Slashdot Mirror

← Back to Stories (view on slashdot.org)

New FCC Rules Could Ban WiFi Router Firmware Modification

Posted by Soulskill on from the because-you-don't-need-to-control-the-things-you-own dept.

An anonymous reader writes: Hackaday reports that the FCC is introducing new rules which ban firmware modifications for the radio systems in WiFi routers and other wireless devices operating in the 5 GHz range. The vast majority of routers are manufactured as System on Chip devices, with the radio module and CPU integrated in a single package. The new rules have the potential to effectively ban the installation of proven Open Source firmware on any WiFi router.

ThinkPenguin, the EFF, FSF, Software Freedom Law Center, Software Freedom Conservancy, OpenWRT, LibreCMC, Qualcomm, and others have created the SaveWiFi campaign, providing instructions on how to submit a formal complaint to the FCC regarding this proposed rule. The comment period is closing on September 8, 2015. Leave a comment for the FCC.

28 of 242 comments (clear)

  1. Build your own router by Anonymous Coward · · Score: 5, Interesting

    You can buy an ALIX or Soekris board with a case and wifi card, then install your favorite router distribution on it such as pfSense

    1. Re:Build your own router by idontgno · · Score: 4, Insightful

      Dammit. No mod points.

      Yes, this is the answer. If commodity Wifi routers become lock boxes, make non-commodity non-firmware Wifi routers. The more you tighten your grip, FCC, the more general-purpose computing systems will slip through your fingers.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    2. Re:Build your own router by RavenLrD20k · · Score: 5, Insightful

      How do you figure? The wireless card would have its own licensed firmware operating the radio and thus be under the restrictions enforced...but the rest of the box would be managed by the general purpose operating system, which the FCC wouldn't be able to regulate under this rule. The GPOS would then manage what network traffic comes off and goes to the wireless card, but not handle the management of the card directly.

    3. Re:Build your own router by Darinbob · · Score: 3, Insightful

      The components themselves are licensed and have passed FCC tests. The system will not be changing any operating parameters; it will keep the same frequencies, channel spacings and separations, power limits, etc. All the end user is doing is specifying how the device is being used.

  2. Re:Apple can't modify Time Machine Firmware? by Wrexs0ul · · Score: 5, Insightful

    I was just thinking that. This is so broad as to be unusable.

    And mature products like DD-WRT are what make consumer-grade routers fly. It's pretty much the only reason I'll buy an ASUS, because the stock firmware doesn't have the feature set needed for latency sensitive hardware.

    --
    --- Need web hosting?
  3. Like Tomato? by CauseBy · · Score: 3, Insightful

    I have a advanced-consumer-level wifi router and I put Tomato on it long ago. Is that what they are talking about? What kind of rule can prevent you from installing software on computers you own? It seems like a violation of something fundamental to me.

    1. Re:Like Tomato? by gstoddart · · Score: 4, Insightful

      As purely a WAG ... my guess is things which radiate are tested and approved according to some form of standard for interference and the like.

      Putting on a new firmware could cause the device to operate outside of those parameters, and would therefore be a non-conforming device.

      It's not saying you can't put software on something you own. It's saying putting something onto a device which broadcasts can make changes you didn't expect.

      As I said, that's purely a WAG, but it seems like the kind of thing within their mandate.

      --
      Lost at C:>. Found at C.
    2. Re:Like Tomato? by The+MAZZTer · · Score: 4, Insightful

      Only the RADIO firmware has to be intact. In theory you can still modify whatever else you want. But the fear here is that companies may take the path of least resistance to meet compliance, which may result in all the router software getting locked down, instead of that specific piece of it.

    3. Re:Like Tomato? by gstoddart · · Score: 4, Informative

      Well, if we're getting into the business of banning things on the basis of what they could be used for, let's start with rocks

      You joke, but from TFA:

      Under the rule proposed by the FCC, devices with radios may be required to prevent modifications to firmware. All devices operating in the 5GHz WiFi spectrum will be forced to implement security features to ensure the radios cannot be modified. While prohibiting the modification of transmitters has been a mainstay of FCC regulation for 80 years

      In other words, this is something they've been doing for a very long time, and they are suddenly saying you can't modify things which impact transmitters. It's kind of the things the FCC has been doing for decades.

      So while TFA says "yarg, teh open source and teh tinkering" ... in part it's the FCC reminding people there are long established rules in place for determining what you can do with a transmitting device.

      If the Federal Rock Administration had been regulating rocks for 80 years, then your analogy might be bullshit.

      But preventing making changes to a transmitting device is something they've been doing for a long time. It's not like they're newly asserting this authority, they're pointing out they've had it for decades.

      --
      Lost at C:>. Found at C.
    4. Re:Like Tomato? by jimbolauski · · Score: 4, Informative

      The restrictions are only for the 5GHz band. The reason is 5GHz is supposed to use dynamic frequency selection and transmit power control this is to avoid interfering with weather radar and allow more people to play nice together. They just don't want Dorthy to get hit by a tornado because some one is crapping all over that frequency. They are using a cannon to kill a fly when all they have to do is require that any firmware follow DFS and TPC on 5GHz routers.

      --
      Knowledge = Power
      P= W/t
      t=Money
      Money = Work/Knowledge so the less you know the more you make
    5. Re:Like Tomato? by Z00L00K · · Score: 4, Insightful

      The primary reason as I see it for this is that the HW manufacturers want it - they want to sell you a new $200 device to get a security update.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  4. Translation by Anonymous Coward · · Score: 3, Interesting

    We don't want you to be able to overwrite our back doors.

  5. just more rules from Fed.gov by Indy1 · · Score: 5, Funny

    That I'll happily ignore.

    --
    Lawyers, MBA's, RIAA? A jedi fears not these things!
  6. they don't ban installation of open source by YesIAmAScript · · Score: 3, Informative

    It simply requires the hardware to be designed such that if you install open source, you cannot modify the radio to use frequency bands and powers that it is not supposed to use.

    And this is easy to do. Just put in settings to limit power and lock out bands and make those settings irreversible until a full system reset. Then make the bootloader set those settings before running the installed OS.

    Then the OS can be open source.

    It would be absolutely fantastic if people would be rational about tech news. Tech people/netizens are starting to sound like my grandfather now. Every change is something to be feared. OBAMA IS GOING TO TAKE YOUR GUNS! The people running the FCC are people, just like you. They aren't demons or out to get you. Try to work with other people you haven't met instead of exhibiting xenophobia.

    --
    http://lkml.org/lkml/2005/8/20/95
    1. Re:they don't ban installation of open source by bored_engineer · · Score: 3, Insightful

      I don't think that this does what you think it does. The FCC, in an advisory document, specifically mentions the DD-WRT OS. From Software Security Requirements for U-NII Devices:

      What prevents third parties from loading non-US versions of the software/firmware on the device? Describe in detail how the device is protected from “flashing” and the installation of third-party firmware such as DD-WRT.

      The FCC is trying, with this rule, to prevent any modification to future devices. From the same document:

      An applicant must describe the overall security measures and systems that ensure that:

      • 1. only properly authenticated software is loaded and operating the device; and
      • 2. the device is not easily modified to operate with RF parameters outside of the authorization.

      The description of the software must address the following questions in the operational description for the device and clearly demonstrate how the device meets the security requirement.

      The same document also suggests that there be strong security between the regulated device and the manufacturer's website to verify installed software. How does this not eliminate the use of Tomato or OpenWRT? If you expect to use one of the alternate firmware on future devices, this proposed rule will absolutely affect your ability to do so.

  7. Re:or else what, exactly? by jonsmirl · · Score: 5, Insightful

    No, they want the routers to ship with CPU Trusted mode turned on. Without access to the private key you won't be able to load WRT.

    This a security nightmare since you will now be dependent on router manufacturers for issuing security updates and remotely loading them into your router. We all know how well that has gone in the past.

    I also believe that to date the FCC has received zero actually complaints about someone illegally modify current routers. So in attempting to address this imagined problem the FCC is going to enlarge a gigantic real problem (ie unpatched routers).

  8. Re:or else what, exactly? by bob_super · · Score: 5, Insightful

    We couldn't get the rape, hate crime and murder charges to stick... But you're going down for updating your WiFi!
    Justice Has Been Served !!!!

