FCC Should Mandate Open Source Router Firmware And Fast Security Updates, Say Internet Experts

Dr. Vint Cerf, the co-inventor of the Internet, and Dave Täht, co-founder of the Bufferbloat Project, along with more than 260 network and security experts, called on the FCC to reject an earlier proposal to ban users from installing open source firmware on their routers.

The group also put forward a plan that requires router makers to open source their firmware and offer much better support for updates, and for the FCC to hold them accountable under the threat of decertification.

Most routers aren't updated for very long, or if they are, the process is too slow, which leaves them open to attacks for months or even years on end. The security of such critical piece of infrastructure needs to be taken much more seriously by the device makers.

“We can't afford to let any part of the Internet's infrastructure rot in place. We made this proposal because the wireless spectrum must not only be allocated responsibly, but also used responsibly. By requiring a bare minimum of openness in the technology at the edge of the Internet, we'll ensure that any mistakes or cheating are caught early and fixed fast," said Dr. Vint Cerf, a co-inventor of the Internet and Senior Vice President and Chief Internet Evangelist at Google.

The first measure in the group's plan is a call for the FCC to demand that any vendor of software-defined radio (SDR), wireless, or Wi-Fi radio must make the firmware code public, so it can be audited and improved by anyone. This should allow vulnerabilities to be caught much earlier because more eyes are looking at the same piece of code.

The second part of the plan includes mandating that secure update mechanisms of these devices work at the time of shipment, and that the owner of the device should have ultimate control over the update process.

The third proposal is for the FCC to require all router makers to provide updates for at least five years for their devices, and those updates should arrive within 45 days of the vulnerabilities being disclosed to the public.

The fourth proposal deals with the accountability that's necessary to enforce all of these. Therefore, if the router makers don't comply, their devices should be decertified. In "severe cases," new products from the vendor at fault should not even be considered for certification.

Finally, in the fifth proposal, the group asked the FCC to eliminate any rules it might have that would be in conflict with the existence of open source software on routers, as well as make it clear to router vendors that they are not required to ship only "binary blobs," as it was recently believed that the FCC would soon mandate.

“As the recent revelations about the 'Moon Worm,' 'DNSchanger,' and 'Misfortune Cookie' and now the Volkswagen scandal illustrate, secret, locked-down firmware represents a clear and present danger to the security of the Internet," said Ted Lemon, recent Area Director at the IETF.

______________________________________________________________________

Lucian Armasu joined Tom’s Hardware in early 2014. He writes news stories on mobile, chipsets, security, privacy, and anything else that might be of interest to him from the technology world. Outside of Tom’s Hardware, he dreams of becoming an entrepreneur.

You can follow him at @lucian_armasu. Follow us @tomshardware, on Facebook and on Google+.

See more Routers News

TOPICS

Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.

More about routers

Wi-Fi 6E versus Wi-Fi 7: Which type of router is a better buy?

MSI Roamii BE Lite Wi-Fi 7 mesh router review: Affordable dual-band with class-leading long-range performance

Sabrent's USB Type-C M.2 SSD Enclosure reduced to just $22 at Amazon

See more latest

14 Comments Comment from the forums

AcostaJA

I totally Agree, wrong position from FCC, hardware control is not a matter of secret, but responsibility, having OpenSource there is warranty on this software to be auditable and do whatever is supposed have to do AND NOTHING MORE .

FCC should then establish liability for those publishing open or closed source (as Volkswagen) Firmware doing unwanted or illegal things on regulated hardware.

On the other hands, IMHO both DD-WRT and OpenWRT are outdated, developing only support for new platforms and radios, but the OS and the User interface are too Outdated, DD-WRT community have years asking for integrated package manager, as well OpenWRT better interface.
Reply
DrakeFS

How about the FCC certifies the NOS rather than the hardware?

Since the FCC only cares about the radio, the NOS would only have to show that a user cannot modify the power settings for it.
Reply
Achoo22

Of course, nearly every router I've owned in the last five years (one cellular router, two from ISP, one Linksys) already used open source, GPL software. Of the bunch, only the Linksys adequately followed the terms of the GPL by making it known that I was free to inspect, modify, or distribute the software and showing me where I could find it in human-readable form. The FSF has a legal team that is supposed to work towards protecting GPL software, but I have lost all faith in them and all faith in most GPL projects to protect my work under the terms I have and do contribute. It is NOT OK for GPL software to settle with offenders to the benefit of the a current project leader; that is a perversion of the GPL and a huge betrayal for contributors that would've never become involved with a dual/multi-license system.
Reply
dgingeri

No. Mandating anything by government is a horrible idea. The government screws up everything they touch. They need to keep their noses out of this. If they even try this, routers will cost over $1000 in a matter of a year, and probably cut the usable bandwidth in half and need to reboot every few hours. Government = morons. Government = bad. Leave them out of this.

