ESR On Why the FCC Shouldn't Lock Down Device Firmware

An anonymous reader writes: We've discussed some proposed FCC rules that could restrict modification of wireless routers in such a way that open source firmware would become banned. Eric S. Raymond has published the comment he sent to the FCC about this. He argues, "The present state of router and wireless-access-point firmware is nothing short of a disaster with grave national-security implications. ... The effect of locking down router and WiFi firmware as these rules contemplate would be to lock irreparably in place the bugs and security vulnerabilities we now have. To those like myself who know or can guess the true extent of those vulnerabilities, this is a terrifying possibility. I believe there is only one way to avoid a debacle: mandated device upgradeability and mandated open-source licensing for device firmware so that the security and reliability problems can be swarmed over by all the volunteer hands we can recruit. This is an approach proven to work by the Internet ubiquity and high reliability of the Linux operating system."

Why not just lock down the radio portion?

[ZorinLynx]

If they're going to mandate locking down, lock down the WiFi radio, as that's the part that uses the radio waves. The WiFi radio can be a "black box" with it own firmware, much like on cellular phones, where the cellular radio is a similar black box.

This keeps the FCC happy, because people won't be able to violate FCC rules, and it keeps users happy because they can keep running custom software. The WiFi firmware isn't typically something you want to mess with anyway.

Open Source should go all the way

Assuming that the routers require signed firmware images (or will in the near future), the law should require that everything needed to load new images into the router by the user should be made available (including any signing keys). Of course there should be safeguards in place to prevent malefactors from using the same information...maybe physical presence should be required for firmware re-loads?

what does that even mean?

[NostalgiaForInfinity]

Any computer with a WiFi card can become a "router" and have the ability to exceed FCC power requirements. Furthermore, the violations of FCC policy possible with standard router hardware are pretty limited and innocuous, no matter what you do with the firmware; I can't imagine that they have ever even detected this in the wild.

Anybody who seriously wants to boost power will just stick a hardware amplifier on their router. A 2W amplifier will cost you about $25, and an 8W amplifier about $60.

LOTs of missing information

[davecb]

The problem seems to be that some few airport weather radars are interfered with by existing home routers on the same frequency. They supposedly fail to detect the channel is busy doing safety-critical radar stuff, and sit there creating interference.

However, we can't confirm that. We don't know the brand of router, the specific frequency in question, the number of airports that have the radars or the prevalence of the problem: we just got a proposed mandate that the vendor “describe in detail how the device is protected from flashing and the installation of third-party firmware such as DD-WRT.”

Make it a choice

[c]

Give them the choice; perpetual security updates or open source. You want to keep your stuff closed source, you make sure it stays secure. You don't want to maintain it indefinitely, you open source it. You're welcome to migrate between those options at your convenience, but those are the only acceptable states.

Won't happen, of course, but it's got better odds than "force everyone to open source".

Follow the Money

I want to know who is really lobbying for this and why. I suspect the cell phone carriers who, desparetely clinging to their cell data plan cash cows, are trying to make sure wifi falls into line when their next generation of 'G' comes out and stomps all over it. Wifi access is becoming more and more widespread, to the point I think the carriers are worried about its (mostly free) usage as an alternative to (wildly overpriced) cellular data causing people to abandon cellular companies outright in favor of wifi-only devices. I live in a rural area in the middle of all the green on a map of Pennsylvania and the only place I don't have some sort of wifi coverage is during my 20 mile commute to work.