
New FCC Rules Could Ban WiFi Router Firmware Modification

An anonymous reader writes: Hackaday reports that the FCC is introducing new rules which ban firmware modifications for the radio systems in WiFi routers and other wireless devices operating in the 5 GHz range. The vast majority of routers are manufactured as System on Chip devices, with the radio module and CPU integrated in a single package. The new rules have the potential to effectively ban the installation of proven Open Source firmware on any WiFi router.

ThinkPenguin, the EFF, FSF, Software Freedom Law Center, Software Freedom Conservancy, OpenWRT, LibreCMC, Qualcomm, and others have created the SaveWiFi campaign, providing instructions on how to submit a formal complaint to the FCC regarding this proposed rule. The comment period is closing on September 8, 2015. Leave a comment for the FCC.
This discussion has been archived. No new comments can be posted.

  • Boy, that is going to work well, now, won't it.

    • by Wrexs0ul ( 515885 ) <mmeier@@@racknine...com> on Wednesday September 02, 2015 @12:17PM (#50444547) Homepage

      I was just thinking that. This is so broad as to be unusable.

      And mature products like DD-WRT are what make consumer-grade routers fly. It's pretty much the only reason I'll buy an ASUS, because the stock firmware doesn't have the feature set needed for latency sensitive hardware.

      • by Z00L00K ( 682162 ) on Wednesday September 02, 2015 @01:20PM (#50445099) Homepage

        Not to mention that DD-WRT is often the only way to make a security upgrade of an older router.

        The corner case that the FCC wants to address is not worth the risk increase that may leave a lot of devices insecure because they have issues that haven't been discovered today.

        • by raymorris ( 2726007 ) on Wednesday September 02, 2015 @03:54PM (#50446215) Journal

          I submitted a comment to the FCC outlining several significant security concerns regarding the proposed rule.

          Based on 18 years of professional experience in network security, in both the private sector and government, the proposed rule causes significant concern for information security posture. There are three primary reasons. The legitimate goals of the FCC could be achieved in an alternate manner which does not cause the same widespread security vulnerabilities, by instead requiring that output power levels and any other critical parameters be limited to legal levels by a separate chip. This approach would be far superior to effectively banning proper security practice for the ENTIRE operating system and all utilities on the device, as the current proposal does.

          1

          The proposed rule which requires that manufacturers disallow firmware updates (other than signed manufacturer updates, typically provided for only a very short time), makes it much more difficult to prevent incidents such as the $45 million loss at TJX and the Target breach. In both cases, the victim companies were initially targeted because insecure wifi devices were in use. To reduce future occurrences of such breaches, it is imperative to be able to update devices which use wireless networking. Especially when a vulnerability such as Shellshock is discovered, it is imperative that risks be mitigated immediately.

          Updates provided by the manufacturer may at first seem to be a possible solution, but are not actually a viable solution for two reasons. Manufacturers generally do not provide long-term updates, updates for devices more than about one-two years old. In many cases, no updates are offered at all to handle issues after the date of sale. It is not reasonable to anticipate that organizations and families will replace their network gear every year or two - firmware updates are needed, including for devices which are a few years old. Perhaps ESPECIALLY for devices which are a few years old.

          Secondly, updates from the manufacturer are not a viable solution for more sensitive government and private organizations due to the response time required. In the first 24 hours after the release of Shellshock, thousands of systems were compromised. For many networks, it is critically important to mitigate the threat during this initial time frame. Manufacturer full updates were not available for several days to several months, as we first discussed the best long term solution and that solution propagated downstream from the authors, to the subsystem maintainers, distribution maintainers, OEM repackagers, and finally out to customers after testing at each level. In the meantime, temporary MITIGATIONS were performed on-site by network engineers and security contractors. These vital mitigations which protected sensitive networks in the interim would be illegal and prevented by manufacturer locks under the proposed rule. In simple terms, the proposal makes it illegal to manufacture equipment which can be _quickly_ protected against new threats to our cyber security.

          2

          Another reason that the proposed rule is problematic is that the manufacturer default firmware, with all available features designed to be as easily accessible as possible, is not appropriate for any environment in which security is a concern. A central tenet of information security, and security in general, is that the attack surface should be as small as possible - services not needed for a particular installation should not be installed and enabled. The only software which definitely cannot be exploited is software which is not installed or not enabled. Therefore, the most secure firmware tends to be that with as many features _removed_ as possible, with only those items required for the current role installed.

          Manufacturer firmware does the exact opposite, for ease-of-use by ordinary consumers. All services which might be of use to any customer are installed, enabled, and wide open for

      • If it's actually a ban against modifying the firmware does that prohibit outright replacing the firmware altogether?

    • The software logic can be modified via firmware. But the RF side of things must be baked in as I understand it. So if there's a WiFi bug, depending on where in the OSI layer it affected, (closer to the hardware for example), the device might have to be recalled and shredded and replaced with a newer product rev.

      • by Megane ( 129182 )
        Um, that's the problem here. The FCC wants the non-RF side of things to be "baked in" now, too. Or at least protected by the secure bootloader type shit that you see in cell phones. If it's got 5GHz, too bad, they can't have you installing custom firmware, even when the radio itself has sufficient protections.
        • Layer 1, maybe 2 would be baked in. But Layer 3, if that can't be modified, that's a major major problem. Meaning, if Apple isn't allowed to have the firmware updated for post-sales support on a routing bug, that's very bad news. That is to say, might as well make it all ROM based storage.

          I suppose they could make updates in the form of console-like cartridges; swap em out. YUCK!

        • Re: (Score:3, Informative)

          by Gr8Apes ( 679165 )
          The restriction seems to be the RF portion only: "and would affect the operating parameters of frequency range, modulation type or maximum output power". So if the firmware doesn't affect any of those 3 items, you're not subject to this.
      • by Z00L00K ( 682162 )

        And if the RF is baked in there's still a way around it for those that want to increase the power. I did a search on eBay and first item was a 6W amplifier. A bit further down a 30W... The latter might be good if you want to cook your neighbor.

        • by TWX ( 665546 )
          And that's already generally against the rules. CB radios aren't supposed to be over 5W as they're for local communications, but routinely people will increase the power and use collinear arrays for increased gain.
      • The software logic can be modified via firmware. But the RF side of things must be baked in as I understand it.

        No, it's not. Alternative firmwares frequently allow modifying both the transmit power and the channels, which can easily make your device operate illegally. The channels, for instance, are different in, say, the US and Japan; some channels that are legal to use in Japan are illegal in the US. With mfgr firmware, this isn't a problem because they lock that stuff out in the ones they ship to the

    • This appears to apply to all software installed on something that is licensed by the FCC... so what about third party software on smartphones? This proposed rule seems to give the FCC certification holder all the power to decide what is or is not legally allowed on their devices.
  • by Anonymous Coward on Wednesday September 02, 2015 @12:17PM (#50444543)

    You can buy an ALIX or Soekris board with a case and wifi card, then install your favorite router distribution on it such as pfSense

    • by idontgno ( 624372 ) on Wednesday September 02, 2015 @12:47PM (#50444807) Journal

      Dammit. No mod points.

      Yes, this is the answer. If commodity Wifi routers become lock boxes, make non-commodity non-firmware Wifi routers. The more you tighten your grip, FCC, the more general-purpose computing systems will slip through your fingers.

  • Like Tomato? (Score:4, Insightful)

    by CauseBy ( 3029989 ) on Wednesday September 02, 2015 @12:18PM (#50444553)

    I have an advanced-consumer-level wifi router and I put Tomato on it long ago. Is that what they are talking about? What kind of rule can prevent you from installing software on computers you own? It seems like a violation of something fundamental to me.

    • Re:Like Tomato? (Score:5, Insightful)

      by gstoddart ( 321705 ) on Wednesday September 02, 2015 @12:26PM (#50444621) Homepage

      As purely a WAG ... my guess is things which radiate are tested and approved according to some form of standard for interference and the like.

      Putting on a new firmware could cause the device to operate outside of those parameters, and would therefore be a non-conforming device.

      It's not saying you can't put software on something you own. It's saying putting something onto a device which broadcasts can make changes you didn't expect.

      As I said, that's purely a WAG, but it seems like the kind of thing within their mandate.

      • There are existing rules for this. You can't modify firmware in order to increase radiated power beyond the limit (on commodity devices anyway). Many radios will not even allow this even if you do rewrite the controlling firmware. The problem is that these rules tend to creep and pretty soon they'll think that other parts of firmware should be left alone, after all changing firmware is something evil that only hackers know how to do... It won't help the issue that the router manufacturers will likely ba

    • Re:Like Tomato? (Score:5, Insightful)

      by The MAZZTer ( 911996 ) <megazzt&gmail,com> on Wednesday September 02, 2015 @12:43PM (#50444771) Homepage
      Only the RADIO firmware has to be intact. In theory you can still modify whatever else you want. But the fear here is that companies may take the path of least resistance to meet compliance, which may result in all the router software getting locked down, instead of that specific piece of it.
      • Yes - that was my reading too. The Radio must operate within its class and originally licensed / tested parameters.

        However - the basic software of the router can be modified. Those features that boost signal or change it beyond that allowed is what (will need) to be controlled.

        My father is a Ham radio operator. His radio must stay within specs - and so must the Power lines outside. If a power line starts transmitting stray signals he calls the power company and they come to repair their equipment.

        Those

      • by raymorris ( 2726007 ) on Wednesday September 02, 2015 @02:16PM (#50445531) Journal

        That would be reasonable, perhaps, but it's not the approach the FCC is taking. The FCC instructions (linked below) require all applicants (manufacturers) to:

              Describe in detail how the device is protected from “flashing” and the installation of third-party firmware such as DD-WRT.

        So indeed the rule they have proposed is to explicitly require that manufacturers prevent the installation of DD-WRT.

        https://apps.fcc.gov/kdb/GetAt... [fcc.gov]

        • by tlhIngan ( 30335 )

          That would be reasonable, perhaps, but it's not the approach the FCC is taking. The FCC instructions (linked below) require all applicants (manufacturers) to:

          Describe in detail how the device is protected from “flashing” and the installation of third-party firmware such as DD-WRT.

          So indeed the rule they have proposed is to explicitly require that manufacturers prevent the installation of DD-WRT.

          Perhaps it'

          • by jwdb ( 526327 )

            I agree with your assessment, but shouldn't the FCC then be going after the radios, not the rest of the board? If the radio is licensed for channels 1-11, it shouldn't be capable of operating on channel 13 at all (also legal in the EU, btw). That would still allow us to flash the firmware without allowing the illegal operation you're talking about.

            Essentially, installing DD-WRT should still not let you enable channel 13 in the US, but it should still be possible to install DD-WRT.

        • None of the major manufacturers are happy about people installing third-party firmware on their hardware, or make it easy to do so. It is only possible because dedicated developers and hobbyists spent countless hours painstakingly reverse-engineering the hardware. All these rules are likely to do is kill the pre-installed third-party-firmware market.
    • Re:Like Tomato? (Score:5, Informative)

      by jimbolauski ( 882977 ) on Wednesday September 02, 2015 @01:08PM (#50444991) Journal
      The restrictions are only for the 5GHz band. The reason is 5GHz is supposed to use dynamic frequency selection and transmit power control; this is to avoid interfering with weather radar and allow more people to play nice together. They just don't want Dorothy to get hit by a tornado because someone is crapping all over that frequency. They are using a cannon to kill a fly when all they have to do is require that any firmware follow DFS and TPC on 5GHz routers.
      • My understanding was that integrators who build custom firmwares for routers (and other devices with radios) DO NOT generally touch the radio firmware, which is usually obtained from the radio chipset manufacturer. It kind of makes sense that one would not want random people messing with the actual radio firmware for various reasons.

        The only thing I've seen is when they may obtain a more recent firmware from the radio manufacturer which the router manufacturer has not included in an update.

      • but Money = Power so Money = Work/Money, or Money = (Work)^(1/2) so you have to work four times as hard to make twice as much money... ;)

  • My phone can act as a WiFi router. Does that mean no more firmware updates allowed for my phone?
    • by Megane ( 129182 )
      It's not "firmware updates" that's the problem, it's unauthorized firmware updates, as in not signed by the manufacturer, etc. So your carrier won't upgrade you past Jelly Bean, fuck you, no CyanogenMod. Although it seems the FCC is primarily going after routers with 5GHz WiFi right now, so no DD-WRT or Tomato to replace the manufacturer firmware, no matter how many security holes it had.
      • Re: (Score:2, Funny)

        by Anonymous Coward

        It's not "firmware updates" that's the problem, it's unauthorized firmware updates, as in not signed by the manufacturer, etc

        In the words of the Prophet, "fuck that noise." It's an authorized firmware update. I, the lawful owner of this hardware, authorized it. Pencil-dick bureaucrats and corporate pigopolists have no say in the matter.

  • by Anonymous Coward

    Parsing legalese tends to cause me physical pain, but I decided to check the actual text rather than accept the summary.

    So, here's the deal, any radio transmitter physically capable of operating in certain controlled bands has some complex and moderately convoluted limits applied to parts of those bands. This is about keeping those bands operating in the ways the FCC has approved. IFF your preferred Open Source software were to include those restrictions in its default behavior list, they'll be fine. If

    • If the act of operating outside of normal bands is already illegal then how does making a law with more restrictions to an already illegal act provide any extra law enforcement ability?
      Has there been a case where someone doing something illegal got off the hook for violating FCC limits because they were using a custom firmware solution and claimed ignorance?
      Is this new law going to help reduce Wi-Fi congestion by a large enough magnitude that it justifies the restrictions of everyone in the market?
    • So phones are included? cyanogen/jailbreaking to be criminal now?

    • Now think about how wifi equipment manufacturers are going to actually enforce this. Are they going to check if the firmware you're trying to load follows the rules? No, because they can't magically do that. They're just going to only allow you to update to a manufacturer-signed firmware.
  • Translation (Score:3, Interesting)

    by Anonymous Coward on Wednesday September 02, 2015 @12:27PM (#50444631)

    We don't want you to be able to overwrite our back doors.

  • Isn't this delicious irony? The FCC's own "SamKnows" broadband survey project uses Netgear routers with modified firmware so that they can "phone home" the benchmark data collected. This rule would invalidate their own survey project unless they hypocritically exclude it from the rule! "YOU can't modify the firmware of routers you own, but it's okay if WE do it."

    (I know about this hacked firmware because I'm a project participant and have one of the hacked routers.)

    • This sounds like the perfect sort of thing to include in a comment to them, so they know just how bad of an idea making the rule change would be. I encourage you to submit it, if you haven't already.
      • by macraig ( 621737 )

        I was already trying, but their stupid form is heavily scripted in a moronic way and won't allow pasting anything into the fields: if you paste anything - and I have a browser extension that lets me paste frequently used text - then it erroneously claims that the field is empty and won't allow you to proceed. Some Web coders need to be taken out back and shot in the head.

        • just paste, hit a key, then delete so that keystrokes are registered.

  • I use different firmware on my router, seeing as it also has 2.4 and 5GHz WiFi incorporated this would block my abilities to upgrade. This may be a duh statement but only after thinking a bit more on the subject, did I feel the pain.

  • by Indy1 ( 99447 ) <spamtrap@fuckedregime.com> on Wednesday September 02, 2015 @12:35PM (#50444699) Homepage

    That I'll happily ignore.

    • And if you can't get firmware upgrades from any legitimate source because that sort of thing is illegal now, what then?

      • Remember, when firmware mods are criminalized, only criminals will have firmware mods. Or however that phrase goes.

        What a great opportunity for vendors to bake in spyware, adware, who knows what. Nah, they'd never do that, right?

    • That I'll happily ignore.

      Exactly...if we spent all of our time trying to comply with every Federal regulation and law, we'd never have time to set foot outside our own homes.

      This is just another batch of far-reaching laws that will be totally ignored...until they need to screw over someone in particular that they can't get by any other means. Then suddenly, "Oh look, you've violated Firmware Integrity Law #25342.11z, that'll be $10,000 and 5 years in jail."

  • by diamondmagic ( 877411 ) on Wednesday September 02, 2015 @12:35PM (#50444701) Homepage

    At least this has something to do with electromagnetic spectrum, but only tangentially: They're still claiming the ability to rule over hardware and software, as opposed to merely effects that are detectable over the air.

  • by YesIAmAScript ( 886271 ) on Wednesday September 02, 2015 @12:38PM (#50444725)

    It simply requires the hardware to be designed such that if you install open source, you cannot modify the radio to use frequency bands and powers that it is not supposed to use.

    And this is easy to do. Just put in settings to limit power and lock out bands and make those settings irreversible until a full system reset. Then make the bootloader set those settings before running the installed OS.

    Then the OS can be open source.

    It would be absolutely fantastic if people would be rational about tech news. Tech people/netizens are starting to sound like my grandfather now. Every change is something to be feared. OBAMA IS GOING TO TAKE YOUR GUNS! The people running the FCC are people, just like you. They aren't demons or out to get you. Try to work with other people you haven't met instead of exhibiting xenophobia.

    • The FSF seems to be taking this seriously.
    • by dywolf ( 2673597 )

      OBAMA IS GOING TO TAKE YOUR GUNS!

      Just you wait!
      It'll happen soon!
      Any day now! /s

    • by Ramze ( 640788 )

      Don't forget the FCC doesn't set the rules for the rest of the world's Wi-Fi. Many of the designs are sold overseas and the OS is what locks out improper use of the radio by region. Take 802.11G channels for instance -- USA allows channels 1 - 11. Most of the rest of the world allows channels 1-13. The USA technically allows channels 12 and 13 on low-power devices, but all Wi-Fi routers in the US restrict those just to be sure they don't overlap Channel 14 -- b/c interfering with CH 14 is strictly fo

      • You're wrong.

        The parameters can be set by the bootloader and digitally signed. There is no need to make 3 different chips for 3 different units. Just put the parameters in a payload with the target serial number then digitally sign it.

        Then in secure code (either in ROM or loaded from flash by a ROM and checked before running) you load those parameters into the radio before proceeding.

        This would add no cost (or trivial at best). All you need is an unchangeable unique ID. Everything else can be in the exist
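The design described in the two comments above (a boot stage that loads the radio limits and locks them until a full reset, with the limits delivered as a signed payload bound to the unit's serial number), modelled in Go as an added example; it is not code from any commenter, vendor or the FCC. The `Radio` type, the 11-byte payload layout, the choice of Ed25519, the all-zero demo key seed and the sample limits are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// RFLimits is the per-unit regulatory envelope (hypothetical 11-byte wire layout).
type RFLimits struct {
	Serial      uint64 // unchangeable unique ID the payload is bound to
	ChannelMask uint16 // bit n-1 set means 2.4 GHz channel n may be used
	MaxTxDBm    uint8  // transmit power ceiling
}

var (
	ErrBadSig    = errors.New("limits payload not signed by vendor key")
	ErrWrongUnit = errors.New("limits payload bound to a different serial")
	ErrLocked    = errors.New("limit registers locked until reset")
	ErrUnlocked  = errors.New("radio disabled: limits were never locked")
	ErrChannel   = errors.New("channel outside locked mask")
)

// Radio models the radio block; its limit registers are write-once per boot.
type Radio struct {
	Serial uint64
	limits RFLimits
	locked bool
}

// Reset models a full system reset, the only thing that clears the lock.
func (r *Radio) Reset() { r.limits, r.locked = RFLimits{}, false }

// LoadAndLock writes the limit registers and makes them read-only until Reset.
func (r *Radio) LoadAndLock(l RFLimits) error {
	if r.locked {
		return ErrLocked
	}
	r.limits, r.locked = l, true
	return nil
}

// Tune is all the installed OS gets; power above the ceiling is clamped.
func (r *Radio) Tune(channel int, txDBm uint8) (uint8, error) {
	if !r.locked {
		return 0, ErrUnlocked // no verified limits, no transmission
	}
	if channel < 1 || channel > 14 || r.limits.ChannelMask&(1<<uint(channel-1)) == 0 {
		return 0, ErrChannel
	}
	if txDBm > r.limits.MaxTxDBm {
		txDBm = r.limits.MaxTxDBm
	}
	return txDBm, nil
}

// BootROM runs before any replaceable firmware: verify, bind to unit, load, lock.
func BootROM(r *Radio, vendor ed25519.PublicKey, payload, sig []byte) error {
	r.Reset()
	if len(payload) != 11 || !ed25519.Verify(vendor, payload, sig) {
		return ErrBadSig
	}
	l := RFLimits{binary.BigEndian.Uint64(payload[:8]), binary.BigEndian.Uint16(payload[8:10]), payload[10]}
	if l.Serial != r.Serial {
		return ErrWrongUnit // a payload issued for another unit cannot be replayed here
	}
	return r.LoadAndLock(l)
}

// DemoVendorKey derives a key pair from a constructed all-zero seed (demo only).
func DemoVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// SignLimits is the factory-side step: serialize and sign one unit's limits.
func SignLimits(priv ed25519.PrivateKey, l RFLimits) (payload, sig []byte) {
	payload = make([]byte, 11)
	binary.BigEndian.PutUint64(payload[:8], l.Serial)
	binary.BigEndian.PutUint16(payload[8:10], l.ChannelMask)
	payload[10] = l.MaxTxDBm
	return payload, ed25519.Sign(priv, payload)
}

func main() {
	pub, priv := DemoVendorKey()
	// Constructed sample limits: channels 1-11 (mask 0x07FF), 20 dBm ceiling.
	payload, sig := SignLimits(priv, RFLimits{Serial: 1001, ChannelMask: 0x07FF, MaxTxDBm: 20})
	r := &Radio{Serial: 1001}
	fmt.Println("boot:", BootROM(r, pub, payload, sig))
	_, err := r.Tune(13, 10) // replaceable OS asks for a masked-out channel
	fmt.Println("channel 13:", err)
	p, _ := r.Tune(6, 30) // replaceable OS asks for more than the ceiling
	fmt.Println("channel 6 applied dBm:", p)
	fmt.Println("rewrite limits:", r.LoadAndLock(RFLimits{ChannelMask: 0x3FFF, MaxTxDBm: 30}))
}
```

In this model only the limits payload is authenticated; the operating system that later calls `Tune` is never checked, which is the distinction the thread is arguing over.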

    • by bored_engineer ( 951004 ) on Wednesday September 02, 2015 @02:48PM (#50445789)

      I don't think that this does what you think it does. The FCC, in an advisory document, specifically mentions the DD-WRT OS. From Software Security Requirements for U-NII Devices: [fcc.gov]

      What prevents third parties from loading non-US versions of the software/firmware on the device? Describe in detail how the device is protected from “flashing” and the installation of third-party firmware such as DD-WRT.

      The FCC is trying, with this rule, to prevent any modification to future devices. From the same document:

      An applicant must describe the overall security measures and systems that ensure that:

      • 1. only properly authenticated software is loaded and operating the device; and
      • 2. the device is not easily modified to operate with RF parameters outside of the authorization.

      The description of the software must address the following questions in the operational description for the device and clearly demonstrate how the device meets the security requirement.

      The same document also suggests that there be strong security between the regulated device and the manufacturer's website to verify installed software. How does this not eliminate the use of Tomato or OpenWRT? If you expect to use one of the alternate firmware on future devices, this proposed rule will absolutely affect your ability to do so.

    • It would be absolutely fantastic if people would be rational about tech news.

      With the amount of fearmongering that goes on in the media, it would be great if people would be rational about ALL news. With that said, I can't help but think that in some cases the reason that the proposed regulation isn't as bad as people fear is because the fearful raise some reasonable objections and the government scales back the scope of the new regulations. Therefore, a little paranoia (and more importantly, voicing you

    • by crtreece ( 59298 )

      It simply requires the hardware to be designed such that if you install open source, you cannot modify the radio to use frequency bands and powers that it is not supposed to use. And this is easy to do. Just put in settings to limit power and lock out bands and make those settings irreversible until a full system reset. Then make the bootloader set those settings before running the installed OS. Then the OS can be open source.

      From the FCC docs:

      An applicant must describe the overall security measures and systems that ensure that:

      1. only properly authenticated software is loaded and operating the device; and
      2. the device is not easily modified to operate with RF parameters outside of the authorization.

      Add that all up, and the easiest, cheapest way for device manufacturers to comply would be by implementing a cryptographically signed firmware image, and checks at boot time to make sure the image has the correct signature. Even che

  • And how exactly are they going to enforce such a law? Any method manufacturers use to lock out 3rd party firmware can and will be circumvented. They're wasting time and taxpayer money on nonsense like this.
    • Re: (Score:2, Informative)

      by Anonymous Coward

      Actually, no.

      Almost every embedded SoC - from the most expensive Altera down to Atmel's pinhead-sized ATTiny-13 BGA package - comes with security fuses for exactly this purpose. By writing 1 to fuse bits in the code, upon upload it can be made to physically destroy the debug interface, the flash memory's writeability, and/or a few other things used by the in-house hackers (engineers) to develop a product before rendering it "final" when it's shipped out to the hostile world. Yes, our beloved hobbyist micros

  • I can see the logic here - the FCC regulates the airwaves by licensing the devices on them (*OR* licensing the operators, in the case of ham radio). The rule is, devices must be approved and may not be modified. (Those with ham licences can build and/or modify, because THEY are required to force the rules, whereas with a licensed device the device itself must "enforce the rules").

    I don't think the FCC is arguing that they don't want people's own distribution running along side a WiFi device, but rather, a

  • The FCC regs linked in the summary above:

    An applicant must describe the overall security measures and systems that ensure that:

    1. only properly authenticated software is loaded and operating the device; and

    2. the device is not easily modified to operate with RF parameters outside of the authorization. The description of the software must address the following questions in the operational description for the device and clearly demonstrate how the device meets the security requirements. While the Commission

    • by Jiro ( 131519 )

      Read again. The rules in your own quote require that "the device is not easily modified to operate with RF parameters outside of the authorization". That doesn't prohibit modifying the device with such parameters, this prohibits having devices that are even able to be modified, and a device that is merely able to be modified, period, is able to be modified with such parameters.

      Furthermore, #1 says they must ensure that only properly authenticated software is loaded. It doesn't say "they have to ensure pr

      • That doesn't prohibit modifying the device with such parameters, this prohibits having devices that are even able to be modified, and a device that is merely able to be modified, period, is able to be modified with such parameters.

        That actual term is "properly authenticated software". That doesn't mean the firmware can't be modified. It means a method must exist that authenticates the firmware executed on the device. You are implying that it means no modification is allowed, but the FCC purposely waved their

  • So...is the FCC's Firmware Compliance Strike Team going to kick down my door, shoot my dog, and audit my router's firmware?

    Ha ha, the joke is on them- I don't even have a dog!

  • by Wiseleo ( 15092 ) on Wednesday September 02, 2015 @01:19PM (#50445089) Homepage

    The PDF explicitly mentions DD-WRT as an example of what should not be permitted:

    Third-Party Access Control
    1. Explain if any third parties have the capability to operate a US sold device on any other regulatory domain, frequencies, or in any manner that is in violation of the certification.
    2. What prevents third parties from loading non-US versions of the software/firmware on the device? Describe in detail how the device is protected from “flashing” and the installation of third-party firmware such as DD-WRT.

    Wrote a comment.

    • by MobyDisk ( 75490 )

      Gah! I posted so I can't mod you up! This is reeeaallly important!
      It's the second attachment [fcc.gov] in the FCC link in the summary. Page 2.

      What prevents third parties from loading non-US versions of the software/firmware on the device? Describe in detail how the device is protected from “flashing” and the installation of third-party firmware such as DD-WRT.

      I work for a fortune 500 company and we use DD-WRT on the routers in our labs. They will definitely hear from me!

    • It's because it's easy to install a new firmware (ddwrt or tomato), set your country as JP and use channel 13 for instance at full power, they want to prevent things like this.
      5GHz frequencies you are allowed to TX is very complicated, just check the table on https://en.wikipedia.org/wiki/... [wikipedia.org]
    • Many routers and devices ship by default with support for many different country configurations. The end user can then configure which country it is for. This may not be so common with home based devices but we definitely ship products that can be configured for the wrong country by the customer.

  • This is easily solved by using a separate router and Wifi AP.
  • I have been curious about SDR (Software Defined Radio) for a few weeks now, but haven't had time to really look into it. Would this rule have any impact on SDR?

  • by e r ( 2847683 ) on Wednesday September 02, 2015 @02:05PM (#50445461)
    If this is enacted then that means only router manufacturers would be able/allowed to modify router firmware, right? That means that any security flaws or backdoors will be permanently in place with nothing the end-user can do about it.

    Gee-whiz, cui bono?

    Stallman was 100% right.
  • The people who write RF management code are not security experts.
    People who write router code may be.

    But the composition of the two into one box is guaranteed to lead to unintended consequences.

    Get APs to put on your wired network and a router to connect to the outside world. Putting both in one box has been an ongoing security disaster for a decade.

  • As far as I understand, integrators who build custom firmwares for wifi routers do not alter the actual radio firmware, which they usually obtain from the manufacturer and integrate into their builds.

    There is good reason why you would not want random people hacking the radio firmware.

  • The comment period is actually open until sometime in October, but promptly entering your comments is more likely to be effective (call now before you forget). The FCC has responded to mass commenting before on the net neutrality issue - it's time to do it again before the FCC lays us all open to having wireless devices with massive security failures that we can't fix ourselves.

  • by David G Jr ( 4246629 ) on Wednesday September 02, 2015 @05:34PM (#50446931)
    With the NSA hijacking shipments of routers and installing "special" firmware on them, wouldn't it be smart of them to have a fellow agency make a law that would stop you from undoing all their hard work? The NSA didn't go to all the trouble of hijacking that truck so you could install clean firmware. I'm surprised this hasn't been brought up in the comments yet. http://yro.slashdot.org/story/... [slashdot.org] http://tech.slashdot.org/story... [slashdot.org]
  • by raymorris ( 2726007 ) on Wednesday September 02, 2015 @06:30PM (#50447261) Journal

    Some certainly don't care for it.

    On the other hand, the "wrt" in dd-wrt and openwrt refers to the WRT-54 line of routers from Linksys. It was the first one that had widely available third-party firmware.

    When Linksys changed their internal architecture to use less expensive parts, they also started selling a special modder version which retained dd-wrt compatible internals. So that's one example of _catering_ to people who choose open firmware.

    On a related note in a different industry, Roomba did the same.

  • by craighansen ( 744648 ) on Wednesday September 02, 2015 @10:39PM (#50448553)

    I noticed when I put in my comments that the deadline has been extended by about a month, but still, I put a comment in before the FCC took their system down for a WEEK for a software upgrade. That in itself ought to be an indication of how wrong-headed this regulation is - even the FCC can't write software that doesn't fail and require modification in the field. This regulation will effectively freeze development of wireless routers and other wireless devices that are key to Internet security and ensure that these devices are full of unfixable software defects that, when discovered, make these products immediately and irreversibly worthless. Not that any of these routers and devices are actually unfixable or irreversibly damaged, but they are effectively so, because manufacturers often take no obligation to repair broken software in products that have expired warranties. Unfortunately, it's the nature of these software defects that the entire manufactured base of product becomes 100% defective all at once upon the discovery of a critical software security defect - that's worlds away from the kind of random, slowly developing defects that result in poorly manufactured hardware. For example, all of my twenty or so personally owned routers would have needed to have been thrown away and replaced when "Heartbleed" was uncovered, and again when "Shellshock" was uncovered, except that they were all running open software for which fixes were provided by the open source community. If I had to rely on the kindness of profit-seeking router manufacturers, they'd all be in the garbage bin, so that I could "shell-out" for new routers. Others have written that millions of devices will never be fixed because of effectively abandoned support of these devices: http://www.technologyreview.co... [technologyreview.com] ..or have exposed long-standing vulnerabilities left unfixed: https://www.mocana.com/blog/20... [mocana.com]

    This one-week downtime is unfortunate, because the news may be forgotten by this community by the time the FCC restores the ability to provide comments online. Someone needs to ping slashdot back in a week when the FCC restores service, or else this ill-considered proposal may become part of established regulation.
