
The Belkin router fiasco

It must have seemed like a good idea to some marketing person at Belkin. This company offers a "parental control" feature in its LAN router products which, upon payment of a subscription fee, allows control over which sites can be accessed. It would be nice (from Belkin's point of view) to be sure that all customers are aware of the opportunity to buy this service. So why not just redirect a random web connection every eight hours and have it display an ad for the parental control service rather than the page the user thought they were going to see?

Belkin thought this "feature" was not a particularly big deal. After all, it can be turned off by changing a setting in the router configuration. Or, if the user hits the "no thanks" button, a system owned by Belkin will connect to the router over the net and turn off the feature for them. Unless, of course, the router sits behind a firewall that might look askance at connections to internal routers from the wider Internet.

This sort of episode demonstrates, again, why it is important to have our gadgets powered by free software. Nobody should have to put up with a router hijacking their HTTP connections to display advertisements at them. Few of us want a router whose configuration can be silently changed via a connection from the outside. And many of us would sure like to know what other interesting "features" might have been included with such a product. But, without the source, there is very little to be done. Bad (or malicious) features cannot be fixed, and nobody can audit the code for any other surprises that may be lurking within.

In the absence of source, there is only one feasible way to fix a problem like Belkin's advertising feature: embarrass the manufacturer on the net until they make a fix available. In this case, that approach appears to have worked; Belkin has announced that it will be releasing a firmware update which removes the redirect feature. But we may never know what other features Belkin will have worked into its products. Until our gadgets are powered by free software, we will never really know what our appliances are doing and we will lack the power to fix them.
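
A defender-side check for this kind of in-path redirection, as an added example that is not part of the original article: fetch a canary page you control over plain HTTP and classify the reply. The host names, canary body and sample responses are constructed, and since the article does not say whether the router answered with an HTTP redirect or with the ad page directly, the check covers both.

```python
import hashlib
from email.parser import BytesParser
from urllib.parse import urlsplit

def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, _, header_block = head.partition(b"\r\n")
    status = int(status_line.split()[1])
    headers = BytesParser().parsebytes(header_block + b"\r\n\r\n")
    return status, headers, body

def check_canary(raw: bytes, requested_host: str, expected_sha256: str) -> str:
    """Classify the reply to a plain-HTTP GET for a canary page we control."""
    status, headers, body = parse_response(raw)
    if 300 <= status < 400:
        target = urlsplit(headers.get("Location", "")).hostname
        # A relative Location has no hostname and stays on the requested host.
        if target and target.lower() != requested_host.lower():
            return "redirected-offsite"
        return "redirected-samesite"
    if hashlib.sha256(body).hexdigest() != expected_sha256:
        return "content-mismatch"
    return "ok"

# Constructed sample data: hypothetical hosts and a made-up canary body.
HOST = "canary.example"
CANARY_BODY = b"canary-body-v1\n"
EXPECTED = hashlib.sha256(CANARY_BODY).hexdigest()
SAMPLES = {
    "genuine": b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n" + CANARY_BODY,
    "redirect": b"HTTP/1.1 302 Found\r\nLocation: http://ads.vendor.example/offer\r\n\r\n",
    "inline": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>Subscribe now</html>",
}

def run_probe():
    """Return {sample name: verdict} for the constructed responses above."""
    return {name: check_canary(raw, HOST, EXPECTED) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in run_probe().items():
        print(f"{name}: {verdict}")
```

Because the redirect described above hits only one connection every eight hours, a single clean probe proves little; the check has to run repeatedly over a longer window.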



The Belkin router fiasco

Posted Nov 13, 2003 4:35 UTC (Thu) by torsten (guest, #4137) [Link] (1 responses)

Belkin thought this "feature" was not a particularly big deal.

I get tired of this childish innocence. They knew full well what they were doing, they knew they were undermining the trust of their customers in exchange for greater potential profits, and they knew if they were caught with their hand in the cookie jar, they would play dumb and release a firmware upgrade few would use.

This instead of doing the right thing, just making a router that works, and advertising their service in a more appropriate manner.

Blah, perhaps I should start my own hardware company. :)

Just a case of minority oppression

Posted Nov 15, 2003 0:51 UTC (Sat) by giraffedata (guest, #1954) [Link]

This is just a case of what we Linux people are quite used to: products built for the majority not being appropriate for the minority.

I really believe this feature is innocuous to 98% of the users of the product. They are interactive users of the web who would see this as pretty much the same thing as an advertising popup.

On the other hand, if you're doing something less ordinary like running an automated process that connects to some http port and does stuff, you might be significantly inconvenienced by getting connected to the wrong http port.

Probably the only thing Belkin didn't count on here, and the only reason it backed down as much as it did, is the bad PR.

The Belkin router fiasco

Posted Nov 13, 2003 5:40 UTC (Thu) by jasone (subscriber, #2423) [Link] (2 responses)

For hardware gadgets, having them run free software isn't sufficient to guarantee that we know what the gadgets are up to. We would need full hardware design specifications for that. Ultimately, we have little choice but to trust the manufacturers to some degree.

The Belkin router fiasco

Posted Nov 13, 2003 9:08 UTC (Thu) by beejaybee (guest, #1581) [Link] (1 responses)

Yeah, I was going to say pretty much the same thing.

How's about not being allowed to sell a gadget without providing (a) a full hardware spec and (b) source code for all the firmware/software contained therein.

Note, I'm not suggesting that the software necessarily should be on "free" license. The gadget producer can retain the copyright to the software if they wish. What it _does_ mean is that users are permitted to compile the source code provided and compare the resulting binary with the code contained in the gadget.

This provides the capability for a user to verify all the functions provided by the gadget _without_ compromising the gadget producer's intellectual property rights.

Naturally I'd prefer a fully open structure; but I'm afraid that ain't going to happen any time soon, & meanwhile devices like routers, DSL modems etc. are required. At least the scheme I propose could be set in place _quickly_ and would allow errant gadget producers to be punished.

It would also end attempts to lock in hardware to software providers; e.g. with the hardware spec for XBox and the source code for the boot ROM, it would be possible to write third-party software to use the XBox for purposes other than that originally intended by the manufacturer. e.g. you could run linux on it, or use it as a firewall.

copyright != software license

Posted Nov 13, 2003 12:03 UTC (Thu) by gallir (guest, #5735) [Link]

Note, I'm not suggesting that the software necessarily should be on "free" license. The gadget producer can retain the copyright to the software if they wish.

Typical confusion, it's quite normal to hear it in a MS or SCO conference, but it's very strange to read it here. All free software (but those in public domain) especially copylefted ones retain copyright of the authors or some other organisation, as the FSF.

Copyright != software license. Copylefted software licenses are based on (and exist because|due to) copyright law. Period.

The Belkin router fiasco

Posted Nov 13, 2003 17:52 UTC (Thu) by zander76 (guest, #6889) [Link]

I find this article hard to read. Open Source or not will not make much of a difference. Do you really believe that the code they release will always be what's running and how many people know enough about embedded systems to compile their own version of the source to ensure that there are no easter eggs hiding?
That is just my opinion, although open source is great, most companies will have little patches go in before the compile.

Was it documented?

Posted Nov 13, 2003 19:26 UTC (Thu) by NAR (subscriber, #1313) [Link] (1 responses)

Quite interesting "feature", I must say... But if it was explicitly documented (e.g. on the paper box containing the router), I don't see any problem - the device worked according to its specifications. However, I doubt that this "feature" was documented. I think we need regulations to control that these kinds of "features" must be documented - or the vendor must pay compensation for the customers.

If a coffee machine is faulty and causes an electric shock, its manufacturer is liable for the damage. But if an operating system (which costs 10 times more than the coffee machine) has remotely exploitable holes, the vendor is not liable...


Bye, NAR

Was it documented?

Posted Nov 15, 2003 1:02 UTC (Sat) by giraffedata (guest, #1954) [Link]

I assume the box did not mention this feature.

I'm quite certain existing law would permit a person to get his money back, and possibly incidental damages as well if he didn't like the redirection feature. Though the router doesn't come with detailed specifications, there is such a strong presumption that a router routes to the IP address you tell it to, as opposed to one of its own choosing, any court in the land would find this router does not meet its warranties.

I suppose you might want to change the law to elevate this to a fraudulent deception, so Belkin could be punished, but probably not. Plenty of similar trade deceptions don't get this treatment.

As for Belkin coming in and reconfiguring your router without you knowing, it seems to me that there is already a US anti-hacking criminal law against this.

In any case, I reject the idea that a manufacturer should have to expose its implementation (source code) for something like this. It's enough that they specify the function. In this case, the mention of a few RFCs that describe routing would be enough.

The Belkin router fiasco - if only they were subtle

Posted Nov 17, 2003 17:56 UTC (Mon) by mikeraz (guest, #155) [Link]

Consider the possibility that companies will do something similar in the future. However, it will be done in a much more subtle way. Instead of a redirect to the vendor's page the product of the future could do the following:

  • insert their ads in place of ads from a web site
  • inject their results at the top of a list returned from a search site
  • slow down connectivity to their competitor's sites

Just three examples of simple, non-obvious exploits that benefit the vendor.


Copyright © 2003, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds