ESR On Why the FCC Shouldn't Lock Down Device Firmware

An anonymous reader writes: We've discussed some proposed FCC rules that could restrict modification of wireless routers in such a way that open source firmware would become banned. Eric S. Raymond has published the comment he sent to the FCC about this. He argues, "The present state of router and wireless-access-point firmware is nothing short of a disaster with grave national-security implications. ... The effect of locking down router and WiFi firmware as these rules contemplate would be to lock irreparably in place the bugs and security vulnerabilities we now have. To those like myself who know or can guess the true extent of those vulnerabilities, this is a terrifying possibility. I believe there is only one way to avoid a debacle: mandated device upgradeability and mandated open-source licensing for device firmware so that the security and reliability problems can be swarmed over by all the volunteer hands we can recruit. This is an approach proven to work by the Internet ubiquity and high reliability of the Linux operating system."

Re:Why not just lock down the radio portion?

If they're going to mandate locking down, lock down the WiFi radio, as that's the part that uses the radio waves. The WiFi radio can be a "black box" with it own firmware, much like on cellular phones, where the cellular radio is a similar black box.

This keeps the FCC happy, because people won't be able to violate FCC rules, and it keeps users happy because they can keep running custom software. The WiFi firmware isn't typically something you want to mess with anyway.

How else could they ensure that the NSA's backdoors continue to function?

Re:Why not just lock down the radio portion?

[_xeno_]

If they're going to mandate locking down, lock down the WiFi radio, as that's the part that uses the radio waves. The WiFi radio can be a "black box" with it own firmware, much like on cellular phones, where the cellular radio is a similar black box.

As I understand it, that is what the FCC wants to mandate. The problem is that in order to keep costs down, a lot of the wifi hardware in the routers doesn't have separate radio firmware, everything is controlled by a single system-on-chip, sort of like those old "winmodems" that didn't contain any firmware and instead offloaded everything to the CPU via their Windows driver.

So the FCC's rules locking down the radio firmware turn out to mean that manufacturers would have to lock down the entire software stack, not because that's what the FCC really wants, but because in order to save costs the radio firmware is instead done as part of the "main" firmware.