  9. Consumer Private Key by Immerial · · Score: 4, Interesting

    I wish someone would make this stuff to have a consumer private key... say like a USB drive that is plugged in the router when you get it. Once you set it up, you pull the USB key. Anytime that the router needs to be updated, you insert your USB key, do you updates, and then pull it when you are done. Ta-dah! Private key to keep it from being compromised and owner has control. You could also add some consumer dummy protection: once it is setup, require the key to be pulled to operate (keeps people from being lazy and leaving the router unlocked), prompt people for the key only when updating.

    1. Re:Consumer Private Key by MobyDisk · · Score: 3, Funny

      To update the firmware, you should be required to insert a Windows '95 floppy boot disk containing firmware.bin and flash.com, then press the reset button.

      Seriously though: wouldn't a simple switch be sufficient?

  10. Re:Apple can't modify Time Machine Firmware? by DrVxD · · Score: 4, Funny

    The article I read

    You must be new around here. You'll learn.

    --
    Not everything that can be measured matters; Not everything that matters can be measured.
  11. This is a real threat by Wiseleo · · Score: 5, Informative

    The PDF explicitly mentions DD-WRT as an example of what should not be permitted:

    Third-Party Access
    Control
    1. Explain if any third parties have the capability to operate a US sold device on any
    other regulatory domain, frequencies, or in any manner that is in violation of the
    certification.
    2. What prevents third parties from loading non-US versions of the
    software/firmware on the device? Describe in detail how the device is protected
    from “flashing” and the installation of third-party firmware such as DD-WRT.

    Wrote a comment.

    --
    Leonid S. Knyshov
    Find me on Quora :)
  12. Re:Apple can't modify Time Machine Firmware? by Z00L00K · · Score: 4, Insightful

    Not to mention that DD-WRT is often the only way to make a security upgrade of an older router.

    The corner case that the FCC want to address is not worth the risk increase that may leave a lot of devices insecure because they have issues that haven't been discovered today.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  13. NSA enabled... permanently by erapert · · Score: 3, Insightful

    If this is enacted then that means only router manufacturers would be able/allowed to modify router firmware, right? That means that any security flaws or backdoors will be permanently in place with nothing the end-user can do about it.

    Gee-whiz, cui bono?

    Stallman was 100% right.

  14. Nope.FCC application form: "protected from dd-wrt" by raymorris · · Score: 5, Informative

    That would be reasonable, perhaps, but it's not the approach the FCC is taking. The FCC instructions (linked below) require all applicants (manufacturers) to:

          Describe in detail how the device is protected
    from âoeflashingâ
          and the installation of third-party firmware such as DD-WRT.

    So indeed the rule they have proposed is to explicitly require that manufacturers prevent the installation of DD-WRT.

    https://apps.fcc.gov/kdb/GetAt...

  15. Re:Apple can't modify Time Machine Firmware? by Gr8Apes · · Score: 3, Informative

    The restriction seems to the RF portion only: "and would affect the operating parameters of frequency range, modulation type or maximum output power". So if the firmware doesn't effect any of those 3 items, you're not subject to this.

    --
    The cesspool just got a check and balance.
  16. My comment to the FCC regarding several security by raymorris · · Score: 5, Informative

    I submitted a comment to the FCC outlining several significant security concerns regarding the proposed rule.

    Based on 18 years of professional experience in network security, in both the private sector and government, the proposed rule causes significant concern for information security posture. There are three primary reasons. The legitimate goals of the FCC could be achieved in an alternate manner which does not cause the same widespread security vulnerabilities, by instead requiring that output power levels and any other critical parameters be limited to legal levels by a separate chip. This approach would be far superior to effectively banning proper security practice for the ENTIRE operating system and all utilities on the device, as the current proposal does.

    1

    The proposed rule which requires that manufacturers disallow firmware updates (other than signed manufacturer updates, typically provided for only a very short time), makes it much more difficult to prevent incidents such as the $45 million loss at TJX and the Target breach. In both cases, the victim companies were initially targeted because insecure wifi devices were in use. To reduce future occurrences of such breaches, it is imperative to be able to update devices which use wireless networking. Especially when a vulnerability such as Shellshock is discovered, it is imperative that risks be mitigated immediately.

