Slashdot Mirror
New FCC Rules Could Ban WiFi Router Firmware Modification
An anonymous reader writes: Hackaday reports that the FCC is introducing new rules which ban firmware modifications for the radio systems in WiFi routers and other wireless devices operating in the 5 GHz range. The vast majority of routers are manufactured as System on Chip devices, with the radio module and CPU integrated in a single package. The new rules have the potential to effectively ban the installation of proven Open Source firmware on any WiFi router.
ThinkPenguin, the EFF, FSF, Software Freedom Law Center, Software Freedom Conservancy, OpenWRT, LibreCMC, Qualcomm, and others have created the SaveWiFi campaign, providing instructions on how to submit a formal complaint to the FCC regarding this proposed rule. The comment period is closing on September 8, 2015. Leave a comment for the FCC.
ThinkPenguin, the EFF, FSF, Software Freedom Law Center, Software Freedom Conservancy, OpenWRT, LibreCMC, Qualcomm, and others have created the SaveWiFi campaign, providing instructions on how to submit a formal complaint to the FCC regarding this proposed rule. The comment period is closing on September 8, 2015. Leave a comment for the FCC.
I was just thinking that. This is so broad as to be unusable.
And mature products like DD-WRT are what make consumer-grade routers fly. It's pretty much the only reason I'll buy an ASUS, because the stock firmware doesn't have the feature set needed for latency sensitive hardware.
--- Need web hosting?
I have a advanced-consumer-level wifi router and I put Tomato on it long ago. Is that what they are talking about? What kind of rule can prevent you from installing software on computers you own? It seems like a violation of something fundamental to me.
No, they want the routers to ship with CPU Trusted mode turned on. Without access to the private key you won't be able to load WRT.
This a security nightmare since you will now be dependent on router manufacturers for issuing security updates and remotely loading them into your router. We all know how well that has gone in the past.
I also believe that to date the FCC has received zero actually complaints about someone illegally modify current routers. So in attempting to address this imagined problem the FCC is going to enlarge a gigantic real problem (ie unpatched routers).
Dammit. No mod points.
Yes, this is the answer. If commodity Wifi routers become lock boxes, make non-commodity non-firmware Wifi routers. The more you tighten your grip, FCC, the more general-purpose computing systems will slip through your fingers.
Welcome to the Panopticon. Used to be a prison, now it's your home.
We couldn't get the rape, hate crime and murder charges to stick... But you're going down for updating your WiFi!
Justice Has Been Served !!!!
Not to mention that DD-WRT is often the only way to make a security upgrade of an older router.
The corner case that the FCC want to address is not worth the risk increase that may leave a lot of devices insecure because they have issues that haven't been discovered today.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
How do you figure? The wireless card would have its own licensed firmware operating the radio and thus be under the restrictions enforced...but the rest of the box would be managed by the general purpose operating system, which the FCC wouldn't be able to regulate under this rule. The GPOS would then manage what network traffic comes off and goes to the wireless card, but not handle the management of the card directly.
If this is enacted then that means only router manufacturers would be able/allowed to modify router firmware, right? That means that any security flaws or backdoors will be permanently in place with nothing the end-user can do about it.
Gee-whiz, cui bono?
Stallman was 100% right.
I don't think that this does what you think it does. The FCC, in an advisory document, specifically mentions the DD-WRT OS. From Software Security Requirements for U-NII Devices:
What prevents third parties from loading non-US versions of the software/firmware on the device? Describe in detail how the device is protected from “flashing” and the installation of third-party firmware such as DD-WRT.
The FCC is trying, with this rule, to prevent any modification to future devices. From the same document:
An applicant must describe the overall security measures and systems that ensure that:
The description of the software must address the following questions in the operational description for the device and clearly demonstrate how the device meets the security requirement.
The same document also suggests that there be strong security between the regulated device and the manufacturer's website to verify installed software. How does this not eliminate the use of Tomato or OpenWRT? If you expect to use one of the alternate firmware on future devices, this proposed rule will absolutely affect your ability to do so.
The components themselves are licensed and have passed FCC tests. The system will not be changing any operating parameters; it will keep the same frequencies, channel spacings and separations, power limits, etc. All the end user is doing is specifying how the device is being used.
I also believe that to date the FCC has received zero actually complaints about someone illegally modify current routers. So in attempting to address this imagined problem the FCC is going to enlarge a gigantic real problem (ie unpatched routers).
There's the clue to "follow the money." If this isn't a real problem, it's likely legislation that's been written by some big company whose profit model is threatened by open source. Look for the sponsors to be Cisco or Belkin, someone who would benefit by selling you replacement hardware if their old hardware gets hacked.
And that suggests a potential cure.
If this is to go forward, it needs to come with a big safety, hacking, and consumer safety clause, something like "Due to the restrictive nature of this rule, the vendors of devices subject to these restrictions must offer a free 20 year warranty repair or replacement of any device found to have a flaw in either the hardware or the software included with the device, including any flaws that expose the device to unauthorized access or use. This replacement must include free shipping of the replacement part, free return shipping of the failing device, and free on-site installation of the replacement device. If repairs can be made via software update, the manufacturer may opt to update all affected machines remotely. All such repairs must be completed within one month of the FCC being made aware of the flaw. This free service must be extended for 20 years from the date of the device registration with the FCC. Any company who dissolves or reorganizes before the 20 year span expires will automatically transfer the liability for free replacements to the majority acquirer of their assets. Non-compliance with this law will result in fines to the manufacturers and distributors of these devices equal to twice the retail purchase price at the date of the sale of the first device multiplied by the quantity of devices manufactured, with the fines to be disbursed equally to customers who physically present the device to an authorized FCC representative, and the FCC."
If they still want this law when it includes a poison pill like this, then we'll all be cheering for bugs to be found every month so we can get another "router check" from them.
John