New FCC Rules Could Ban WiFi Router Firmware Modification 242
An anonymous reader writes: Hackaday reports that the FCC is introducing new rules which ban firmware modifications for the radio systems in WiFi routers and other wireless devices operating in the 5 GHz range. The vast majority of routers are manufactured as System on Chip devices, with the radio module and CPU integrated in a single package. The new rules have the potential to effectively ban the installation of proven Open Source firmware on any WiFi router.
ThinkPenguin, the EFF, FSF, Software Freedom Law Center, Software Freedom Conservancy, OpenWRT, LibreCMC, Qualcomm, and others have created the SaveWiFi campaign, providing instructions on how to submit a formal complaint to the FCC regarding this proposed rule. The comment period is closing on September 8, 2015. Leave a comment for the FCC.
ThinkPenguin, the EFF, FSF, Software Freedom Law Center, Software Freedom Conservancy, OpenWRT, LibreCMC, Qualcomm, and others have created the SaveWiFi campaign, providing instructions on how to submit a formal complaint to the FCC regarding this proposed rule. The comment period is closing on September 8, 2015. Leave a comment for the FCC.
Apple can't modify Time Machine Firmware? (Score:2)
Boy, that is going to work well, now, won't it.
Re:Apple can't modify Time Machine Firmware? (Score:5, Insightful)
I was just thinking that. This is so broad as to be unusable.
And mature products like DD-WRT are what make consumer-grade routers fly. It's pretty much the only reason I'll buy an ASUS, because the stock firmware doesn't have the feature set needed for latency sensitive hardware.
Re:Apple can't: Hackers will ! (Score:2)
Guaranteed.
Re:Apple can't modify Time Machine Firmware? (Score:5, Insightful)
Not to mention that DD-WRT is often the only way to make a security upgrade of an older router.
The corner case that the FCC want to address is not worth the risk increase that may leave a lot of devices insecure because they have issues that haven't been discovered today.
My comment to the FCC regarding several security (Score:5, Informative)
I submitted a comment to the FCC outlining several significant security concerns regarding the proposed rule.
Based on 18 years of professional experience in network security, in both the private sector and government, the proposed rule causes significant concern for information security posture. There are three primary reasons. The legitimate goals of the FCC could be achieved in an alternate manner which does not cause the same widespread security vulnerabilities, by instead requiring that output power levels and any other critical parameters be limited to legal levels by a separate chip. This approach would be far superior to effectively banning proper security practice for the ENTIRE operating system and all utilities on the device, as the current proposal does.
1
The proposed rule which requires that manufacturers disallow firmware updates (other than signed manufacturer updates, typically provided for only a very short time), makes it much more difficult to prevent incidents such as the $45 million loss at TJX and the Target breach. In both cases, the victim companies were initially targeted because insecure wifi devices were in use. To reduce future occurrences of such breaches, it is imperative to be able to update devices which use wireless networking. Especially when a vulnerability such as Shellshock is discovered, it is imperative that risks be mitigated immediately.
Updates provided by the manufacturer may at first seem to be a possible solution, but are not actually a viable solution for two reasons. Manufacturers generally do not provide long-term updates, updates for devices more than about one-two years old. In many cases, no updates are offered at all to handle issues after the date of sale. It is not reasonable to anticipate that organizations and families will replace their network gear every year or two - firmware updates are needed, including for devices which are a few years old. Perhaps ESPECIALLY for devices which are a few years old.
Secondly, updates from the manufacturer are not a viable solution for more sensitive government and private organizations due to the response time required. In the first 24 hours after the release of Shellshock, thousands of systems were compromised. For many networks, it is critically important to mitigate the threat during this initial time frame. Manufacturer full updates were not available for several days to several months, as we first discussed the best long term solution and that solution propagated downstream from the authors, to the subsystem maintainers, distribution maintainers, OEM repackagers, and finally out to customers after testing at each level. In the meantime, temporary MITIGATIONS were performed on-site by network engineers and security contractors. These vital mitigations which protected sensitive networks in the interim would be illegal and prevented by manufacturer locks under the proposed rule. In simple terms, the proposal makes it illegal to manufacturer equipment which can be _quickly_ protected against new threats to our cyber security.
