Cisco’s ugly bait and switch


Cisco’s ugly bait and switch

Can a network security vendor that betrays its customers ever be trusted again?

Follow @pvenezia

You may have heard about Cisco’s shenanigans last week, in which an automatic firmware update for several models of the company’s Linksys home wireless routers forced users to create and log into a Cisco cloud service account to manage their router. In addition, some previously available functionality disappeared in the update. I cannot fathom how a company whose reputation is built on its tech savvy could concoct such a disaster of a scheme. And it gets worse.
The terms of service users are required to accept (in order to operate a router they’ve already bought) gives Cisco the right to monitor and track information about your Internet usage. The language also hints that if you download copyrighted files, or obscene or pornographic images, Cisco could potentially brick your router.
[ Also on InfoWorld: Teach your router new tricks with open source alternative DD-WRT. | Get expert networking how-to advice from InfoWorld’s Networking Deep DivePDF special report and Technology: Networking newsletter. ]
A network intrusion
In the intervening days since the discovery of this disgusting display of corporate thuggery,Cisco has backtracked. The company promises to modify the terms of service to remove some of the more egregious language, but as ExtremeTech points out, that doesn’t matter — Cisco can still update those terms at any time. Cisco has also provided a way to downgrade affected devices, but that leaves users without an upgrade path in the future. It’s actions like this that make open source solutions all the more attractive.
The long and the short of this is that everyone loses. Anyone who purchased one of these routers has an essentially orphaned device on their hands. What Cisco sold them for hundreds of dollars is no longer the same device it was prior to this action. The hardware hasn’t changed, but the service, support, and functional environment has been compromised. Given that these routers are still actively for sale, one might think Cisco could be taken to court over some breach of the law.
Imagine if you bought a toaster, and after a few months of normal operation, the manufacturer came to your house and removed internal parts so that it no longer toasted properly. And while they were there, they forced you to agree to let them monitor your kitchen and potentially deactivate the toaster if they didn’t like what they saw. It’s lunacy.
This blatant technical malfeasance needs to be crushed early. The backlash against such corporate actions has to be massive in order to dissuade these scenarios from playing out in other areas. A similar, highly publicized case was VeriSign’s Site Finder debacle back in 2003. As soon as VeriSign turned on Site Finder, the Internet exploded into a rage as mail started bouncing for no reason, applications began failing, and massive amounts of information destined for other places wound up on VeriSign’s doorstep. For instance, if you made a typo in the address of a sensitive email, that message was delivered to VeriSign instead of bouncing back as undeliverable. It was a catastrophe for Internet users and inflicted much to damage to VeriSign’s reputation (which wasn’t great to begin with).
The devil you don’t knowThese cases highlight the lag between regulation and technology. Prior to the past decade or so, the idea of a manufacturer purposefully breaking a product after purchase in order to spy on you and profit from that information was so outlandish, there was no need for concern. We’re now living in a world where it could easily be done clandestinely.
In Cisco’s case, the company opted for a public and amazingly ham-handed reveal, enraging the customers who noticed immediately. Even so, it’s guaranteed that most owners of these routers remain blissfully unaware. The next company to try a similar action may not be so overt.
There are those who might argue that Google and others track your actions too, and you essentially agree to it by using their services. True — Google and other tracking networks can see some sites you visit, but they cannot see everything you do on the Internet. On the other hand, your router sees all: every packet, every protocol, every detail.
The prospect of a large multinational corporation surreptitiously installing spyware on your router is highly disturbing; that this same company produces a vast amount of the network hardware in use throughout corporate infrastructures the world over makes it worse. While I don’t think this consumer-level chicanery will have a significant impact on Cisco’s corporate market, it’s definitely put a dent in the company’s reputation. Trust, once lost, is tough to regain.
The fact is, customers purchased a Cisco security device to protect their computers and information from harm — too bad it couldn’t protect them from Cisco itself.
This story, “Cisco shows true face in ugly bait and switch,” was originally published Read more of Paul Venezia’s The Deep End blog at For the latest business technology news, follow on Twitter.