Stepping In It…
It appears that Belkin stepped into a big pile of public relations crap with the latest firmware update to one of their home router/firewall devices.
The marketing geniuses at Belkin, the consumer networking vendor, have dreamed up a new form of spam – ads served to your desktop, by way of its wireless router.
Uh Clem, a former Belkin wireless router user, was perplexed to find machines on his network redirected to an ad for Belkin’s new parental control system, following a software update. (emphasis added)
Belkin has added a new content filtering system (censorware) to their routers that requires a subscription to their service (the list of blocked sites resides on their central servers, from which the router fetches updates). Someone at Belkin thought it would be just spiffy if the router would automatically redirect a user’s web request to their ad page, which tried to get the user to sign up for a six-month “free” trial. The user is forced to hit an “opt-out” button to stop this from happening in the future (the router will hijack one web request every eight hours until the user either activates the content filtering trial or opts out).
Belkin’s initial reaction was to try to control the damage by responding to the Usenet post. This didn’t go over very well with users, who rightly thought it was a bunch of marketing spin. Someone (most likely at Belkin) deleted the response, but it was too late, since the response had been mirrored all over the place. Belkin then posted a rather curt and defensive announcement on their website (claiming that only people who closed a window during installation without opting out of the redirect would get redirects; i.e. it’s your fault that we keep hitting you in the face because you never asked us not to). They later replaced it with a more conciliatory one. The current statement says that a firmware upgrade will be available on November 17th “to allay customers’ worries”.
I don’t own any Belkin networking hardware and I’m not likely to in the future, given this little fiasco. A home firewall/router should never redirect a user’s request without the user’s consent, which is exactly what was happening here. Not only is it dishonest and annoying, it could potentially break an online transaction in progress (not to mention cause untold trouble for any non-browser HTTP traffic passing through the router, e.g. SOAP/RPC over HTTP, where the client expects an XML reply and instead receives a redirect to an HTML ad page). But there’s also a great big gaping security hole in their process (at least as I see it). When the user selects the “opt-out” link on the redirected page, a flag is set in the router to turn off redirects. This means that an unauthenticated path exists for a request from an ordinary client on the LAN to change the router’s internal state, without going through the router’s normal administrative interface. Granted, it’s just a flag, but it makes you wonder what other little backdoors the marketdroids at Belkin have inserted into the firmware.
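As an added example (not part of the original post, and not Belkin’s code), here is a small checker that spots the kind of transparent hijacking described above: a device in the path answering a request for one host with a 3xx redirect to a different host, typically the router’s own private LAN address. It also calls out the case the post worries about, a redirected POST, because the request body (the transaction, the SOAP envelope) never reached the origin. The transaction records are constructed sample data; the router address 192.168.2.1 and the ad path are assumptions for illustration only.

```python
"""
Added example: spot transparent HTTP hijacking of the kind described above.

A device in the path answers a request for one host with a 3xx redirect to a
different host. The transactions below are constructed sample records (the
router address 192.168.2.1 and the ad path are assumptions, not Belkin's
actual values); nothing here talks to a network.
"""
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class HttpTransaction:
    method: str
    url: str            # URL the client asked for
    status: int         # status code the client got back
    location: str = ""  # Location header if the response was a 3xx


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def registrable(host: str) -> str:
    """Fold 'www.example.com' and 'example.com' together; good enough for sample data."""
    return host[4:] if host.startswith("www.") else host


def target_is_private(host: str) -> bool:
    """True when the redirect target is an RFC 1918 / loopback address, i.e. a
    LAN device such as the router itself rather than any public web site."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False   # a hostname, not an IP literal


def classify(tx: HttpTransaction, trusted_hosts=frozenset()):
    """Return a description of why the transaction looks hijacked, or None."""
    if not (300 <= tx.status < 400) or not tx.location:
        return None
    src, dst = host_of(tx.url), host_of(tx.location)
    if registrable(src) == registrable(dst) or dst in trusted_hosts:
        return None   # ordinary redirect within the site, or one we expect
    if target_is_private(dst):
        reason = "redirect to private address"
    else:
        reason = "redirect to unexpected host"
    if tx.method.upper() in ("POST", "PUT", "PATCH", "DELETE"):
        # A 3xx answer to a POST means the body never reached the origin; a
        # client that follows it will typically re-issue a bodiless GET.
        reason += "; request body lost"
    return reason


def find_hijacks(transactions, trusted_hosts=frozenset()):
    """Return [(method, url, location, reason)] for transactions that look hijacked."""
    out = []
    for tx in transactions:
        reason = classify(tx, trusted_hosts)
        if reason:
            out.append((tx.method, tx.url, tx.location, reason))
    return out


# Constructed sample traffic: one plain hijack, one hijacked SOAP call, one
# legitimate in-site redirect, one expected cross-site hop to a payment host,
# and one ordinary 200.
SAMPLE = [
    HttpTransaction("GET", "http://www.example.com/", 302,
                    "http://192.168.2.1/ads/parental-control"),
    HttpTransaction("GET", "http://example.com/login", 301,
                    "https://www.example.com/login"),
    HttpTransaction("POST", "http://api.example.net/soap", 302,
                    "http://192.168.2.1/ads/parental-control"),
    HttpTransaction("GET", "http://shop.example.com/cart", 303,
                    "https://pay.example.org/checkout"),
    HttpTransaction("GET", "http://example.org/", 200),
]

if __name__ == "__main__":
    for row in find_hijacks(SAMPLE, trusted_hosts={"pay.example.org"}):
        print(*row)
```

Without the `trusted_hosts` allowlist the legitimate hop to the payment host is flagged as well, which is the trade-off: a redirect to a private address is a strong signal on its own, while a redirect to an unexpected public host needs a list of the cross-site hops you actually expect.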
Link via Slashdot.
Yesterday’s follow-up from Slashdot.