2
Another reason that the proposed rule is problematic is that the manufacturer default firmware, with all available features designed to be as easily accessible as possible, is not appropriate for any environment in which security is a concern. A central tenet of information security, and security in general, is that the attack surface should be as small as possible - services not needed for a particular installation should not be installed and enabled. The only software which definitely cannot be exploited is software which is not installed or not enabled. Therefore, the most secure firmware tends to be that with as many features _removed_ as possible, with only those items required for the current role installed.
Manufacturer firmware does the exact opposite, for ease-of-use by ordinary consumers. All services which might be of use to any customer are installed, enabled, and wide open for
Wording is everything (Score:2)
If it's actually a ban against modifying the firmware does that prohibit outright replacing the firmware altogether?
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
Re: (Score:3, Informative)
Re:Apple can't modify Time Machine Firmware? (Score:5, Funny)
The article I read
You must be new around here. You'll learn.
Re: (Score:2)
And if the RF is baked in there's still a way around it for those that want to increase the power. I did a search on eBay and first item was a 6W amplifier. A bit further down a 30W... The latter might be good if you want to cook your neighbor.
Re: (Score:2)
Re: (Score:2)
The software logic can be modified via firmware. But the RF side of things must be baked in as I understand it.
No, it's not. Alternative firmwares frequently allow modifying both the transmit power and the channels, which can easily make your device operate illegally. The channels, for instance, are different in, say, the US and Japan; some channels that are legal to use in Japan are illegal in the US. With mfgr firmware, this isn't a problem because they lock that stuff out in the ones they ship to the
Smartphones... (Score:2)
Build your own router (Score:5, Interesting)
You can buy an ALIX or Soekris board with a case and wifi card, then install your favorite router distribution on it such as pfSense
Re:Build your own router (Score:5, Insightful)
Dammit. No mod points.
Yes, this is the answer. If commodity Wifi routers become lock boxes, make non-commodity non-firmware Wifi routers. The more you tighten your grip, FCC, the more general-purpose computing systems will slip through your fingers.
Re:Build your own router (Score:5, Insightful)
How do you figure? The wireless card would have its own licensed firmware operating the radio and thus be under the restrictions enforced...but the rest of the box would be managed by the general purpose operating system, which the FCC wouldn't be able to regulate under this rule. The GPOS would then manage what network traffic comes off and goes to the wireless card, but not handle the management of the card directly.
Re:Build your own router (Score:4, Insightful)
The components themselves are licensed and have passed FCC tests. The system will not be changing any operating parameters; it will keep the same frequencies, channel spacings and separations, power limits, etc. All the end user is doing is specifying how the device is being used.
Like Tomato? (Score:4, Insightful)
I have a advanced-consumer-level wifi router and I put Tomato on it long ago. Is that what they are talking about? What kind of rule can prevent you from installing software on computers you own? It seems like a violation of something fundamental to me.
Re:Like Tomato? (Score:5, Insightful)
As purely a WAG ... my guess is things which radiate are tested and approved according to some form of standard for interference and the like.
Putting on a new firmware could cause the device to operate outside of those parameters, and would therefore be a non-conforming device.
It's not saying you can't put software on something you own. It's saying putting something onto a device which broadcasts can make changes you didn't expect.
As I said, that's purely a WAG, but it seems like the kind of thing within their mandate.
Re: (Score:2)
There are existing rules for this. You can't modify firmware in order to increase radiated power beyond the limit (on commodity devices anyway). Many radios will not even allow this even if you do rewrite the controlling firmware. The problem is that these rules tend to creep and pretty soon they'll think that other parts of firmware should be left alone, after all changing firmware is something evil that only hackers know how to do... It won't help the issue that the router manufacturers will likely ba
Re:Like Tomato? (Score:5, Informative)
You joke, but from TFA:
In other words, this is something they've been doing for a very long time, and they are suddenly saying you can't modify things which impact transmitters. It's kind of the things the FCC has been doing for decades.
So while TFA says "yarg, teh open source and teh tinkering" ... in part it's the FCC reminding people there are long established rules in place for determining what you can do with a transmitting device.
If the Federal Rock Administration had been regulating rocks for 80 years, then your analogy might be bullshit.
But preventing making changes to a transmitting device is something they've been doing for a long time. It's not like they're newly asserting this authority, they're pointing out they've had it for decades.
Re:Like Tomato? (Score:5, Insightful)
The primary reason as I see it for this is that the HW manufacturers want it - they want to sell you a new $200 device to get a security update.
