TP-Link Begins Lockdown of Firmware In Response To FCC

An anonymous reader writes: In response to an FCC rule that requires manufacturers to lock down computing devices (routers, PCs, phones) to prevent modification if they have a "modular wireless radio," TP-Link has begun locking down its routers to prevent firmware not signed by TP-Link from being installed. This essentially prevents open source OSs (OpenWRT, for example) from being used on routers. TP-Link may not be a prestige brand, exactly, but the company makes a lot of routers suitable for installing third-party firmware, precisely the sort of thing being locked down makes difficult if not impossible.

WOW

[andydread]

So this is the end of open source firmware on basically any device with a radio

Re:WOW

[mrchaotica]

I am conflicted. The same thing is happening on PC's with secure boot. It is arguable that this raises the bar for security but the down side is the fact that we lose some control over the devices we have.

What's there to be "conflicted" about? In all of these cases, the "security" is "security AGAINST THE OWNER OF THE DEVICE," a.k.a. tyranny. It is unambiguously bad!

Re:WOW

So this is the end of open source firmware on basically any device with a radio

As has already been well discussed, the FCC already specifically clarified that the only thing they have an issue with is the ability to use firmware to change the radio in a way that would go outside of allowable ranges, for example the ability to jack up the transmit power beyond what is legal for such a device.

TP-Link is simply taking the lazy option, which doesn't really shock me considering they named their company "Toilet Paper - Link".

Re: WOW

[bill_mcgonigle]

Another side is that, like an immunization, you are protecting the herd by making your system harder to crack

No, stock firmware on consumer-grade hardware is unambiguously lowest-bidder buggy trash. Open-source replacement firmware is remarkably more secure. Secure bootloading insecure crap is just putting lipstick on the pig.

Besides, the FCC said this wasn't their intent. We thought they were lying, so either they still are or now TPLink is. A shame, since I've been buying their gear lately for OpenWRT deployments, despite their annoying VLAN assignments. I can't see why they'd want to chase away customers, so I'll guess it's the FCC that's still lying.

Open source gives the people too much power for a totalitarian regime to tolerate. Open source crypto is being attacked in parallel - neither can be allowed to exist without a regime change.

Re: WOW

[Gr8Apes]

I can't see why they'd want to chase away customers, so I'll guess it's the FCC that's still lying.

That's an incorrect presumption. It's not that they want to chase away customers, it's that to hit that checkmark to be able to sell hardware, they need to lock down the radio. Easiest cheapest way for them to do so? Lock the entire item down, or source a more expensive separate radio controller. I guess we know which way they went.

WRTNode

[lazarus]

I don't have first hand experience with it, but if you are an aspiring OpenWRT hacker then you might want to look into WRTNode. Using third party proprietary hardware is always fraught with peril anyway.

Except...

Except the FCC has repeatedly stated time and time again they have no intent of hurting third party open source firmware and they're solely focused on the radio component not causing interference. They even recently modified these rules to appease people worried about this:

http://arstechnica.com/information-technology/2015/11/fcc-we-arent-banning-dd-wrt-on-wi-fi-routers/

So I have a sneaking suspicion this support employee has no damn idea what they're actually talking about.

Re:Except...

[internerdj]

Frankly, the easiest way to comply is just to lock everything down. It doesn't really matter how much the FCC bends over backwards to accommodate third party open source firmware. The ruling made it harder to make a business case for letting the end user change the firmware. Someone was bound to comply this way, probably a lot of someones.

Oh well

[siuengr]

Glad I already returned my TP-Link and bought an Asus. I had the C9 Archer and it was terribly unstable. I guess TP-Link will be falling into obscurity again.

This isn't very new for TP-Link

[operator_error]

The last few routers I've bought for family and friends have been TP-Link, and of course I immediately flash them all with OpenWRT. The last two routers I bought had firmware from October that was locked down, just like TFA makes note of. I wasn't pleased with the google effort and time required to get to where I wanted to go.

As I recall, first I had to find a sort of neutral flashing dd-wrt firmware from early last year, that was possible to be flashed by TP-Link's firmware. Then, since TP-Link's October's firmware was useless, I had to flash the router with a much older version of their firmware, making the unit an April TP-Link router. Once I got that far, I was able to flash to OpenWRT as planned.

I'm happy with the units price and performance under OpenWRT, however I will look to other vendors from now on. Of course I must also blame the FCC, which sort of hurts because lately the FCC has been making a lot of good calls for its actual constituents, (while ignoring its paid-for lobbyists).

How wlll the FCC deal with the glibc DNS bug?

[davecb]

The FCC's rule change makes the manufacturers responsible for compliance, not the owner/operator. How, then, will the vendors deal with the updates required by the glibc bug, http://linux.slashdot.org/stor...

The vendors of anything that can't be reflashed by their users are now responsible to the FCC for any compliance-critical errors in their devices. A DNS hack can can allow anyone to change to an illegal channel or use an illegal power level.

Similarly, the vendors are at risk of being named in class-action suits for anyone whose router gets hacked through their negligence. Especially in the US, where suing people seems to be the national hobby (;-))

Do you suppose some tiny Taiwanese firm can afford to do a recall like an auto manufacturer, and fix all their locked-down devices? Or be haulded into a US court without going broke? I suspect not...

Locking down your products for the US market because "it's easy" may turn out to be a company-killing error.

--dave

Re:Don't these routers have external memory?

[AmiMoJo]

Isn't this a GPL violation? If any of the software they use is GPL v3 then they can't tivoize it in this way.

Re:Don't these routers have external memory?

[JonathanP.Bennett]

This is a very good point. The question is, is any of the stock firmware covered by GPLv3? Linux kernel is GPLv2, which does not have the tivoization clause.

Re:Congratulations

[NotInHere]

The FCC aren't enforcing it, yes, and I agree that it was not their goal. Still the impact of their decision remains the same.

You can run apps on Android devices. That's the single reason why android devices have separation, even though separation costs more in manufacturing. For routers, separation just isn't an option economically.

If the FCC had cared, it would have required separation, or just left the state as it was, but they didn't do either.