Slashdot Mirror


TP-Link Begins Lockdown of Firmware In Response To FCC

An anonymous reader writes: In response to an FCC rule that requires manufacturers to lock down computing devices (routers, PCs, phones) to prevent modification if they have a "modular wireless radio," TP-Link has begun locking down its routers to prevent firmware not signed by TP-Link from being installed. This essentially prevents open source OSs (OpenWRT, for example) from being used on routers. TP-Link may not be a prestige brand, exactly, but the company makes a lot of routers suitable for installing third-party firmware, precisely the sort of thing being locked down makes difficult if not impossible.


  1. WOW by andydread · · Score: 4, Interesting

    So this is the end of open source firmware on basically any device with a radio

    1. Re:WOW by mrchaotica · · Score: 5, Insightful

      I am conflicted. The same thing is happening on PCs with secure boot. It is arguable that this raises the bar for security but the downside is the fact that we lose some control over the devices we have.

      What's there to be "conflicted" about? In all of these cases, the "security" is "security AGAINST THE OWNER OF THE DEVICE," a.k.a. tyranny. It is unambiguously bad!

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    2. Re:WOW by Anonymous Coward · · Score: 4, Informative

      So this is the end of open source firmware on basically any device with a radio

      As has already been well discussed, the FCC already specifically clarified that the only thing they have an issue with is the ability to use firmware to change the radio in a way that would go outside of allowable ranges, for example the ability to jack up the transmit power beyond what is legal for such a device.

      TP-Link is simply taking the lazy option, which doesn't really shock me considering they named their company "Toilet Paper - Link".

    3. Re:WOW by The-Ixian · · Score: 2

      No, not exactly.

      That is one aspect of it, to be sure. But that is only one side.

      Another side is that, like an immunization, you are protecting the herd by making your system harder to crack and become a platform for attacks against yourself and others.

      There are always trade offs and compromises when it comes to security. It would be great if we could live in a world where people didn't do evil things and everything could be free and open, but that is not the world we live in.

      --
      My eyes reflect the stars and a smile lights up my face.
    4. Re: WOW by bill_mcgonigle · · Score: 4, Insightful

      Another side is that, like an immunization, you are protecting the herd by making your system harder to crack

      No, stock firmware on consumer-grade hardware is unambiguously lowest-bidder buggy trash. Open-source replacement firmware is remarkably more secure. Secure bootloading insecure crap is just putting lipstick on the pig.

      Besides, the FCC said this wasn't their intent. We thought they were lying, so either they still are or now TPLink is. A shame, since I've been buying their gear lately for OpenWRT deployments, despite their annoying VLAN assignments. I can't see why they'd want to chase away customers, so I'll guess it's the FCC that's still lying.

      Open source gives the people too much power for a totalitarian regime to tolerate. Open source crypto is being attacked in parallel - neither can be allowed to exist without a regime change.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    5. Re: WOW by Gr8Apes · · Score: 4, Insightful

      I can't see why they'd want to chase away customers, so I'll guess it's the FCC that's still lying.

      That's an incorrect presumption. It's not that they want to chase away customers, it's that to hit that checkmark to be able to sell hardware, they need to lock down the radio. Easiest cheapest way for them to do so? Lock the entire item down, or source a more expensive separate radio controller. I guess we know which way they went.

      --
      The cesspool just got a check and balance.
    6. Re:WOW by mysidia · · Score: 3, Insightful

      security against your neighbor modifying the firmware in their wireless device in such a way that it negatively affects the performance of your wireless device

      No.... that's just a possible explanation for a reasoning behind the rule, BUT it does a lot more collateral damage, AND it does not actually provide that security.

      Your neighbor can still do the simplest possible thing imaginable, which is to attach an amplifier to their wireless device, and boost the signal power over the FCC PEP limits for unlicensed WiFi.

      Your neighbor can also run their microwave or cell phone which legitimately uses the frequency and can trash your WiFi performance.

    7. Re:WOW by Dragonslicer · · Score: 2

      No.... that's just a possible explanation for a reasoning behind the rule

      No, if I understand correctly, it is the reason for the rule. It isn't a "possible explanation", unless you believe that there's some grand conspiracy behind the rule to shut down DD-WRT and similar projects.

      BUT it does a lot more collateral damage

      I agree, but the FCC has clearly stated that there was intention to prohibit open source operating systems for routers and that manufacturers are under absolutely no obligation to do so.

      AND it does not actually provide that security...

      Things don't have to be 100% effective to be useful.

  2. Congratulations by NotInHere · · Score: 2, Insightful

    The FCC didn't claim this would happen, and it still happened. Congrats, FCC!

    1. Re:Congratulations by Anonymous Coward · · Score: 2, Informative

      The FCC are not enforcing this, they are enforcing lockdown of the radio (and for VERY good reasons... channel 14 is bad...).

      If OEMs are too lazy to sort out radio and OS (like android) well... more fool them

    2. Re:Congratulations by pla · · Score: 3, Interesting

      and for VERY good reasons... channel 14 is bad.

      What? Best channel on the list, it virtually never sees any contention from countless annoying wifi-enabled phones/tablets/laptops passing by!

      Just tell your router you live in Japan (and pray it doesn't have the interface localized), and bam, good to go!

    3. Re:Congratulations by mrchaotica · · Score: 2

      If OEMs are too lazy to sort out radio and OS (like android) well... more fool them

      That's not a reasonable position to take, given that our freedom is collateral damage!

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    4. Re:Congratulations by ThatTreeOverThere · · Score: 2

      Can US laptops connect to channel 14, though? i.e. a laptop whose WiFi adapter is set to US restrictions

    5. Re:Congratulations by NotInHere · · Score: 5, Interesting

      The FCC aren't enforcing it, yes, and I agree that it was not their goal. Still the impact of their decision remains the same.

      You can run apps on Android devices. That's the single reason why android devices have separation, even though separation costs more in manufacturing. For routers, separation just isn't an option economically.

      If the FCC had cared, it would have required separation, or just left the state as it was, but they didn't do either.

    6. Re:Congratulations by tlhIngan · · Score: 2

      The FCC aren't enforcing it, yes, and I agree that it was not their goal. Still the impact of their decision remains the same.

      You can run apps on Android devices. That's the single reason why android devices have separation, even though separation costs more in manufacturing. For routers, separation just isn't an option economically.

      If the FCC had cared, it would have required separation, or just left the state as it was, but they didn't do either.

      No, the FCC should not enforce separation. They should let the manufacturer deal with it however they want.

      1) Some will lock it down completely.
      2) Others will leave it fully open, having locked it down in hardware.
      3) Some will do it by separating their radios and routing firmware.

      In fact, #3 is how ALL wireless routers currently work - they have a main routing CPU, and attached to that is the WiFi radios through some interface. So they are separated, just they're usually treated as one unit.

      To be honest, what's actually going to happen is router chips will be locked to their region - you buy a North American router, and the hardware bits will show which channels it's allowed to transmit on. This is easy to do, and leaves the opportunity open for fully customizable firmware since hardware is enforcing the channel lockouts.

    7. Re:Congratulations by jwdb · · Score: 2

      What? Best channel on the list, it virtually never sees any contention from countless annoying wifi-enabled phones/tablets/laptops passing by!

      Methinks you misunderstand GP, be that accidentally or purposely. Either way, the reason channel 14 is so clear in the US is because it's illegal to use it. That channel overlaps with licensed spectrum users, and by using 14 in the US you'll be interfering with them. Depending on the level of interference you may one day get a visit from the FCC, along with a heavy fine.

      There's a reason you have to trick your router to get it to allow you to use 14.

  3. WRTNode by lazarus · · Score: 4, Interesting

    I don't have first hand experience with it, but if you are an aspiring OpenWRT hacker then you might want to look into WRTNode. Using third party proprietary hardware is always fraught with peril anyway.

    --
    I am not interested in articles about life extension advancements.
    1. Re:WRTNode by emj · · Score: 2

      I don't have first hand experience with it, but if you are an aspiring OpenWRT hacker then you might want to look into WRTNode. Using third party proprietary hardware is always fraught with peril anyway.

      There are lots of these but they are often 4x as expensive just like this one. At $40 it's really expensive for what you are getting, if you do not need all those features which you mostly don't.

  4. Except... by Anonymous Coward · · Score: 5, Informative

    Except the FCC has repeatedly stated time and time again they have no intent of hurting third party open source firmware and they're solely focused on the radio component not causing interference. They even recently modified these rules to appease people worried about this:

    http://arstechnica.com/information-technology/2015/11/fcc-we-arent-banning-dd-wrt-on-wi-fi-routers/

    So I have a sneaking suspicion this support employee has no damn idea what they're actually talking about.

    1. Re:Except... by internerdj · · Score: 5, Insightful

      Frankly, the easiest way to comply is just to lock everything down. It doesn't really matter how much the FCC bends over backwards to accommodate third party open source firmware. The ruling made it harder to make a business case for letting the end user change the firmware. Someone was bound to comply this way, probably a lot of someones.

    2. Re:Except... by davecb · · Score: 3, Interesting

      If they lock it down, they become legally and financially responsible for compliance-critical bugs like the glibc DNS one.

      --
      davecb@spamcop.net
    3. Re:Except... by The-Ixian · · Score: 3, Interesting

      As far as I am aware, TP-Link is the hardware behind a lot of different brands including, if I am not mistaken, Google and Apple branded routers.

      People would have to do some research before buying and I doubt that anyone but a die-hard open source fan will ever 1) do the research and 2) base the purchase decision on this issue

      --
      My eyes reflect the stars and a smile lights up my face.
    4. Re:Except... by somenickname · · Score: 3, Interesting

      I wonder if this is the reason TP-Link has been moving away from Atheros based wireless gear. If you look at reviews on Amazon, TP-Link has been incrementing version numbers on some of their products and replacing the Atheros chip with chips that require binary blob firmware. As far as I know, Atheros is the only chipset that doesn't require a binary blob firmware and it's trivial to hack the kernel module so, dumping it for other chipsets might make sense (at least from their perspective) from a compliance standpoint.

    5. Re:Except... by Anonymous Coward · · Score: 2, Insightful

      People who want to install open firmware aren't going to randomly purchase a router and hope it's compatible. They're going to go to the DD-WRT site and purchase a router from the compatibility list. I don't see a problem.

  5. Re:Don't these routers have external memory? by silas_moeckel · · Score: 3, Insightful

    Does you no good if the bootloader on the soc won't run anything not signed.

    --
    No sir I dont like it.
  6. Oh well by siuengr · · Score: 5, Interesting

    Glad I already returned my TP-Link and bought an Asus. I had the C9 Archer and it was terribly unstable. I guess TP-Link will be falling into obscurity again.

  7. Shame, I liked TP-Link by Anonymous Coward · · Score: 2, Insightful

    If it can't run OpenWRT without soldering, it's not useful for me. Same goes for any other router that doesn't run a variant of OpenWRT, RouterOS or IOS-*.

    Guess I'll be shadowing the OpenWRT forum for my next purchase.

    1. Re:Shame, I liked TP-Link by bobbied · · Score: 3, Informative

      Exactly.. That Netgear WRT1900ACs is a sweet system. Nice CPU, two radios, Managed switch, Lots of flash, enough RAM, USB2 & 3 and even an eSATA connection. PLUS the manufacturer is running OpenWRT as their default firmware and are supporting the development by releasing the source code. Now with the "s" variant out, the plain WRT1900AC is available for just over $100. Hard to beat that. Heck, just using it for the managed switch part is almost cost effective for a 5 port switch, but add the routing, file sharing, USB ports and it's a fine multipurpose tool.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  8. TP-Link Sales Decline by Anonymous Coward · · Score: 2, Insightful

    TP-Link is about to see their sales decline. Their cheap shit was eagerly consumed by DIY types putting openWRT on it and frankly you could do some interesting things with it. But, this makes them into just another cheap-shit proprietary Chinese junk network equipment vendor.

    I'll pass, thanks.

    P.S. Isn't it great how well the FCC listened to all those comments that they solicited? Don't you feel like your voice matters? That you're part of the system? That your government works for you and takes your concerns into consideration?

  9. This isn't very new for TP-Link by operator_error · · Score: 5, Informative

    The last few routers I've bought for family and friends have been TP-Link, and of course I immediately flash them all with OpenWRT. The last two routers I bought had firmware from October that was locked down, just like TFA makes note of. I wasn't pleased with the google effort and time required to get to where I wanted to go.

    As I recall, first I had to find a sort of neutral flashing dd-wrt firmware from early last year, that was possible to be flashed by TP-Link's firmware. Then, since TP-Link's October's firmware was useless, I had to flash the router with a much older version of their firmware, making the unit an April TP-Link router. Once I got that far, I was able to flash to OpenWRT as planned.

    I'm happy with the unit's price and performance under OpenWRT, however I will look to other vendors from now on. Of course I must also blame the FCC, which sort of hurts because lately the FCC has been making a lot of good calls for its actual constituents, (while ignoring its paid-for lobbyists).

    1. Re:This isn't very new for TP-Link by d4fseeker · · Score: 2

      What other vendors? TP-Link is just following the EU and US rules, all other vendors will follow suit very soon. I'm more worried about the phrasing in the EU-equivalent to the FCC rule which, if interpreted correctly, forbids the device from being USED with modified firmware.

  10. Embarrassing error by the FCC by davecb · · Score: 2

    Regrettably, they seem to have mistaken channel-based hardware with cryptographically-signed (linux, bsd) databases of allowed channels for something completely different, completely programmable "software defined radios".

    The latter are an unsolved problem for the FCC: the former are the chip designers and the Linux networking team working hard to make it easy for the FCC... and being treated badly.

    --
    davecb@spamcop.net
  11. Re:Don't these routers have external memory? by Andy+Dodd · · Score: 2

    In nearly every SoC currently available now, the chain is:
    IROM (or similar) bootloader baked into the SoC. This verifies the signature of uboot, and jumps to it for execution
    Uboot then takes over, verifies the next step in the chain (if configured to do so), then jumps to it if it verifies.

    Note: The IROM signature checks prevent you from replacing uboot with something that does not enforce signature verification.

    --
    retrorocket.o not found, launch anyway?
  12. Re:Don't these routers have external memory? by Andy+Dodd · · Score: 2

    Most modern SoCs have the ability to verify u-boot prior to execution. Either the public key, or a hash of it (The little documentation I could find on TI's architecture was that to avoid storing 2048 bits in efuses, they stored a 128-bit hash of the 2048-bit key in efuses). The chip would verify the key (while in flash, could not be changed due to fixed hash), then use that key to verify uboot. TI had extensions to uboot to support hardware accelerated verification of the next stage in the boot chain.

    Note: My bit counts might be off. Might be 1024/256, 4096/256, or ???

    --
    retrorocket.o not found, launch anyway?
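
Added example, not part of the thread and not any vendor's code: a Python model of the boot chain described in the two comments above, where the IROM pins a flash-resident public key to a 128-bit efuse hash, verifies u-boot with it, and u-boot then verifies the next stage. The toy RSA key, the `verify=1` marker inside the u-boot image and all function names are assumptions made for illustration.

```python
import hashlib

# Constructed toy key: textbook RSA over two Mersenne primes, no padding.
# Illustration only; a real boot ROM uses a padded scheme and the vendor's key.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, stays with the vendor


def digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(image: bytes) -> int:
    return pow(digest_int(image), D, N)


def verify(image: bytes, sig: int, n: int, e: int) -> bool:
    return pow(sig, e, n) == digest_int(image)


def key_blob(n: int, e: int) -> bytes:
    # Public key as stored in flash: 256-byte modulus slot plus 4-byte exponent.
    return n.to_bytes(256, "big") + e.to_bytes(4, "big")


def fingerprint(blob: bytes) -> bytes:
    # Truncated 128-bit hash burned into efuses instead of the full key.
    return hashlib.sha256(blob).digest()[:16]


def boot(efuse: bytes, flash: dict) -> str:
    # Stage 0 (IROM): the key sits in writable flash, so pin it to the efuse hash.
    blob = flash["pubkey"]
    if fingerprint(blob) != efuse:
        return "halt: public key does not match efuse hash"
    n, e = int.from_bytes(blob[:256], "big"), int.from_bytes(blob[256:], "big")
    if not verify(flash["uboot"], flash["uboot_sig"], n, e):
        return "halt: u-boot signature invalid"
    # Stage 1 (u-boot): whether it checks the next stage is part of the signed
    # image, so that setting cannot be flipped without failing stage 0.
    if b"verify=1" in flash["uboot"]:
        if not verify(flash["firmware"], flash["firmware_sig"], n, e):
            return "halt: firmware signature invalid"
    return "booted"


def make_flash() -> dict:
    # Constructed flash contents as the vendor would ship them.
    uboot, firmware = b"U-BOOT verify=1", b"vendor firmware image"
    return {"pubkey": key_blob(N, E), "uboot": uboot, "uboot_sig": sign(uboot),
            "firmware": firmware, "firmware_sig": sign(firmware)}


EFUSE = fingerprint(key_blob(N, E))  # burned once at manufacture

if __name__ == "__main__":
    print(boot(EFUSE, make_flash()))
    print(boot(EFUSE, {**make_flash(), "firmware": b"unsigned third-party image"}))
    print(boot(EFUSE, {**make_flash(), "uboot": b"U-BOOT verify=0"}))
    print(boot(EFUSE, {**make_flash(), "pubkey": key_blob(N + 2, E)}))
```

The four calls cover the shipped image, an unsigned next stage, a u-boot with verification switched off, and a substituted public key; each of the last three stops at a different link of the chain.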
  13. How will the FCC deal with the glibc DNS bug? by davecb · · Score: 5, Interesting

    The FCC's rule change makes the manufacturers responsible for compliance, not the owner/operator. How, then, will the vendors deal with the updates required by the glibc bug, http://linux.slashdot.org/stor...

    The vendors of anything that can't be reflashed by their users are now responsible to the FCC for any compliance-critical errors in their devices. A DNS hack can allow anyone to change to an illegal channel or use an illegal power level.

    Similarly, the vendors are at risk of being named in class-action suits for anyone whose router gets hacked through their negligence. Especially in the US, where suing people seems to be the national hobby (;-))

    Do you suppose some tiny Taiwanese firm can afford to do a recall like an auto manufacturer, and fix all their locked-down devices? Or be hauled into a US court without going broke? I suspect not...

    Locking down your products for the US market because "it's easy" may turn out to be a company-killing error.

    --dave

    --
    davecb@spamcop.net
    1. Re:How will the FCC deal with the glibc DNS bug? by jandrese · · Score: 2

      For what it is worth, very few consumer routers use glibc because it's too fat. Your point still stands that once a product is out of its usually narrow service window then it will become impossible to fix. Worse, the vendor supplied firmware is often of poor quality (limited feature set, insufficient NAT table, buggy, and sometimes even with remote security exploits) and the best way around that was to install OpenWRT or similar.

      --

      I read the internet for the articles.
  14. not as bad as it seems. by nimbius · · Score: 3, Informative

    tplink still makes quite a number of decent standalone wireless access points with injector capability. I've never used their AIO devices, but instead I've built a network at the office with a central gentoo router connected to a switch, and the AP's locked to vlans with an IDS sniffing the network. FWIW if you need alternatives, pc engines Geode based alix routers are great (AND include AES offload at the cpu level for true random number generator acceleration.)

    --
    Good people go to bed earlier.
  15. Re:Don't these routers have external memory? by AmiMoJo · · Score: 5, Insightful

    Isn't this a GPL violation? If any of the software they use is GPL v3 then they can't tivoize it in this way.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  16. Re:Don't these routers have external memory? by JonathanP.Bennett · · Score: 4, Interesting

    This is a very good point. The question is, is any of the stock firmware covered by GPLv3? Linux kernel is GPLv2, which does not have the tivoization clause.

  17. No external antenna, one ethernet port by SuperBanana · · Score: 2

    With only a PCB-trace antenna and one ethernet port, that is nearly useless.

  18. A drop in the bucket. by westlake · · Score: 2

    TP-Link is about to see their sales decline. Their cheap shit was eagerly consumed by DIY types putting openWRT on it and frankly you could do some interesting things with it.

    The TP-Link router is a mass market consumer product that retails for $20 and up when purchased from outlets like Amazon.com.

    The DIY market is microscopic and always has been.

  19. Re:In other news, TPLink sales implode by Microlith · · Score: 2

    You don't have to compile the thing. They produce a large number of pre-built images ready to go for a large number of routers.