Re: (Score:2)
Wild Ass Guess.
Re:Like Tomato? (Score:5, Insightful)
Re: (Score:2)
Yes - that was my reading too. The Radio must operated within its class and originally licensed / tested parameters.
However - the basic software of the router can be modified. Those features that boost signal or change it beyond that allowed is what (will need) to be controlled.
My father is a Ham radio operator. His radio must stay within specs - and so must the Power lines outside. If a power line starts transmitting stray signals he calls the power company and they come to repair their equipment.
Those
Nope.FCC application form: "protected from dd-wrt" (Score:5, Informative)
That would be reasonable, perhaps, but it's not the approach the FCC is taking. The FCC instructions (linked below) require all applicants (manufacturers) to:
Describe in detail how the device is protected
from âoeflashingâ
and the installation of third-party firmware such as DD-WRT.
So indeed the rule they have proposed is to explicitly require that manufacturers prevent the installation of DD-WRT.
https://apps.fcc.gov/kdb/GetAt... [fcc.gov]
Re: (Score:2)
Perhaps it'
Re: (Score:2)
I agree with your assessment, but shouldn't the FCC then be going after the radios, not the rest of the board? If the radio is licensed for channels 1-11, it shouldn't be capable of operating on channel 13 at all (also legal in the EU, btw). That would still allow us to flash the firmware without allowing the illegal operation you're talking about.
Essentially, installing DD-WRT should still not let you enable channel 13 in the US, but it should still be possible to install DD-WRT.
Yeah, a separate chip to limit frequency and power (Score:2)
Indeed. In my long comment I submitted to the FCC, I mentioned that their legitimate purpose could be implemented by a rule requiring a separate chip which limits power and frequency, rather than prohibiting important updates to the OS or utilities.
Re: (Score:2)
Re:Like Tomato? (Score:5, Informative)
Re: (Score:2)
My understanding what that integrators who build custom firmwares for routers (and other devices with radios) DO NOT generally touch the radio firmware, which is usually obtained from the radio chipset manufacturer. It kind of makes sense that one would not want random people messing with the actual radio firmware for various reasons.
The only thing I've seen is when they may obtain a more recent firmware from the radio manufacturer which the router manufacturer has not include in an update.
Re: (Score:2)
but Money = Power so Money = Work/Money, or Money = (Work)^(1/2) so you have to work four times as hard to make twice as much money... ;)
Re: (Score:2)
Since when has common sense ever been fundamental? It's not even common.
Re: (Score:2)
Exactly!
Phones? (Score:2)
Re: (Score:2)
Re: (Score:2, Funny)
It's not "firmware updates" that's the problem, it's unauthorized firmware updates, as in not signed by the manufacturer, etc
In the words of the Prophet, "fuck that noise." It's an authorized firmware update. I , the lawful owner of this hardware, authorized it. Pencil-dick bureaucrats and corporate pigopolists have no say in the matter.
Ow my reading comprehension (Score:2, Informative)
Parsing legalese tends to cause me physical pain, but I decided to check the actual text rather than accept the summary.
So, here's the deal, any radio transmitter physically capable of operating in certain controlled bands has some complex and moderately convoluted limits applied to parts of those bands. This is about keeping those bands operating in the ways the FCC has approved. IFF your preferred Open Source software were to include those restrictions in its default behavior list, they'll be fine. If
Re: (Score:2)
Has there been a case where someone doing something illegal got off the hook for violating FCC limits because they were using a custom firmware solution and claimed ignorance?
Is this new law going to help reduce Wi-Fi congestion by a large enough magnitude that it justifies the restrictions of everyone in the market?
Re: (Score:2)
So phones are included? cyanogen/jailbreaking to be criminal now?
Re: (Score:2)
Translation (Score:3, Interesting)
We don't want you to be able to overwrite our back doors.
Umm... FCC SamKnows project uses hacked firmware! (Score:2)
Isn't this delicious irony? The FCC's own "SamKnows" broadband survey project uses Netgear routers with modified firmware so that they can "phone home" the benchmark data collected. This rule would invalidate their own survey project unless they hypocritically exclude it from the rule! "YOU can't modify the firmware of routers you own, but it's okay if WE do it."
(I know about this hacked firmware because I'm a project participant and have one of the hacked routers.)