    Updates provided by the manufacturer may at first seem to be a possible solution, but are not actually a viable solution for two reasons. Manufacturers generally do not provide long-term updates, updates for devices more than about one-two years old. In many cases, no updates are offered at all to handle issues after the date of sale. It is not reasonable to anticipate that organizations and families will replace their network gear every year or two - firmware updates are needed, including for devices which are a few years old. Perhaps ESPECIALLY for devices which are a few years old.

    Secondly, updates from the manufacturer are not a viable solution for more sensitive government and private organizations due to the response time required. In the first 24 hours after the release of Shellshock, thousands of systems were compromised. For many networks, it is critically important to mitigate the threat during this initial time frame. Manufacturer full updates were not available for several days to several months, as we first discussed the best long term solution and that solution propagated downstream from the authors, to the subsystem maintainers, distribution maintainers, OEM repackagers, and finally out to customers after testing at each level. In the meantime, temporary MITIGATIONS were performed on-site by network engineers and security contractors. These vital mitigations which protected sensitive networks in the interim would be illegal and prevented by manufacturer locks under the proposed rule. In simple terms, the proposal makes it illegal to manufacturer equipment which can be _quickly_ protected against new threats to our cyber security.

    2

    Another reason that the proposed rule is problematic is that the manufacturer default firmware, with all available features designed to be as easily accessible as possible, is not appropriate for any environment in which security is a concern. A central tenet of information security, and security in general, is that the attack surface should be as small as possible - services not needed for a particular installation should not be installed and enabled. The only software which definitely cannot be exploited is software which is not installed or not enabled. Therefore, the most secure firmware tends to be that with as many features _removed_ as possible, with only those items required for the current role installed.

    Manufacturer firmware does the exact opposite, for ease-of-use by ordinary consumers. All services which might be of use to any customer are installed, enabled, and wide open for

  17. Re:or else what, exactly? by plover · · Score: 5, Insightful

    I also believe that to date the FCC has received zero actually complaints about someone illegally modify current routers. So in attempting to address this imagined problem the FCC is going to enlarge a gigantic real problem (ie unpatched routers).

    There's the clue to "follow the money." If this isn't a real problem, it's likely legislation that's been written by some big company whose profit model is threatened by open source. Look for the sponsors to be Cisco or Belkin, someone who would benefit by selling you replacement hardware if their old hardware gets hacked.

    And that suggests a potential cure.

    If this is to go forward, it needs to come with a big safety, hacking, and consumer safety clause, something like "Due to the restrictive nature of this rule, the vendors of devices subject to these restrictions must offer a free 20 year warranty repair or replacement of any device found to have a flaw in either the hardware or the software included with the device, including any flaws that expose the device to unauthorized access or use. This replacement must include free shipping of the replacement part, free return shipping of the failing device, and free on-site installation of the replacement device. If repairs can be made via software update, the manufacturer may opt to update all affected machines remotely. All such repairs must be completed within one month of the FCC being made aware of the flaw. This free service must be extended for 20 years from the date of the device registration with the FCC. Any company who dissolves or reorganizes before the 20 year span expires will automatically transfer the liability for free replacements to the majority acquirer of their assets. Non-compliance with this law will result in fines to the manufacturers and distributors of these devices equal to twice the retail purchase price at the date of the sale of the first device multiplied by the quantity of devices manufactured, with the fines to be disbursed equally to customers who physically present the device to an authorized FCC representative, and the FCC."

    If they still want this law when it includes a poison pill like this, then we'll all be cheering for bugs to be found every month so we can get another "router check" from them.

    --
    John
  18. FCC helping sister agency (NSA) by David+G+Jr · · Score: 3, Interesting

    With NSA hijacking shipments of routers and installing "special" firmware on them wouldn't it be smart of them to have a fellow agency make a law that would stop you from undoing all their hard work. The NSA didn't go to all the trouble of hijacking that truck so you could install clean firmware. I'm surprised this hasn't been brought up in the comments yet. http://yro.slashdot.org/story/... http://tech.slashdot.org/story...