been removed, but the auto-update provision remains. Should users remain with the new service, provisions exist in the EULA to forcibly disable the routers by disconnection from the Connect Cloud service should they be used for illicit purposes, at the sole discretion of Cisco.

Should the routers be used for "obscene, pornographic, or offensive purposes, to infringe another’s rights, including but not limited to any intellectual property rights, or… to violate, or encourage any conduct that would violate any applicable law or regulation or give rise to civil or criminal liability," Cisco reserves the right to "take such action as we deem necessary or are otherwise required to take by a third party or court of competent jurisdiction, in each case in relation to your access or use or misuse of such content or data. Such action may include, without limitation, discontinuing your use of the Service immediately without prior notice to you, and without refund or compensation to you."

An administrator on the Cisco Home Community forum provided information on how to downgrade the routers' firmware, and how to opt-out of future automatic updates. Cisco warns, however, that the 'advanced features' of the routers won't be available if the upgrade is not performed.

By Electronista Staff

Post tools:

TAGS :  

security, peripherals, networking, Cisco