Re: (Score:3)
Re: (Score:2)
I was already trying, but their stupid form is heavily scripted in a moronic way and won't allow pasting anything into the fields: if you paste anything - and I have a browser extension that lets me paste frequently used text - then it erroneously claims that the field is empty and won't allow you to proceed. Some Web coders need to be taken out back and shot in the head.
Re: (Score:2)
just paste, hit a key, then delete so that keystrokes are registered.
Re: (Score:2)
First thing I tried. Didn't work as expected.
Re: (Score:2)
and then edited
My guess is that they've got some onkey* event handler checking to see if you typed something in the blank, instead of using oninput which also fires for pasting.
This affects almost everybody (Score:2)
I use different firmware on my router, seeing as it's also has 2.4 and 5Ghz WiFi incorporated this would block my abilities to upgrade. This may be a duh statement but only after thinking a bit more on the subject, did I feel the pain.
just more rules from Fed.gov (Score:5, Funny)
That I'll happily ignore.
Re: (Score:2)
And if you can't get firmware upgrades from any legitmate source because that sort of thing is illegal now, what then?
Re: (Score:2)
Remember, when firmware mods are criminalized, only criminals will have firmware mods. Or however that phrase goes.
What a great opportunity for vendors to bake in spyware, adware, who knows what. Nah, they'd never do that, right?
Re: (Score:2)
That I'll happily ignore.
Exactly...if we spent all of our time trying to comply with every Federal regulation and law, we'd never have time to set foot outside our own homes.
This is just another batch of far-reaching laws that will be totally ignored...until they need to screw over someone in particular that they can't get by any other means. Then suddenly, "Oh look, you've violated Firmware Integrity Law #25342.11z, that'll be $10,000 and 5 years in jail."
Just remember (Score:3)
At least this has something to do with electromagnetic spectrum, but only tangentially: They're still claiming the ability to rule over hardware and software, as opposed to merely effects that are detectable over the air.
they don't ban installation of open source (Score:3, Informative)
It simply requires the hardware to be designed such that if you install open source, you cannot modify the radio to use frequency bands and powers that it is not supposed to use.
And this is easy to do. Just put in settings to limit power and lock out bands and make those settings irreversible until a full system reset. Then make the bootloader set those settings before running the installed OS.
Then the OS can be open source.
It would be absolutely fantastic if people would be rational about tech news. Tech people/netizens are starting to sound like my grandfather now. Every change is something to be feared. OBAMA IS GOING TO TAKE YOUR GUNS! The people running the FCC are people, just like you. They aren't demons or out to get you. Try to work with other people you haven't met instead of exhibiting xenophobia.
Re: (Score:2)
Re: (Score:2)
OBAMA IS GOING TO TAKE YOUR GUNS!
Just you wait! /s
It'll happen soon!
Any day now!
Re: (Score:2)
Don't forget the FCC doesn't set the rules for the rest of the world's Wi-Fi. Many of the designs are sold overseas and the OS is what locks out improper use of the radio by region. Take 802.11G channels for instance -- USA allows channels 1 - 11. Most of the rest of the world allows channels 1-13. The USA technically allows channels 12 and 13 on low-power devices, but all Wi-Fi routers in the US restrict those just to be sure they don't overlap Channel 14 -- b/c interfering with CH 14 is strictly fo
No, you don't have to add a bios chip (Score:3)
You're wrong.
The parameters can be set by the bootloader and a digitally signed. There is no need to make 3 different chips for 3 different units. Just put the parameters in a payload with the target serial number then digitally sign it.
Then in secure code (either in ROM or loaded from flash by a ROM and checked before running) you load those parameters into the radio before proceeding.
This would add no cost (or trivial at best). All you need is an unchangeable unique ID. Everything else can be in the exist
Re:they don't ban installation of open source (Score:4, Insightful)
I don't think that this does what you think it does. The FCC, in an advisory document, specifically mentions the DD-WRT OS. From Software Security Requirements for U-NII Devices: [fcc.gov]
What prevents third parties from loading non-US versions of the software/firmware on the device? Describe in detail how the device is protected from “flashing” and the installation of third-party firmware such as DD-WRT.
The FCC is trying, with this rule, to prevent any modification to future devices. From the same document:
An applicant must describe the overall security measures and systems that ensure that:
The description of the software must address the following questions in the operational description for the device and clearly demonstrate how the device meets the security requirement.
