¡Órale, Cisco! ¿Eres mi amigo?

About 2 months ago, Cisco pushed to its consumer-grade routers a firmware upgrade that stripped away the ability to log into and configure the routers locally. Instead, consumers thus upgefirmed were treated to a Cloud Connect signup page where they could establish an account that would centralize management of consumers' routers in Cisco's servana.

By the fifth of July, Cisco had backpedaled. "Did we say mandatory? Did we push that firmware? Oopsie. Our bad." They then made it clear that any consumer could opt out and maintain local control of his consumer-grade router by simply following the friendly instructions, which begin "We are sorry to see you downgrading to our Classic software (non-Cloud)…."

Now, via Ars Technica, comes word of the latest fad in centralized management of the people's resources.

…wireless researchers in Germany proposed a way to improve the communications abilities of first responders…: creating an “emergency switch” that lets government employees disable the security mechanisms in the wireless routers people have set up in their own homes. This would allow first responders to use all the routers within range to enhance the capabilities of the mesh networks that allow them to communicate with each other.

…The residents’ wireless traffic would still remain private, in theory…..

This even though bandwidth is already set aside for that purpose.

I, for one, regret that I have but one subnet to allocate for my country. But just to hedge, I'll be printing up a selection of bumper stickers and t-shirts featuring salient slogans:

Think globally

Killswitch locally

Government is Just a Name for the Things

we relinquish to nonaccountable bureaucracies

It Takes a Village

To Distributively Deny a Service

We Don't Need To Show You No Stinking Passwords

since you already have root

Anyhow, I'm all for it. First Defenders, after all. And The Children.

What could possibly go wrong?

Last 5 posts by David Byron


  1. says

    I wonder how difficult it would be to code something that would detect such tampering with your router, and then force it to power off or otherwise render itself useless.

    It shouldn't be hard to have, say, a power strip which connects to your computer via USB, and which could be flicked off based on a command sent from your computer to that strip. This could power down a router, external hard drives, or even the computer itself if a particular condition is detected.

  2. John David Galt says

    How can anyone have possibly thought they could get away with this? Can anyone possibly not believe that the data on your home (or portable) computer counts as "houses, papers, and effects" in the Bill of Rights?

    If the courts are not willing to give us a right of privacy there, it may be just about that time in the course of human events….

  3. says

    @JDG I'm sure there would be a "guest permissions only" provision in which the flipper of the suitably engineered toggle promises to avert his gaze.

  4. says

    I use a $400 linux box as my router, and then I put in a wifi card that can be put into access point/master mode. No kill-switch for me unless it's upstream, no free rider, looking into putting in a secondary public SSID.

    Not that I am in a big city area where it would do the most good.

    The answer to buying appliances that have such nonsense in them is to not buy those appliances. It takes a little more thought, or knowing someone like me who knows how to read a manual and is willing to set things up for you. Not for everyone, sure, but if you want to do more than vent a little outrage then you can replace what you don't like with something you can control…

    So far anyway, coming soon is the Microsoft-locked UEFI boot loaders for "windows compatible" computers.

    They might as well right? I mean locking the boot loaders worked for Apple and the cell phone manufacturers… Might as well do it for the PC market since the frog is already simmering.

  5. says

    The above is the series of bumper stickers I made up twenty-some years ago whilst living in the Maryland/DC/Virginia area. I never actually made them because twenty-some years ago, before the internet, that wasn't a reasonably priced possibility.

    I call these, the "I would never actually put these on my car while living in "the south" because it would have been vandalized constantly" series…

  6. Yar Kramer says

    @Robert White: My favorite skewering of that subject is "Jesus Saves! The rest of you take full damage."

  7. Grifter says

    @M..: they're easy to make! Crumpets and connects are cheap, and then all you need is a box o' wire!

    To everyone: I understand this idea. On scene, if we do a 12 lead, our only options are to use a dodgy phone modem to transmit, or rely on our judgment, and not everyone can be trusted to be competent. That said, I don't think it's a GOOD idea. This is a situation to something that's only a problem because of outdated, cheap tech. But then, Germany's had more than its share of bad ideas.

  8. Shane says

    You guys all missed the point on this one. What happens if it is not a first responder that just kill switched you? OMG I'm late (again) for work. People have this strange heuristic that only allows them to think that things will be used lawfully.

  9. Grifter says

    That's the punchline to a long joke about Satan accusing Jesus of cheating in an essay writing competition!

  10. Adrian Ratnapala says

    Random Encounter Said

    Germany is not subject to the US Constitution. That's how.

    True indeed! But astonishingly, it is subject to to the German Grundgesetz, which says among other things:

    (1) Das Briefgeheimnis sowie das Post- und Fernmeldegeheimnis sind unverletzlich.
    [(1) The privacy of correspondence, posts and telecommunications shall be inviolable.]

  11. Joe Pullen says

    @wgering @M – a long ethernet cable is not the answer to the real issue.

    One thing that always amazes me is how many people do not change the password for the admin login on their router at home. It's basically the same as keeping the house key under the front doormat.

  12. Joe Pullen says

    Ciscotration (n.): The use of centralized cloud management of router configurations which renders the user's router security impotent for an indefinite period.

  13. Grifter says

    @M: The Xbox wifi adapters are pretty cheap, you can pick one up for less than 40 bucks 'round here, plus I think technically you could use non-branded ones which are probably cheaper. That's what Mrs. Grifter uses in the bedroom for her Xbox until I am authorized to start a new project (all our phone outlets are actually Cat5 that goes through a crawlspace out to a phone box I'll never use…). An adapter's probably cheaper even than a roll of cable, crimpers, and connectors (apologies for the typo in my earlier post…it wasn't meant to be Crumpets…stupid phone keyboard with its autocorrect)

  14. says

    @Grifter: Thank you! I actually had no idea that such a thing existed. I'll try to find one on Amazon and buy it via Popehat. I am surgically attached to the 'Mass Effect' series, so that's going to make everything waaaaaay less annoying.

  15. wgering says

    @M: I hope you just need a hookup to get the DLC. The multiplayer in ME3 was kinda bollocks. Shadow Broker was great though.

    @Joe Pullen: so where in the pipeline is the killswitch? I'm jacked directly into my modem, so wouldn't I not be affected by something in the firmware of the router I don't use?

  16. James Pollock says

    wgering, it depends on the setup you actually have (which almost definitely does not include a modem if you have broadband Internet). Most people have a router, some have a bridge. Many also have a consumer appliance that combines a router, firewall, wireless access point, 4 or 5 port Ethernet switch, and NAT/DHCP server. If that's what you have, then they can copy (but not necessarily read) all of the traffic you send and receive on the Internet, degrading your service by up to 66% in the process. If you ONLY have an Ethernet bridge (commonly called a "broadband modem" even though it's not a modem), then they probably won't be interested, as it's the wireless access they want.

  17. Grifter says

    Weird. I will assume I did something weird and wrong with a tag or something.

    I was just replying to James Pollock that I believe it is properly called a "network bridge and modem", so calling it a "cable modem" is perfectly appropriate, and an "ethernet bridge" usually is strictly for ethernet systems, not for bridging to an entirely different type, and not for signal conversion (coax to ethernet and vice versa).

  18. James Pollock says

    A "modem" is a device that converts digital signals to analog ones and vice versa, but broadband Internet signaling is all digital. So, while yes, you can call the device that connects your local network to your cable service's broadband Internet service a "cable modem", and many people who should know better do exactly that, it still isn't actually a modem.
    An "Ethernet bridge" (note that Ethernet is a proper noun, and thus capitalized) is a bridge that connects something that is Ethernet to something else, which may be Ethernet or may be something that is not Ethernet. The terminology gets complex fairly quickly; for example a bridge that joins an Ethernet network to an 802.11 wireless network is called a "wireless access point". There ARE bridges that connect different kinds of Ethernet to each other, but they're usually called "switches", which is confusing for people who study the early history of the Internet, because "switch" used to mean "router" but now means something entirely different. Some relics of the old terminology still exist as archaic but preserved terms like "packet-switching".
    If the device simply retransmits signals it receives without making any kind of signal conversion, it's a repeater. If signal conversion is performed, such as changing the timing or the media type, it's a bridge.

  19. emc2 says

    Jesus Saves!
    Gretzky gets the rebound and scores!

    So who is this via Ars Technica? Another new blogger? (Because it seems TC bashing never gets old.)

  20. Grifter says

    @James Pollock:

    Per Wikipedia:

    "Cable modems use a range of frequencies originally intended to carry RF television channels, and can coexist on the same single cable alongside standard RF channel signals. Multiple cable modems attached to a single cable can use the same frequency band, using a low-level media access protocol to allow them to work together within the same channel. Typically, 'up' and 'down' signals are kept separate using frequency division multiple access."

    I think you're focusing on digital cable, vs. analog cable…'round these parts, analog is still prevalent, which would make the device a modem, yes?

  21. parkrrrr says

    Looking at the second issue from another direction: what kind of idiot would trust that kind of important communications to an untrusted network that just happens to be nearby? Granted, most wireless routers are going to be connected directly to the Internet, but they have no guarantees that the ones they've connected to weren't specifically set up to do something nefarious with their traffic. I hope it's at least encrypted, but even if it is there are things an untrusted network could do. For example, it'd be fairly simple for a black hat to automatically trigger a DDOS of whatever IP the foreign traffic is bound for.

  22. a_random_guy says

    Not gonna happen. Please note in the article: "A team of wireless researchers in Germany proposed… …as the team led by PhD student Kamill Panitzek". This is a "what if" paper by a bunch of students, not any sort of serious proposal.

    Also, Germany takes its privacy laws very seriously, and taking over people's routers would open their computer networks to intrusion. Not gonna happen…

  23. wgering says

    @James Pollock: I did mean Ethernet bridge, but I slip up occasionally and call it a cable modem. My fault for being imprecise. Point is, my local net is all wired.

    Question though: if this were implemented, would the network admin be able to see the traffic of the people using the security override to access the network? I feel like I'd be okay with letting EMTs piggyback on my wireless network if there was transparency/accountability and I could see exactly what they were using it for.

  24. James Pollock says

    "Question though: if this were implemented, would the network admin be able to see the traffic of the people using the security override to access the network?"
    Since this is not based on capabilities currently built into consumer routers, it's hard to tell exactly how it could/would work. My guess is that the local admin would be able to see the traffic (that is, they'd know they were being accessed, and how many packets were being transmitted through their networks) but the actual traffic would be encrypted, probably using asymmetric encryption to create a connection and exchange a symmetric encryption session key (similar to SSL). The question would be how to inform the consumer devices when to allow traffic… would the public keys of the agencies authorized to seize bandwidth be preloaded onto the router's firmware, periodically fetched from some Internet site, or not cached at all (requiring verification each time a request was made). There are positives and negatives associated with each variation.
    Alternatively, the government could declare by fiat that all wireless devices MUST provide a non-encrypted non-authenticated method of access to be legally operated (the way that all phones have to be able to dial 911 (or its local equivalent)).
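The handshake James Pollock sketches above, written out as an added example; it is not code from the post, the thread, or the German paper, which defines no protocol. The field layout, the names, and the choice of Ed25519 for the agency signature, X25519 for the key agreement and SHA-256 as the key derivation are all assumptions made here. It takes the "preloaded onto the router's firmware" variant and shows the minimum a router would have to check before honouring an override: the signature under the preloaded key, a validity window so the override cannot live forever, and a nonce so that a captured request cannot be replayed. Shane's objection survives all three checks: as far as the router can tell, whoever holds the signing key is the first responder.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"time"
)

// OverrideRequest is what an agency presents to a router. The field layout is an assumption made here; the proposal defines no wire format.
type OverrideRequest struct {
	AgencyID  [8]byte  // requesting agency
	NotBefore int64    // unix seconds: start of validity window
	NotAfter  int64    // unix seconds: end of window, bounds how long the override lives
	Nonce     [16]byte // fresh per request, so a captured request cannot be replayed
	EphPub    [32]byte // requester's ephemeral X25519 public key
	Sig       []byte   // Ed25519 signature over every field above
}

// signedBytes is the canonical encoding that is signed and verified.
func (r *OverrideRequest) signedBytes() []byte {
	b := append([]byte{}, r.AgencyID[:]...)
	b = binary.BigEndian.AppendUint64(b, uint64(r.NotBefore))
	b = binary.BigEndian.AppendUint64(b, uint64(r.NotAfter))
	b = append(b, r.Nonce[:]...)
	return append(b, r.EphPub[:]...)
}

var ErrBadSig = errors.New("signature does not verify under the preloaded agency key")
var ErrExpired = errors.New("request is outside its validity window")
var ErrReplay = errors.New("nonce already honoured")

// Router is the device side: the preloaded agency key, the router's own X25519 key, and the nonces already honoured.
type Router struct {
	agencyKey ed25519.PublicKey
	priv      *ecdh.PrivateKey
	seen      map[[16]byte]bool
}

func NewRouter(agencyKey ed25519.PublicKey) (*Router, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Router{agencyKey: agencyKey, priv: priv, seen: map[[16]byte]bool{}}, nil
}

// PublicKey is returned to the requester so it can derive the same session key.
func (rt *Router) PublicKey() *ecdh.PublicKey { return rt.priv.PublicKey() }

// SessionKey binds the X25519 shared secret to the signed request; SHA-256 stands in for a proper KDF such as HKDF.
func SessionKey(shared []byte, req *OverrideRequest) []byte {
	h := sha256.New()
	h.Write(shared)
	h.Write(req.signedBytes())
	return h.Sum(nil)
}

// Accept verifies a request and, if valid, records its nonce and returns the session key. Signature first, so an altered or unsigned request never reaches the stateful checks.
func (rt *Router) Accept(req *OverrideRequest, now time.Time) ([]byte, error) {
	if !ed25519.Verify(rt.agencyKey, req.signedBytes(), req.Sig) {
		return nil, ErrBadSig
	}
	if t := now.Unix(); t < req.NotBefore || t > req.NotAfter {
		return nil, ErrExpired
	}
	if rt.seen[req.Nonce] {
		return nil, ErrReplay
	}
	rt.seen[req.Nonce] = true
	peer, err := ecdh.X25519().NewPublicKey(req.EphPub[:])
	if err != nil {
		return nil, err
	}
	shared, err := rt.priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	return SessionKey(shared, req), nil
}

// BuildRequest is the requester side: a request valid for ttl, signed with the agency key.
func BuildRequest(agencyPriv ed25519.PrivateKey, agency string, now time.Time, ttl time.Duration) (*OverrideRequest, *ecdh.PrivateKey, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	req := &OverrideRequest{NotBefore: now.Unix(), NotAfter: now.Add(ttl).Unix()}
	copy(req.AgencyID[:], agency)
	if _, err := rand.Read(req.Nonce[:]); err != nil {
		return nil, nil, err
	}
	copy(req.EphPub[:], eph.PublicKey().Bytes())
	req.Sig = ed25519.Sign(agencyPriv, req.signedBytes())
	return req, eph, nil
}
```

Used as a requester would use it: BuildRequest with the agency's private key, hand the request to rt.Accept, then finish the requester's half with eph.ECDH(rt.PublicKey()) and SessionKey, which yields the same 32 bytes the router returned. A request signed under any other key, one presented outside its window, one whose NotAfter was edited after signing, and one presented a second time are all refused. The trust problem Pollock raises is visible in the code: the router holds exactly one agencyKey and cannot learn that it has been compromised or retired short of a firmware update, while the fetch-or-verify-online variants trade that for a dependency on the network being up during an emergency.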

  25. says

    All the more reason to run open source firmware like DD-WRT, which naturally does not include such central management, as a matter of principle. Anyone who controls your router can read all your insecure traffic, usually including important passwords. And basic password policy says, those shouldn't be in the hands of anyone but you.

    I can see the benefit of allowing a customer support tech to help configure your router – but such allowances should be time-limited and with the explicit permission of the customer, and they should be able to audit the changes made.

  26. James Pollock says

    2 things:
    First, open source doesn't do anything "as a matter of principle". If required to provide such a feature, the open-source community would build it in. What you won't get is this new feature by surprise.
    Second, passwords are rarely transmitted in unencrypted form. VERY few protocols provide for this (TELNET and FTP are the only two that come to mind). Windows transmits passwords in encrypted form (admittedly, one of those forms is easy to break, but unless you're running Windows 98, you've no reason to use the old NTLM.)
    Your ISP can already tap all your INTERNET traffic, which is much more likely to contain sensitive information.
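An added example, not from the post or the thread, putting the two comments above side by side from the vantage point of whoever holds the router: a scanner over constructed client-to-server payloads that reports credentials sent in the clear. Besides Telnet and FTP it checks POP3, IMAP LOGIN, SMTP AUTH PLAIN and HTTP Basic, the last three of which carry the password as base64, which is encoding rather than encryption. A TLS segment is included to show the limit: the router sees nothing inside an encrypted session, which is the main reason such passwords are rarely readable today. Protocol is inferred from the server port, the sample traffic is constructed for the example, and all names are assumptions.

```go
package main

import (
	"encoding/base64"
	"strings"
)

// Segment is one reassembled client-to-server TCP payload with its server port.
type Segment struct {
	DstPort int
	Payload string
}

// Finding is a credential that anyone on the path could read.
type Finding struct {
	Protocol, Field, Value string
}

// decodeB64 checks a case-insensitive prefix and base64-decodes the remainder.
func decodeB64(line, prefix string) (string, bool) {
	if len(line) < len(prefix) || !strings.EqualFold(line[:len(prefix)], prefix) {
		return "", false
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(line[len(prefix):]))
	return string(raw), err == nil
}

// ScanSegment returns every credential the segment exposes in cleartext.
func ScanSegment(s Segment) []Finding {
	var out []Finding
	for _, line := range strings.Split(s.Payload, "\r\n") {
		f := strings.Fields(line)
		switch {
		case s.DstPort == 21 || s.DstPort == 110: // FTP and POP3: "USER x" then "PASS y"
			if len(f) == 2 && (strings.EqualFold(f[0], "USER") || strings.EqualFold(f[0], "PASS")) {
				proto := "ftp"
				if s.DstPort == 110 {
					proto = "pop3"
				}
				out = append(out, Finding{proto, strings.ToLower(f[0]), f[1]})
			}
		case s.DstPort == 143: // IMAP: "a001 LOGIN user pass"
			if len(f) == 4 && strings.EqualFold(f[1], "LOGIN") {
				out = append(out, Finding{"imap", "user", f[2]}, Finding{"imap", "pass", f[3]})
			}
		case s.DstPort == 25 || s.DstPort == 587: // SMTP AUTH PLAIN: base64("\x00user\x00pass")
			if raw, ok := decodeB64(line, "AUTH PLAIN "); ok {
				if p := strings.Split(raw, "\x00"); len(p) == 3 {
					out = append(out, Finding{"smtp", "user", p[1]}, Finding{"smtp", "pass", p[2]})
				}
			}
		case s.DstPort == 80 || s.DstPort == 8080: // HTTP Basic: base64("user:pass"), encoding, not encryption
			if raw, ok := decodeB64(line, "Authorization: Basic "); ok {
				if u, p, found := strings.Cut(raw, ":"); found {
					out = append(out, Finding{"http-basic", "user", u}, Finding{"http-basic", "pass", p})
				}
			}
		}
	}
	return out
}

// Scan runs ScanSegment over a whole capture in order.
func Scan(segs []Segment) []Finding {
	var out []Finding
	for _, s := range segs {
		out = append(out, ScanSegment(s)...)
	}
	return out
}

// SampleCapture is constructed traffic for this example, not a real capture.
func SampleCapture() []Segment {
	return []Segment{
		{21, "USER alice\r\nPASS hunter2\r\nLIST\r\n"},
		{80, "GET /admin HTTP/1.1\r\nHost: 192.168.1.1\r\nAuthorization: Basic " +
			base64.StdEncoding.EncodeToString([]byte("admin:admin")) + "\r\n\r\n"},
		{110, "USER bob\r\nPASS qwerty\r\nSTAT\r\n"},
		{143, "a001 LOGIN carol p@ssw0rd\r\n"},
		{587, "EHLO laptop\r\nAUTH PLAIN " +
			base64.StdEncoding.EncodeToString([]byte("\x00dave\x00s3cret")) + "\r\n"},
		{443, "\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"}, // TLS ClientHello: nothing readable
	}
}
```

Scan(SampleCapture()) yields ten findings, two per cleartext protocol and none for the TLS segment. The same shape of check, run against a capture from your own wireless segment, is the quickest way to learn which devices on it still speak any of these protocols without TLS.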

  27. says

    +James Pollock: Actually it isn't an "Ethernet Bridge" either because the cable side isn't running Ethernet. Typically it's running something called something like DOCSIS so the device is technically a "Gateway" not a "Bridge".

    Fun Fact: the reason that some streaming services (cable on demand) and the cable company provided "voice over IP" (or however they want to sell it to you) generally "works better" than the VoIP you get from, say, Vonage is because the voice data and movie streaming also comes via DOCSIS. It therefore doesn't have to go through the up and down converters to make it "IP-ish". DOCSIS is very efficient for a network you control absolutely (e.g. a network that is nothing like Ethernet).

  28. says

    By the way, the point of the emergency override is/was to open the WIFI side of the wireless routers, not the ethernet side per se.

    Of course once someone else has the real keys to _your_ stuff, it isn't so much yours any more.

    (See TPM, and Microsoft and/or Apple DRM initiatives intended to turn your computer into a set-top box controlled by "media" companies. Remember, if you didn't pay for it all, you are the product not the customer, so all that free security is to protect their stuff from you…)

  29. James Pollock says

    Robert, I suggest you consult an article or two that explains the OSI model of network communications. A bridge operates on layer two, connecting two networks (usually, though not always, of dissimilar media) but uses the same networking protocols. A gateway operates on layers 1 through 7 and involves changing EVERYTHING about the network communication from the type of media, the signaling methods used, and the meaning of those signals. (Some old reference materials use the term "gateway" in its archaic sense, where "gateway" means "router". This meaning is preserved in the IP configuration of "default gateway", which is the address of the router that connects the local network to the routed internetwork.)