Slashdot Mirror


Why Cybersecurity Experts Want Open Source Routers (vice.com)

derekmead writes: A coalition of 260 cybersecurity experts is taking advantage of a Federal Communications Commission (FCC) public comment period to push for open source Wi-Fi router firmware.

The cybersecurity experts asked the FCC on Wednesday to require router makers to open-source their firmware, or the basic software that controls its core functionality, as a condition for it being licensed for use in the US. The request comes amid a wider debate on how the FCC should ensure that Wi-Fi routers' wireless signals don't "go outside stated regulatory rules" and cause harmful interference to other devices like cordless phones, radar, and satellite dishes.


  1. TPP... by pao93 · · Score: 5, Informative

    good luck! check out this provision in the TPP: http://www.international.gc.ca... Prevents governments in TPP countries from demanding access to an enterprise’s software source code.

    1. Re:TPP... by Anonymous Coward · · Score: 5, Insightful

      ..and given that it will be fast tracked. This is a HUGE fuck you by Obama and the congress. For Obama, aside from the drone program, signing this is his most immoral and certainly anti-democratic act as president.

      If anyone ever asks for an egregious case of government corruption in the United States, point them to the TPP. This is literally corporations writing American law-- international law-- in secret.

    2. Re:TPP... by Trailer+Trash · · Score: 3, Funny

      good luck!
      check out this provision in the TPP:

      http://www.international.gc.ca...

      Prevents governments in TPP countries from demanding access to an enterprise’s software source code.

      LOL. You conservatives crack me up.

      We elected President Hope and Change - Obama. He works for *the people*, particularly those who are poor or minority (some exclusions may apply, specifically asians and pacific islanders are, for purposes of this paragraph, not a "minority"), not big corporations or Wall Street fat cats!

      Wow, I can't wait to see the look on those corporation people's faces when Obama strikes down this cronyist giveaway! It'll be priceless. He'll send those Republicans back where they came from with nothing to show for it but some spanked bottoms.

      Anyway, that's why we elected him. We were tired of big money making laws. See how smart we are?

    3. Re:TPP... by silas_moeckel · · Score: 2

      What you're looking for is Head Money Cases, 112 U.S. 580 (1884) that said specifically that treaties do not hold special case above congress outside how they are negotiated and approved.

      --
      No sir I dont like it.
    4. Re:TPP... by Lumpy · · Score: 3, Insightful

      Oh no, he has signed many other highly immoral and anti-American bills. Remember the fucking republicans all voted for it as well to get it to his desk.

      Both sides are scumbags.

      --
      Do not look at laser with remaining good eye.
    5. Re:TPP... by TemporalBeing · · Score: 2

      What you're looking for is Head Money Cases, 112 U.S. 580 (1884) that said specifically that treaties do not hold special case above congress outside how they are negotiated and approved.

      Except the Constitution places Treaties just under itself and above all other laws of the land - e.g a Treaty can only be invalid if it violates the Constitution, all other laws are subject to the Treaty on equal footing to the Constitution.

      --
      Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
    6. Re:TPP... by silas_moeckel · · Score: 2

      That is not how the supreme court interpreted it. You're correct the wording says that but the supreme court disagreed. The court was clear that treaties do not hold a privileged position over congress specifically allowing for them to pass laws to deny enforcement of, modify or repeal a treaty with nothing more than any other law.

      --
      No sir I dont like it.
    7. Re:TPP... by TemporalBeing · · Score: 2

      That is not how the supreme court interpreted it. You're correct the wording says that but the supreme court disagreed. The court was clear that treaties do not hold a privileged position over congress specifically allowing for them to pass laws to deny enforcement of, modify or repeal a treaty with nothing more than any other law.

      No, they don't hold special position over Congress because Congress has to - and in accordance with the Constitution - approve all Treaties; and only Congress has that power. The SCOTUS ruling, as described, also doesn't mean that - again as per the Constitution - Treaties are not on par with the U.S Code (law) as opposed to their Constitutional place of being between the Constitution and U.S Code. They're not special by any means.

      TPP, and especially the Iran Deal, have a fault in how they are being pursued since SCOTUS has ruled that Congress cannot delegate its authority to other groups. So even though the Iran Deal may be accepted on its face without a specific vote for approval, that would not - per SCOTUS - make it legally binding.

      --
      Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
  2. Routers are the lowest hanging fruit by Anonymous Coward · · Score: 4, Insightful

    Exposed to the internet, never monitored, never updated, and sits between a computer and the internet, the textbook definition of a man in the middle attack.

    1. Re:Routers are the lowest hanging fruit by Dutch+Gun · · Score: 2

      I think consumers are going to need to start demanding that ALL internet-facing devices come with the ability to auto-patch themselves, and this option should default to ON. There's no way you can expect a normal consumer to be able to flash their own devices. Hell, how do they even know if they're vulnerable and *should* flash their device? We've seen what a disaster unpatched servers and PCs have been, and now we're seeing it with unpatched Android devices. Routers are starting to become prime targets for malware, because there's millions of them out there facing the internet, and very few of them ever get patched. IoT devices will simply be next on the list.

      Do we really have to make the same damned mistakes with each class of devices we attach to the internet?

      --
      Irony: Agile development has too much intertia to be abandoned now.
  3. This will help! by micahraleigh · · Score: 2

    Government intelligence agencies can help contribute to the code base.

    The IRS can then help watch people more and help them form more correct political views.

    The FEC can then help the Party making sure helpful people are able to help more!

    1. Re:This will help! by swb · · Score: 5, Insightful

      What's sad is that in an ideal world, the NSA *would* help and perform security audits to keep citizens, businesses and government safe from malicious actors.

      But sadly, their version of help means inserting back doors and compromising security in the name of DEA parallel constructions to jail some hippie for growing pot.

  4. Firmware is not software by Brannon · · Score: 2, Informative

    Firmware can be extremely messy, low-level code. It may not even be written in any sort of recognizable programming language. It is frequently the digital equivalent of a set of jumper switches, just a binary blob which is meaningless if you don't have deep knowledge of the hardware it is controlling. Firmware can directly control low-level electronics and an incorrect setting can lead to physical damage to the device and potential harm to nearby humans.

    It is dangerously stupid to insist that firmware be open-sourced and to allow developers to modify the firmware on devices.

    1. Re:Firmware is not software by bradgoodman · · Score: 5, Insightful

      Just because YOU don't understand it, it doesn't mean that there are a LOT of people that do and would. I'm not knowledgeable enough to personally audit open-source encryption software like GPG and OpenSSL, but I'm glad it's open-source so others who are more knowledgeable than me can scrutinize.

    2. Re:Firmware is not software by Locke2005 · · Score: 2

      Most routers are running Linux and the firmware is written in C.

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
    3. Re:Firmware is not software by JoeyRox · · Score: 2

      It's dangerously stupid for people who aren't familiar with firmware to express opinions about why firmware shouldn't be open-sourced.

    4. Re:Firmware is not software by Ethanol · · Score: 4, Insightful

      "Firmware" has multiple meanings. The thing you're talking about is indeed called "firmware", but it is a minuscule fraction of the firmware on a typical router, which is generally a linux/unix derivative and includes everything from device drivers to configuration UI. And which is usually riddled with security vulnerabilities and other flaws.

      Even the minuscule bit you're talking about still needs to be inspectable and repairable, because devices always have bugs -- often already known by the time they're shipped and purchased -- and device manufacturers have (apparently) little to no economic interest in fixing them, and it's the owner of an RF device who is legally responsible for compliance. Unless you honestly expect everyone to throw their routers away and buy new ones every few months, or you simply don't care about security, performance, or FCC compliance, field updates are a necessity.

      If an RF-controlling firmware component is nothing but the equivalent of a few jumper switches, then document them thoroughly. If it's functional software (which in fact it pretty-much always is), then publish it, and do so in a form so it can be recompiled to ensure that what's on the device is the same as what was published. Volkswagen has proved beyond any reasonable person's doubt that unverifiable software is not to be trusted.

      (Disclosure: co-author/signatory to the FCC letter.)

    5. Re:Firmware is not software by BronsCon · · Score: 3, Insightful

      and no, it wasn't finally discovered because it was OSS, but by automated testing that works equally well on closed source

      But the fix was able to be independently verified because it is OSS.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    6. Re:Firmware is not software by Anne+Thwacks · · Score: 2

      But, if OpenSSL had been developed by a commercial closed source software company, this kind of testing would have been much more likely to have been conveniently avoided, saving much bad publicity.

      FTFY

      --
      Sent from my ASR33 using ASCII
    7. Re:Firmware is not software by wierd_w · · Score: 2

      Not exactly.

      There is the router's OS package, which contains the radio firmware.

      It has become (alarmingly) commonplace for the firmware to be stored in volatile memory inside the radio device-- Such is the case with basically *ALL* Broadcom radios. There is a binary blob that even on linux, must be harvested from closed source driver packages. This blob is what Brannon is talking about. The FOSS linux driver harvests this firmware (which is extracted on consumer linux boxes using a package called fwcutter)

      The FCC is worried that because it is so easy to put a modified blob into the radio's memory, that these devices could be easily switched into a nefarious mode of operation. This behavior would be wholly independent of the router's OS, or even the radio's OS driver-- the radio itself would simply configure itself into the nefarious operating mode, blindly following the configuration supplied by the modified binary blob.

      The real solution here is for the FCC to tell Broadcom and pals that they have to make the General Purpose CPU implementation and boot loader in their chipsets logically separate from the radio. That way the radio can be locked down the way the FCC wants-- and the rest of the router can be completely open.

      However, Broadcom and pals WON'T do that without a serious legal threat being leveled at them, as their current solution is one of practical cost savings. The kind of separation needed to properly secure the radio against tampering of this kind while retaining the ability to clean up the horrid mess that retailers make of the OS and driver stack side (which enable hackers to coopt the router as zombie nodes for a wide assortment of purposes) would make the cost per unit for these SoC based systems prohibitive-- at the very least, it would seriously impact profitability.

      The real problem here is that the binary blob has no checksum or digital signature check before being accepted by the radio. If you were stupid enough to do so, you could feed it the contents of /dev/urandom and watch the sparks fly.

      Simply using a good digital signature on the blob for validation before being accepted by the device radio would go a LOOOOOOOOOOOONG way to fixing this issue without killing projects like openwrt-- You don't need to lock the bootloader to secure the radio.
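
The signature gate proposed in the comment above, as an added example (not part of the original post and not any vendor's actual loader): the radio holds only a public key and refuses any blob whose RSA PKCS#1 v1.5 / SHA-256 signature does not verify, independent of what OS or bootloader the router runs. The key, the `SAMPLE_BLOB` layout and all function names are constructed for illustration; the key is built from two well-known Mersenne primes so the example is reproducible and must never be used for real signing.

```python
import hashlib
import hmac
import os

# DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, EMSA-PKCS1-v1_5).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

# Constructed demo key pair. Real keys use random primes and >= 2048 bits;
# only (N, E) would live in the radio, the private exponent stays with the vendor.
_P, _Q = 2**521 - 1, 2**607 - 1
N, E = _P * _Q, 65537
_D = pow(E, -1, (_P - 1) * (_Q - 1))
K = (N.bit_length() + 7) // 8          # signature length in bytes

# Constructed sample blob: a made-up header followed by made-up register values.
SAMPLE_BLOB = b"RADIOCFG" + bytes(range(64))


def _encode(blob: bytes) -> bytes:
    """Build the full K-byte padded encoding of SHA-256(blob)."""
    t = SHA256_PREFIX + hashlib.sha256(blob).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t


def vendor_sign(blob: bytes) -> bytes:
    """Vendor side: sign the blob with the private exponent."""
    m = int.from_bytes(_encode(blob), "big")
    return pow(m, _D, N).to_bytes(K, "big")


def radio_accepts(blob: bytes, sig: bytes) -> bool:
    """Radio side: accept the blob only if the signature verifies.

    The recovered value is compared against a freshly built encoding
    instead of being parsed, so malformed padding can never pass.
    """
    if len(sig) != K:
        return False
    s = int.from_bytes(sig, "big")
    if s >= N:
        return False
    recovered = pow(s, E, N).to_bytes(K, "big")
    return hmac.compare_digest(recovered, _encode(blob))


def load_radio_blob(blob: bytes, sig: bytes) -> str:
    """Model of the load path: configure the radio only from verified blobs."""
    if not radio_accepts(blob, sig):
        return "rejected: signature check failed, radio keeps previous state"
    return "loaded: %d bytes, sha256=%s" % (
        len(blob), hashlib.sha256(blob).hexdigest()[:16])


if __name__ == "__main__":
    sig = vendor_sign(SAMPLE_BLOB)
    print(load_radio_blob(SAMPLE_BLOB, sig))

    # One flipped bit in the configuration invalidates the signature.
    tampered = bytearray(SAMPLE_BLOB)
    tampered[8] ^= 0x01
    print(load_radio_blob(bytes(tampered), sig))

    # Random data, the case the comment mentions, is rejected before use.
    print(load_radio_blob(os.urandom(len(SAMPLE_BLOB)), sig))
```
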

    8. Re:Firmware is not software by wierd_w · · Score: 2

      These ones match his requirements for certain.

      bcm53xx
      brcm2708
      brcm47xx
      brcm63xx

      There is a reason why the FSF does not like Broadcom chipsets, and considers them FOSS un-friendly.

      The drivers for these chips require a closed binary blob, that must be harvested from a windows driver. On linux, this process is automated with a bash script which downloads a suitable driver package directly from an OEM's support site, then rips the binary blob out and places it into a special folder in /usr, iirc. (might be /etc.... been awhile.)

      The point is that while those SoCs have very well defined CPU implementations, there is voodoo black magic under the hood. The same chip that handles the radio firmware also does the CPU implementation. That radio firmware is physically set up as a section of highly privileged RAM, into which the binary blob gets loaded. The radio then configures itself based on the contents of that blob. The blob's structure is not documented by Broadcom without a seriously large NDA, which is against the functional scope of the GPL, and the FSF. The driver for the 'then-configured' radio is fully FOSS-- but the radio will not operate without the configuration blob-- Literally CANNOT operate without it.

      There's a reason why the FSF prefers wifi chips like say-- Ralink's offerings. In those, the radio is hardware controlled, straight up. The radio comes pre-configured, and the interfaces to interact with the radio are public. This means that the hardware can be used with pure FOSS drivers, without the need for a closed binary blob, which complicates licensing.

      I realize your question was rhetorical, but it exposed a serious lack of knowledge.

  5. Re:No such thing as a Wi-Fi Router by fuzzyfuzzyfungus · · Score: 3, Informative

    The two functions get shoved into one box for consumer purposes(often with a DSL or cable modem as well, maybe even a SIP ATA for some 'triple play' nonsense); but logically speaking there usually is a router, though an anemic one, present inside something you'd call a "Wifi router" with an AP connected internally to it. There isn't quite the same neat logical separation that you'd see with enterprise APs, the AP and the router usually share an OS, lousy HTTP configuration interface, etc. but both functions are included.

    Dedicated APs are pretty thin on the ground in cheap-consumer-shit land, even compared to discrete DSL and cable modems.

  6. Another security professional's comment to the FCC by raymorris · · Score: 3, Interesting

    Below is the text of another comment a career security professional (myself) submitted to the FCC on this issue. Specifically, this is regarding the FCC's proposal to essentially outlaw open routers, by requiring that the firmware be boot-locked.

    Based on 18 years of professional experience in network security, in both the private sector and government, the proposed rule causes significant concern for information security posture. There are three primary reasons. The legitimate goals of the FCC could be achieved in an alternate manner which does not cause the same widespread security vulnerabilities, by instead requiring that output power levels and any other critical parameters be limited to legal levels by a separate chip. This approach would be far superior to effectively banning proper security practice for the ENTIRE operating system and all utilities on the device, as the current proposal does.

    1

    The proposed rule which requires that manufacturers disallow firmware updates (other than signed manufacturer updates, typically provided for only a very short time), makes it much more difficult to prevent incidents such as the $45 million loss at TJX and the Target breach. In both cases, the victim companies were initially targeted because insecure wifi devices were in use. To reduce future occurrences of such breaches, it is imperative to be able to update devices which use wireless networking. Especially when a vulnerability such as Shellshock is discovered, it is imperative that risks be mitigated immediately.

    Updates provided by the manufacturer may at first seem to be a possible solution, but are not actually a viable solution for two reasons. Manufacturers generally do not provide long-term updates, updates for devices more than about one-two years old. In many cases, no updates are offered at all to handle issues after the date of sale. It is not reasonable to anticipate that organizations and families will replace their network gear every year or two - firmware updates are needed, including for devices which are a few years old. Perhaps ESPECIALLY for devices which are a few years old.

    Secondly, updates from the manufacturer are not a viable solution for more sensitive government and private organizations due to the response time required. In the first 24 hours after the release of Shellshock, thousands of systems were compromised. For many networks, it is critically important to mitigate the threat during this initial time frame. Manufacturer full updates were not available for several days to several months, as we first discussed the best long term solution and that solution propagated downstream from the authors, to the subsystem maintainers, distribution maintainers, OEM repackagers, and finally out to customers after testing at each level. In the meantime, temporary MITIGATIONS were performed on-site by network engineers and security contractors. These vital mitigations which protected sensitive networks in the interim would be illegal and prevented by manufacturer locks under the proposed rule. In simple terms, the proposal makes it illegal to manufacture equipment which can be _quickly_ protected against new threats to our cyber security.

    2

    Another reason that the proposed rule is problematic is that the manufacturer default firmware, with all available features designed to be as easily accessible as possible, is not appropriate for any environment in which security is a concern. A central tenet of information security, and security in general, is that the attack surface should be as small as possible - services not needed for a particular installation should not be installed and enabled. The only software which definitely cannot be exploited is software which is not installed or not enabled. Therefore, the most secure firmware tends to be that with as many features _removed_ as possible, with only those items required for the current role installe

  7. Misleading title by roman_mir · · Score: 3, Insightful

    How about this for a title: FCC is trying to strip more of your individual freedoms away, EFF objects.

    1. Re:Misleading title by PPH · · Score: 2

      How about this: FAA acquires weather radio design from morons, FCC attempts to cover their ass.

      --
      Have gnu, will travel.
  8. Ban isp from forcing you to rent their hardware by Joe_Dragon · · Score: 3, Interesting

    Ban isp from forcing you to rent their hardware / make them give you a true bridge mode / pure Ethernet handoff

  9. You can see the long-term picture. by VValdo · · Score: 2

    It happens like this:

    (1) Companies write TPP and other laws to indemnify themselves and resist modifications to their buggy routers.

    (2) FCC makes the problem worse by effectively requiring DRM on routers.

    (3) incidence of serious hacks skyrockets as people are unable to update their routers and other network-enabled devices.

    (4) legislators react to spike in online crime/tragedies not by undoing (1)-(3) but with "get tough" anti-"hacking" laws that chill research and throw people in jail for minor transgressions, research, clock-building, vulnerability disclosure, security tools, or anything not understood that politicians and aggressive prosecutors could perceive as "hacking".

    (5) The problem gets MUCH MUCH worse as a result. Bright minds are tossed into jail, open research is chilled, and online crime continues to skyrocket.

    (6) GOTO 4.

    --
    -------------------
    This is my SIG. There are many like it, but this one is mine.
  10. The TPP connection may be deeper by Anonymous Coward · · Score: 2, Interesting

    The TPP effectively takes control of the www. If we follow the adage of "the Internet treats censorship as damage and routes around it," then we can see that what will most likely develop is a network that is outside of the www. The easiest way to implement such a network in the U.S. is with Wi-Fi-type devices, but if those devices are locked down, not just legally, but physically, then this task becomes yet harder, especially with the ridiculously low power limitations placed on consumer controlled devices.

  11. Re:Open Source != Freely Modifable by Coren22 · · Score: 2

    http://www.afar.net/tutorials/...

    How do you implement the rules listed there for antenna gain?

    If your equipment is used in a fixed point-to-point link, there are two exceptions to the maximum EIRP rule above:

    In the 5.8 GHz band the rule is less restrictive. The maximum EIRP allowed is 53 dBm (30 dBm plus 23 dBi of antenna gain).
    In the 2.4 GHz band you can increase the antenna gain to get an EIRP above 36 dBm but for every 3dBi increase of antenna gain you must reduce the transmit power by 1 dBm. The table below shows the combinations of allowed transmit power / antenna gain and the resulting EIRP.

    Transmit Power (dBm)    Antenna Gain (dBi)    EIRP (dBm)
    30                      6                     36
    29                      9                     38
    28                      12                    40
    27                      15                    42
    26                      18                    44
    25                      21                    46
    24                      24                    48
    23                      27                    50
    22                      30                    52

    I don't see any way for the wifi router to tell the gain of the antenna you attach to it and automatically drop the signal strength.

    The responsibility for staying within these power limits falls on the operator (or, if professionally installed, on the installer).

    So if that is the case, why is this firmware lockdown even on the table? Even with locked down firmware, you are responsible for staying within the power limits.

    --
    APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
  12. I'm a HW engineer, I understand firmware fine. by Brannon · · Score: 3, Informative

    You, however, seem to be confused about what firmware is because you are comparing it to "complicated software". And this has been my experience with software engineers--it is impossible to convince them that there is knowledge in this world which is not directly mappable to some sort of software.

    There are parts of firmware that are just not understandable unless you have deep knowledge of the specific hardware device sitting in front of you, in some cases down to the circuit level (or below, even). It is unreasonable to insist that hardware vendors document their devices down to that level and it is dangerous to allow random idiots to muck about with that firmware.

    1. Re:I'm a HW engineer, I understand firmware fine. by bradgoodman · · Score: 3, Informative

      (I am an embedded systems engineer - so I understand it quite well). What might not be evident is that the people that build these routers (often/usually) don't design all the chips in them. i.e. they're made by other companies. The datasheets are available to others. People do this like crazy all the time. There was just an article the other day on how people modified the firmware in a WiFi router radio component to create a WiFi jammer.

  13. Re:No such thing as a Wi-Fi Router by wierd_w · · Score: 3, Insightful

    In a good deal of the consumer crap devices I have looked under the hood of, the device runs a crippled version of openwrt.

    In such cases, the router and AP functionality comes about entirely through software, since the core OS treats both the wired interface and the wireless interface as discrete network interface cards. The wired interface is usually the one that is more interesting, as the multiple ports are treated as VIFs.

    Considering the pricing point of between 50 and 100$ for most consumer grade PoS devices out there, there's a pretty good featureset under there if you can just get past the ABYSMAL driver and config script stack that the manufacturers often push on the poor things.

    Often times, the "stock" firmware for these devices uses drivers that have been hacked up seven ways to sunday so that they expose certain behaviors-- and have config scripts that do loopy loops to try and get the system into a state that the device maker wants it to be in. (Things like having the root password be set via script every bootup, because the stock firmware does not have a JFFS partition to store actual root credentials, and instead stores the user-defined password in the NVRAM so it can be easily reset with the reset button. On bootup, the script grabs the value from NVRAM and sets the root password. Nevermind the DUMBSHITNESS of exposing the root user this way, since it runs all the services under root.) Looking at it, it is the script equivalent of a Rube-Goldberg contraption.

    OpenWRT (the REAL deal, not the hacked up dog and pony show that netgear and pals put under the hood of their devices) boots in a fraction of the time (Stock firmwares often take over a full 2 minutes to fully finish the init script!! Open WRT becomes fully functional in typically under 30 seconds.) allows PROPER device administration (like, allowing you to set up proper service user and group accounts on the router to segregate process access requirements, set up and use jails, give you your choice of what routing and wifi supplicant package to use, what HTTP daemon to use-- if any-- etc.)

    Consumer grade crap can become quite useful with a firmware update. Just that you have to treat it like what it actually is--- a small, general purpose computing platform-- and set it and configure it appropriately.