The same document also suggests that there be strong security between the regulated device and the manufacturer's website to verify installed software. How does this not eliminate the use of Tomato or OpenWRT? If you expect to use one of the alternate firmware on future devices, this proposed rule will absolutely affect your ability to do so.
Re: (Score:2)
With the amount of fearmongering that goes on in the media, it would be great if people would be rational about ALL news. With that said, I can't help but think that in some cases the reason that the proposed regulation isn't as bad as people fear is because the fearful raise some reasonable objections and the government scales back the scope of the new regulations. Therefore, a little paranoia (and more importantly, voicing you
Re: (Score:3)
It simply requires the hardware to be designed such that if you install open source, you cannot modify the radio to use frequency bands and powers that it is not supposed to use. And this is easy to do. Just put in settings to limit power and lock out bands and make those settings irreversible until a full system reset. Then make the bootloader set those settings before running the installed OS. Then the OS can be open source.
From the FCC docs:
An applicant must describe the overall security measures and systems that ensure that:
Add that all up, and the easiest, cheapest way for device manufacturers to comply would be by implementing a cryptographically signed firmware image, and checks at boot time to make sure the image has the correct signature. Even che
Good luck enforcing that, FCC (Score:2)
Re: (Score:2, Informative)
Actually, no.
Almost every embedded SoC - from the most expensive Altera down to Atmel's pinhead-sized ATTiny-13 BGA package - comes with security fuses for exactly this purpose. By writing 1 to fuse bits in the code, upon upload it can be made to physically destroy the debug interface, the flash memory's writeability, and/or a few other things used by the in-house hackers (engineers) to develop a product before rendering it "final" when it's shipped out to the hostile world. Yes, our beloved hobbyist micros
Re: (Score:3)
At worst, hardware manufacturers will make the WiFi portion of the device untouchable from the rest of the firmware, or perhaps requiring signed binary firmware for the WiFi transmitter.
It would be a nice compromise position, but the one of the FCC Documents, [fcc.gov] in describing the reporting requirements, specifically asks how the device prevents loading "third-party firmware, such as DD-WRT."
Licencing, and the new "SDR" (Score:2)
I don't think the FCC is arguing that they don't want people's own distribution running along side a WiFi device, but rather, a
Stop the panic! The headline is click bait. (Score:2)
The FCC regs linked in the summary above:
Re: (Score:2)
Read again. The rules in your own quote require that "the device is not easily modified to operate with RF parameters outside of the authorization". That doesn't prohibit modifying the device with such parameters, this prohibits having devices that are even able to be modified, and a device that is merely able to be modified, period, is able to be modified with such parameters.
Furthermore, #1 says they must ensure that only properly authenticated software is loaded. It doesn't say "they have to ensure pr
Re: (Score:2)
That actual term is "properly authenticated software". That doesn't mean the firmware can't be modified. It means a method must exist that authenticate the firmware executed on the device. You are implying that it means no modification is allowed, but the FCC purposely waved their
So...now what? (Score:2)
So...is the FCC's Firmware Compliance Strike Team is going to kick down my door, shoot my dog, and audit my router's firmware?
Ha ha, the joke is on them- I don't even have a dog!
This is a real threat (Score:5, Informative)
The PDF explicitly mentions DD-WRT as an example of what should not be permitted:
Third-Party Access
Control
1. Explain if any third parties have the capability to operate a US sold device on any
other regulatory domain, frequencies, or in any manner that is in violation of the
certification.
2. What prevents third parties from loading non-US versions of the
software/firmware on the device? Describe in detail how the device is protected
from “flashing” and the installation of third-party firmware such as DD-WRT.
Wrote a comment.
Re: (Score:3)
Gah! I posted so I can't mod you up! This is reeeaallly important!
It's the second attachment [fcc.gov] in the FCC link in the summary. Page 2.
What prevents third parties from loading non-US versions of the software/firmware on the device? Describe in detail how the device is protected
from “flashing” and the installation of third-party firmware such as DD-WRT.
I work for a fortune 500 company and we use DD-WRT on the routers in our labs. They will definitely hear from me!
Re: (Score:3)
5GHz frequencies you are allowed to TX is very complicated, just check the table on https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:2)
Many routers and devices ship by default with support for many different country configurations. The end user can then configure which country it is for. This may not be so common with home based devices but we definitely ship products that can be configured for the wrong country by the customer.
