The Federal Communications Commission on Nov. 12 offered reassurance that it's not trying to ban third-party router firmware in the wake of proposed rules that suggest otherwise.
In March, as part of the agency's effort to update its process for authorizing Unlicensed National Information Infrastructure (U-NII) radio devices, which operate in the 5GHz portion of the spectrum and include WiFi routers, the FCC sought to establish a framework for how it asks hardware vendors to comply with a software security rule adopted last year.
That rule requires hardware makers to implement security controls to ensure that "third parties are not able to reprogram the device to operate outside the [RF] parameters for which the device was certified."
While this falls squarely within the FCC's spectrum oversight responsibilities, it has alarmed those who use open source router firmware packages like DD-WRT, OpenWRT, or Tomato. Open source firmware can make routers more powerful and more useful, allowing users to implement functions that have been disabled or omitted by manufacturers. However, it could also be programmed in ways that would make routers interfere with wireless signals.
In this, software is no different from any other tool that can be misused. Yet the FCC is considering rules that would encourage manufacturers to limit that possibility.
Responding to concerns raised by the technical community, Julius Knapp, chief of the FCC's Office of Engineering & Technology, said on Thursday the agency has issued a revision of its proposed rules that aims to clarify the agency's focus on modifications that would make devices non-compliant.
"We were not [mandating wholesale blocking of open source firmware modifications], but we agree that the guidance we provide to manufacturers must be crystal-clear to avoid confusion," wrote Knapp.
Yet the issue goes beyond a contemplated security requirement. In July, the FCC proposed rules that would require makers' certified equipment to "implement well-defined measures to ensure that certified equipment is not capable of operating with RF-controlling software for which it has not been approved," in order to minimize the chance of unauthorized modification of the software that controls the radio-frequency parameters of the device.
Prominent technologists acknowledge that the FCC's rules need to be updated, but with an eye toward greater transparency and manufacturer responsibility. They point to the Volkswagen emissions scandal as an example of the consequences of lack of access to software source code.
In a letter submitted to the FCC website last month, Dave Täht, cofounder of the Bufferbloat Project, and Vinton Cerf, co-inventor of the Internet, argue that "rather than denying users the ability to make any changes to the router whatsoever, router vendors be required to open access to their code (especially code that controls RF parameters) to describe and document the safe operating bounds for the software defined radios within the Wi-Fi router."