Dr. Vint Cerf, the co-inventor of the Internet, and Dave Täht, co-founder of the Bufferbloat Project, along with more than 260 network and security experts, called on the FCC to reject an earlier proposal to ban users from installing open source firmware on their routers.
The group also put forward a plan that requires router makers to open source their firmware and offer much better support for updates, and for the FCC to hold them accountable under the threat of decertification.
Most routers aren't updated for very long, or if they are, the process is too slow, which leaves them open to attacks for months or even years on end. The security of such a critical piece of infrastructure needs to be taken much more seriously by the device makers.
“We can't afford to let any part of the Internet's infrastructure rot in place. We made this proposal because the wireless spectrum must not only be allocated responsibly, but also used responsibly. By requiring a bare minimum of openness in the technology at the edge of the Internet, we'll ensure that any mistakes or cheating are caught early and fixed fast,” said Dr. Vint Cerf, a co-inventor of the Internet and Senior Vice President and Chief Internet Evangelist at Google.
The first measure in the group's plan is a call for the FCC to demand that any vendor of software-defined radio (SDR), wireless, or Wi-Fi radio must make the firmware code public, so it can be audited and improved by anyone. This should allow vulnerabilities to be caught much earlier because more eyes are looking at the same piece of code.
The second part of the plan includes mandating that secure update mechanisms of these devices work at the time of shipment, and that the owner of the device should have ultimate control over the update process.
The third proposal is for the FCC to require all router makers to provide updates for at least five years for their devices, and those updates should arrive within 45 days of the vulnerabilities being disclosed to the public.
The fourth proposal deals with the accountability that's necessary to enforce all of these: if router makers don't comply, their devices should be decertified. In "severe cases," new products from the vendor at fault should not even be considered for certification.
Finally, in the fifth proposal, the group asked the FCC to eliminate any rules it might have that would be in conflict with the existence of open source software on routers, and to make it clear to router vendors that they are not required to ship only "binary blobs," as it was recently believed that the FCC would soon mandate.
“As the recent revelations about the 'Moon Worm,' 'DNSchanger,' and 'Misfortune Cookie' and now the Volkswagen scandal illustrate, secret, locked-down firmware represents a clear and present danger to the security of the Internet,” said Ted Lemon, recent Area Director at the IETF.
Lucian Armasu joined Tom’s Hardware in early 2014. He writes news stories on mobile, chipsets, security, privacy, and anything else that might be of interest to him from the technology world. Outside of Tom’s Hardware, he dreams of becoming an entrepreneur.