Separate the functions of routing and wireless (Score:2)
Would this have any impact on SDR? (Score:2)
I have been curious about SDR (Software Defined Radio) for a few weeks now, but haven't had time to really look into it. Would this rule have any impact on SDR?
NSA enabled... permanently (Score:3, Insightful)
Gee-whiz, cui bono?
Stallman was 100% right.
Don't use a Wifi Router FFS! (Score:2)
The people who write RF management code are not security experts.
People who write router code may be.
But the composition of the two into one box is guaranteed to lead to unintended consequences.
Get APs to put on your wired network and a router to connect to the outside world. Putting both in one box has been an ongoing security disaster for a decade.
I thought radio firmwares aren't usually altered (Score:2)
As far as I understand, integrators who build custom firmwares for wifi routers do not alter the actual radio firmware, which they usually obtain from the manufacturer and integrate into their builds.
There is good reason why you would not want random people hacking the radio firmware.
Extended comment period (Score:2)
The comment period is actually open until sometime in October, but promptly entering your comments is more likely to be effective (call now before you forget). The FCC has responded to mass commenting before on the net neutrality issue - it's time to do it again before the FCC lays us all open to having wireless devices with massive security failures that we can't fix ourselves.
FCC helping sister agency (NSA) (Score:3, Interesting)
Linksys made a modder version (Score:3)
Some certainly don't care for it.
On the other hand, the "wrt" in dd-wrt and openwrt refers to the WRT-54 line of routers from Linksys. It was the first one that had widely available third-party firmware.
When Linksys changed their internal architecture to use less expensive parts, they also starting selling a special modder version which retained dd-wrt compatible internals. So that's one example of _catering_ to people who choose open firmware.
On a related note in a different industry, Roomba did the same.
Comment system down for a whole WEEK (Score:3)
I noticed when I put in my comments that the deadline has been extended by about a month, but still, I put a comment in before the FCC took their system down for a WEEK for a software upgrade. That in itself ought to be an indication of how wrong-headed this regulation is - even the FCC can't write software that doesn't fail and require modification in the field. This regulation will effectively freeze development of wireless routers and other wireless devices that are key to Internet security and ensure that these devices are full of unfixable software defects that when discovered, make these products immediately and irreversably worthless. Not that any of these routers and devices are actually unfixable or irreversably damaged, but they are effectively so, because manufacturers often take no obligation to repair broken software in products that have expired warranties. Unfortunately, it's the nature of these software defects that the entire manufactured base of product become 100% defective all at once upon the discovery of a critical software security defect - that's world's away from the kind of random, slowly developing defects that result in poorly manufactured hardware. For example, all of my twenty or so personally owned routers would have needed to have been thrown away and replaced when "Heartbleed" was uncovered, and again when "Shellshock" was uncovered, except that they were all running open software for which fixes were provided by the open source community. If I had to rely on the kindness of profit-seeking router manufacturers, they'd all be in the garbage bin, so that I could "shell-out" for new routers. Others have written that millions of devices will never be fixed because of effectively abandoned support of these devices: http://www.technologyreview.co... [technologyreview.com] ..or have exposed long-standing vulnerabilties left unfixed: https://www.mocana.com/blog/20... [mocana.com]
This one-week downtime is unfortunate, because the news may be forgotten by this community by the time the FCC restores the ability to provide comments online. Someone needs to ping slashdot back in a week when the FCC restores service, or else this ill-considered proposal may become part of established regulation.
Re: (Score:2)
I imagine a similar revolt will take place after the new rules take effect.
Actually as hard as it may seem, the Net Neutrality act (FCC) made it easier to root, not to unlock a phone.
Unlocking a phone is now pretty much a gimme, I use a Trac phone and just read of the deal they made with the FCC, and a new software update to make unlocking possible.
Re:or else what, exactly? (Score:5, Insightful)
No, they want the routers to ship with CPU Trusted mode turned on. Without access to the private key you won't be able to load WRT.
This a security nightmare since you will now be dependent on router manufacturers for issuing security updates and remotely loading them into your router. We all know how well that has gone in the past.
I also believe that to date the FCC has received zero actually complaints about someone illegally modify current routers. So in attempting to address this imagined problem the FCC is going to enlarge a gigantic real problem (ie unpatched routers).
