Slashdot Mirror


Why Cybersecurity Experts Want Open Source Routers (vice.com)

derekmead writes: A coalition of 260 cybersecurity experts is taking advantage of a Federal Communications Commission (FCC) public comment period to push for open source Wi-Fi router firmware.

The cybersecurity experts asked the FCC on Wednesday to require router makers to open-source their firmware, or the basic software that controls its core functionality, as a condition for it being licensed for use in the US. The request comes amid a wider debate on how the FCC should ensure that Wi-Fi routers' wireless signals don't "go outside stated regulatory rules" and cause harmful interference to other devices like cordless phones, radar, and satellite dishes.

9 of 177 comments

  1. Routers are the lowest hanging fruit by Anonymous Coward · · Score: 4, Insightful

    Exposed to the internet, never monitored, never updated, and sits between a computer and the internet: the textbook definition of a man in the middle attack.

  2. Re:Firmware is not software by bradgoodman · · Score: 5, Insightful

    Just because YOU don't understand it, it doesn't mean that there aren't a LOT of people who do and would. I'm not knowledgeable enough to personally audit open-source encryption software like GPG and OpenSSL, but I'm glad it's open-source so others who are more knowledgeable than me can scrutinize it.

  3. Misleading title by roman_mir · · Score: 3, Insightful

    How about this for a title: FCC is trying to strip more of your individual freedoms away, EFF objects.

  4. Re:Firmware is not software by Ethanol · · Score: 4, Insightful

    "Firmware" has multiple meanings. The thing you're talking about is indeed called "firmware", but it is a minuscule fraction of the firmware on a typical router, which is generally a linux/unix derivative and includes everything from device drivers to configuration UI. And which is usually riddled with security vulnerabilities and other flaws.

    Even the minuscule bit you're talking about still needs to be inspectable and repairable, because devices always have bugs -- often already known by the time they're shipped and purchased -- and device manufacturers have (apparently) little to no economic interest in fixing them, and it's the owner of an RF device who is legally responsible for compliance. Unless you honestly expect everyone to throw their routers away and buy new ones every few months, or you simply don't care about security, performance, or FCC compliance, field updates are a necessity.

    If an RF-controlling firmware component is nothing but the equivalent of a few jumper switches, then document them thoroughly. If it's functional software (which in fact it pretty-much always is), then publish it, and do so in a form so it can be recompiled to ensure that what's on the device is the same as what was published. Volkswagen has proved beyond any reasonable person's doubt that unverifiable software is not to be trusted.

    (Disclosure: co-author/signatory to the FCC letter.)
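    The check the comment above asks for ("recompiled to ensure that what's on the device is the same as what was published") reduces to comparing a locally rebuilt image against the one dumped from the device. The following is an added example, not code from the thread or from any vendor: it hashes both images and, where they differ, reports the byte ranges involved, so a reviewer can tell a harmless build timestamp from a change in the kernel or root filesystem. The image layout (a header, a four-byte build stamp, then a body) is a constructed assumption for the demonstration.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an image, the value a vendor would publish."""
    return hashlib.sha256(data).hexdigest()


def differing_ranges(a: bytes, b: bytes) -> list:
    """Half-open byte ranges [start, end) where a and b differ.
    A length mismatch counts as a difference over the unmatched tail."""
    ranges = []
    n = max(len(a), len(b))
    start = None
    for i in range(n):
        same = i < len(a) and i < len(b) and a[i] == b[i]
        if not same and start is None:
            start = i
        elif same and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, n))
    return ranges


def verify_image(published: bytes, onboard: bytes) -> dict:
    """Compare a locally rebuilt image against one dumped from the device."""
    pub_hash = sha256_hex(published)
    dev_hash = sha256_hex(onboard)
    diffs = differing_ranges(published, onboard) if pub_hash != dev_hash else []
    return {
        "match": pub_hash == dev_hash,
        "published_sha256": pub_hash,
        "onboard_sha256": dev_hash,
        "diffs": diffs,
    }


# Constructed sample images (not real firmware): a 6-byte header, a 4-byte
# build stamp, and a body standing in for the kernel and root filesystem.
HEADER = b"FWHDR1"
BODY = b"kernel+rootfs" * 4
PUBLISHED = HEADER + b"\x00\x00\x00\x00" + BODY
ONBOARD_GOOD = bytes(PUBLISHED)
# Same build with a different stamp: what a non-reproducible build looks like.
ONBOARD_STAMPED = HEADER + b"\x5f\x3e\x12\x01" + BODY
# One changed body byte: what a tampered or silently patched image looks like.
ONBOARD_PATCHED = HEADER + b"\x00\x00\x00\x00" + BODY[:10] + b"X" + BODY[11:]

if __name__ == "__main__":
    for name, img in [("good", ONBOARD_GOOD),
                      ("stamped", ONBOARD_STAMPED),
                      ("patched", ONBOARD_PATCHED)]:
        r = verify_image(PUBLISHED, img)
        print(name, "match" if r["match"] else f"differs at {r['diffs']}")
```

    A hash mismatch on its own only says "different"; the ranges are what let you decide whether the difference sits in a known non-deterministic field (the stamp) or in code, which is exactly why a reproducible build, with no such fields, is the stronger guarantee.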

  5. Re:Firmware is not software by BronsCon · · Score: 3, Insightful

    And no, it wasn't finally discovered because it was OSS, but by automated testing that works equally well on closed source.

    But the fix was able to be independently verified because it is OSS.

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.

  6. Re:TPP... by Anonymous Coward · · Score: 5, Insightful

    ...and given that it will be fast tracked. This is a HUGE fuck you by Obama and the congress. For Obama, aside from the drone program, signing this is his most immoral and certainly anti-democratic act as president.

    If anyone ever asks for an egregious case of government corruption in the United States, point them to the TPP. This is literally corporations writing American law-- international law-- in secret.

  7. Re:This will help! by swb · · Score: 5, Insightful

    What's sad is that in an ideal world, the NSA *would* help and perform security audits to keep citizens, businesses and government safe from malicious actors.

    But sadly, their version of help means inserting back doors and compromising security in the name of DEA parallel constructions to jail some hippie for growing pot.

  8. Re:TPP... by Lumpy · · Score: 3, Insightful

    Oh no, he has signed many other highly immoral and anti-American bills. Remember the fucking republicans all voted for it as well to get it to his desk.

    Both sides are scumbags.

    --
    Do not look at laser with remaining good eye.

  9. Re:No such thing as a Wi-Fi Router by wierd_w · · Score: 3, Insightful

    In a good deal of the consumer crap devices I have looked under the hood of, the device runs a crippled version of OpenWrt.

    In such cases, the router and AP functionality comes about entirely through software, since the core OS treats both the wired interface and the wireless interface as discrete network interface cards. The wired interface is usually the one that is more interesting, as the multiple ports are treated as VIFs.

    Considering the price point of between $50 and $100 for most consumer grade PoS devices out there, there's a pretty good featureset under there if you can just get past the ABYSMAL driver and config script stack that the manufacturers often push on the poor things.

    Oftentimes, the "stock" firmware for these devices uses drivers that have been hacked up seven ways to Sunday so that they expose certain behaviors-- and has config scripts that do loopy loops to try and get the system into a state that the device maker wants it to be in. (Things like having the root password be set via script every bootup, because the stock firmware does not have a JFFS partition to store actual root credentials, and instead stores the user-defined password in the NVRAM so it can be easily reset with the reset button. On bootup, the script grabs the value from NVRAM and sets the root password. Never mind the DUMBSHITNESS of exposing the root user this way, since it runs all the services under root.) Looking at it, it is the script equivalent of a Rube Goldberg contraption.

    OpenWrt (the REAL deal, not the hacked up dog and pony show that Netgear and pals put under the hood of their devices) boots in a fraction of the time (stock firmwares often take over a full 2 minutes to fully finish the init script!! OpenWrt becomes fully functional in typically under 30 seconds) and allows PROPER device administration (like allowing you to set up proper service user and group accounts on the router to segregate process access requirements, set up and use jails, give you your choice of what routing and wifi supplicant package to use, what HTTP daemon to use-- if any-- etc.)

    Consumer grade crap can become quite useful with a firmware update. Just that you have to treat it like what it actually is-- a small, general purpose computing platform-- and set it up and configure it appropriately.
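    The boot-time pattern the comment above describes (root password pulled from NVRAM by an init script and written onto the root account, with every service then running as root) is something a firmware reviewer can look for mechanically once the init scripts are readable. The following is an added example, not code from the thread or from OpenWrt: a small audit that tracks shell variables assigned from `nvram get` and flags any later line that feeds one of them, or `nvram get` directly, into `passwd`/`chpasswd`. The sample init script is constructed for the demonstration and is not taken from any real vendor image.

```python
import re

# Constructed sample init script in the style the comment describes (not from
# any real vendor firmware): the admin password is read out of NVRAM and set on
# the root account at every boot, and the web server then runs as root.
SAMPLE_INIT_SCRIPT = """\
#!/bin/sh /etc/rc.common
START=99
boot() {
    PW=$(nvram get http_passwd)
    echo "root:$PW" | chpasswd
    /usr/sbin/httpd -p 80
}
"""

# A script that leaves root alone, used to show the audit stays quiet.
CLEAN_INIT_SCRIPT = """\
#!/bin/sh /etc/rc.common
START=99
boot() {
    /usr/sbin/httpd -p 80
}
"""

# VAR=$(nvram get KEY): the variable is now carrying an NVRAM value.
NVRAM_ASSIGN = re.compile(r'^\s*(\w+)=\$\(\s*nvram\s+get\s+(\w+)\s*\)')
# Tools that change account passwords.
PASSWD_TOOL = re.compile(r'\b(chpasswd|passwd)\b')


def audit_init_script(text: str) -> list:
    """Return one finding per line where an NVRAM-sourced value reaches a
    password-setting tool. Each finding records the line, the NVRAM key the
    value came from (None when 'nvram get' is piped in directly) and whether
    the root account is the one being set."""
    findings = []
    tainted = {}  # shell variable name -> NVRAM key it was read from
    for lineno, line in enumerate(text.splitlines(), 1):
        m = NVRAM_ASSIGN.match(line)
        if m:
            tainted[m.group(1)] = m.group(2)
            continue
        if not PASSWD_TOOL.search(line):
            continue
        used = [v for v in tainted
                if re.search(r'\$\{?' + re.escape(v) + r'\b', line)]
        direct = "nvram get" in line
        if used or direct:
            findings.append({
                "line": lineno,
                "text": line.strip(),
                "nvram_key": tainted[used[0]] if used else None,
                "sets_root": bool(re.search(r'\broot\b', line)),
            })
    return findings


if __name__ == "__main__":
    for f in audit_init_script(SAMPLE_INIT_SCRIPT):
        print(f"line {f['line']}: root={f['sets_root']} "
              f"key={f['nvram_key']}: {f['text']}")
```

    The taint tracking is deliberately simple (one assignment form, no cross-file flow), which is enough for the Rube Goldberg scripts the comment describes; the point is that the defect is only auditable at all because the script is plain shell that the owner can read.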