Consumer Private Key (Score:5, Interesting)
Re:Consumer Private Key (Score:4, Funny)
To update the firmware, you should be required to insert a Windows '95 floppy boot disk containing firmware.bin and flash.com, then press the reset button.
Seriously though: wouldn't a simple switch be sufficient?
Re: (Score:3)
And what would your USB-drive private key solution solve?
You're completely missing the point. The problem isn't "hackers" remotely logging into routers and doing nefarious things; what they want to prevent is YOU modifying your own router.
Re: (Score:2)
All they would have to do is what they do with cell phones. The radio would have it's own realtime OS that controls the radio that would be separate from the main OS driving the device.
Re:or else what, exactly? (Score:5, Insightful)
I also believe that to date the FCC has received zero actually complaints about someone illegally modify current routers. So in attempting to address this imagined problem the FCC is going to enlarge a gigantic real problem (ie unpatched routers).
There's the clue to "follow the money." If this isn't a real problem, it's likely legislation that's been written by some big company whose profit model is threatened by open source. Look for the sponsors to be Cisco or Belkin, someone who would benefit by selling you replacement hardware if their old hardware gets hacked.
And that suggests a potential cure.
If this is to go forward, it needs to come with a big safety, hacking, and consumer safety clause, something like "Due to the restrictive nature of this rule, the vendors of devices subject to these restrictions must offer a free 20 year warranty repair or replacement of any device found to have a flaw in either the hardware or the software included with the device, including any flaws that expose the device to unauthorized access or use. This replacement must include free shipping of the replacement part, free return shipping of the failing device, and free on-site installation of the replacement device. If repairs can be made via software update, the manufacturer may opt to update all affected machines remotely. All such repairs must be completed within one month of the FCC being made aware of the flaw. This free service must be extended for 20 years from the date of the device registration with the FCC. Any company who dissolves or reorganizes before the 20 year span expires will automatically transfer the liability for free replacements to the majority acquirer of their assets. Non-compliance with this law will result in fines to the manufacturers and distributors of these devices equal to twice the retail purchase price at the date of the sale of the first device multiplied by the quantity of devices manufactured, with the fines to be disbursed equally to customers who physically present the device to an authorized FCC representative, and the FCC."
If they still want this law when it includes a poison pill like this, then we'll all be cheering for bugs to be found every month so we can get another "router check" from them.
Re: (Score:2)
No, they're requiring the manufacturers to put secure bootloaders on their devices, so you can't load your DD-WRT firmware unless it's been cryptographically signed, which you can't do because you don't have the correct private key to do so.
This doesn't mean it'll be impossible to load an alternative firmware, but it'll make it orders of magnitude more difficult (and likely require using a JTAG debugger to do so).
Re:or else what, exactly? (Score:5, Insightful)
We couldn't get the rape, hate crime and murder charges to stick... But you're going down for updating your WiFi!
Justice Has Been Served !!!!
Re: (Score:3)
Re: (Score:2)
Translation: "I don't like a certain group of people. Even though they aren't breaking any laws, mother government MAKE THEM STOP!! WAAHHHHH MOMMY!!!!"
While I certainly agree that those guys are a bunch of jaggers, they're also mostly harmless losers who don't hurt anything. If you can't tell the difference between those jokers and a real cop, get out of the gene pool. You know what I hate, though, for real? Assholes who want the government to "whack" people who are not breaking the law but merely mild
Re: (Score:3)
IF uncle charlie has actually started earning his money I'll be very happy.
I was reduced to putting a pin through a dudes coax. He was running a 1kW linear on the cheapest tweaked for power CB base station he could get for free off craigslist. We could not only hear him on the TV, Radio and phone but on the god damn microwave oven.
Repeated complaints to the FCC were ignored and I was forced to fix it myself.
Re: (Score:2)
The legislative boat already sailed, in 1934, with the passage of the Communications Act of 1934, that both created the FCC and specifically authorized it to craft regulations to do exactly what they are doing with this without further action by Congress. Congress has further amended the Communications Act over the years, one of the largest amendments being in 1996. Congress, by power vested in our elected representatives and with the approval of the President (in 1934, that was of course FDR; in 1996, it
Re: (Score:2)
However the commercial software often unlocks those channels as well, if you configure it to be for a different country. The router maker can't be held liable for this, it's customer error. However the router maker can be required to disallow certain configurations (never exceed a certain radiated power) or arbitrary configurations (let the user pick channel spacing).