As far as people, the morons who buy routers that aren't kept secure by proper updates get what they deserve. I continue to buy small business routers that do have proper security and build Linux or Windows 2012r2 routing servers for people who want even better security. (All for much less than $1000, keep bandwidth at maximum, and don't need reboots, btw.) If people want better security, then they can pay for it. Those who just want cheap will continue to suffer. That's the way of things.
Reply
Kewlx25

If the government can't mandate a minimum quality, then customer should have a lemon law that they can invoke and easily sue companies for failing to provide basic support.

" the morons who buy routers that aren't kept secure by proper updates get what they deserve" - Blaming the victim ehh? Classic move.

You should go back in time a bit and seen the free market before government regulations. People would take young orphan child off the streets and force them to work. Child slave labor.

Of course it now sounds like you support child slave labor because you have a strict no-government intervention stance.
Reply
falchard

How about the FCC get out of the fucking way and let the best router emerge victorious with network engineers?
Reply
Mike_61

how about the fcc shut it's yap and leave us alone.
Reply
blazorthon

How about the FCC get out of the fucking way and let the best router emerge victorious with network engineers?

The market does not favor the best product. It favors what is more affordable. Betamax vs. VHS: VHS had inferior quality/length, but was cheaper. Guess which one became popular. Same thing happens almost every time with every other product competition.

The FCC has to step in when the companies are doing something wrong under the FCC's jurisdiction. That is literally what the FCC is there for. Fact is that the way the router manufacturers handle security problems in their bought products is putting their customers at significant risk and this is not something they will change unless they're given a reason to change.

Its one thing for the companies to not issue open source firmware for all of their products, but not fixing security vulnerabilities in reasonable amounts of time (if at all) is unacceptable.
Reply
dgingeri

16787712 said:
How about the FCC get out of the fucking way and let the best router emerge victorious with network engineers?

The market does not favor the best product. It favors what is more affordable. Betamax vs. VHS: VHS had inferior quality/length, but was cheaper. Guess which one became popular. Same thing happens almost every time with every other product competition.

The FCC has to step in when the companies are doing something wrong under the FCC's jurisdiction. That is literally what the FCC is there for. Fact is that the way the router manufacturers handle security problems in their bought products is putting their customers at significant risk and this is not something they will change unless they're given a reason to change.

Its one thing for the companies to not issue open source firmware for all of their products, but not fixing security vulnerabilities in reasonable amounts of time (if at all) is unacceptable.

You sound as if people don't have a choice in what they buy. They have a choice. They can research before buying. They can listen to experts. The problem is that most don't. They're too lazy to bother with it, or intentionally sacrifice security to get what's cheap. What is cheap is cheap because the manufacturers don't put the effort into it. If they were forced to put the effort into it, they'd have to spend more, and therefore charge more. People would hate it because they'd have to spend more money. There would be a lot more people who would just go without any firewall and connect directly to the internet again, and then things would be a lot worse.

Free markets regulate themselves, and people get what they pay for. Stupid and lazy people get bad stuff because they don't put effort into finding the right product, and then they learn and do better later. Without that, they'd never learn, and they'd stay stupid and keep buying crap, and the government would have to keep stepping in for them. That gives more and more power to the elite few and enslaves the rest of us. Keep the government out of it.
Reply
blazorthon

16788049 said:

You sound as if people don't have a choice in what they buy. They have a choice. They can research before buying. They can listen to experts. The problem is that most don't. They're too lazy to bother with it, or intentionally sacrifice security to get what's cheap. What is cheap is cheap because the manufacturers don't put the effort into it. If they were forced to put the effort into it, they'd have to spend more, and therefore charge more. People would hate it because they'd have to spend more money. There would be a lot more people who would just go without any firewall and connect directly to the internet again, and then things would be a lot worse.

Free markets regulate themselves, and people get what they pay for. Stupid and lazy people get bad stuff because they don't put effort into finding the right product, and then they learn and do better later. Without that, they'd never learn, and they'd stay stupid and keep buying crap, and the government would have to keep stepping in for them. That gives more and more power to the elite few and enslaves the rest of us. Keep the government out of it.

In what way does "people choose the more affordable product over the more expensive, yet superior product" translate to "people have no choice in what they buy"?

Yes, they can research routers before they buy. Unfortunately, most people won't understand what makes one router better than another even if they research it unless they pour weeks into learning how to quantify the differences. Furthermore, that has almost nothing to do with the article's purpose which is not about what routers are best, but about getting router companies to be more responsible about issuing effective and rapid updates to fix vulnerabilities as they are discovered. Now they also have to try to figure out which company is more likely to fix these problems in a timely manner.

Even your example of increased costs is false. Fixing the software needs to be done on high end models just as much as cheaper low end models. If they fix a high end model, then they can apply the same fix to a low end model, unless they're using two completely different systems for the two models which is in of itself a waste of time and money. Furthermore, buying a more expensive model doesn't mean you get the security updates that are in question, so the "you get what you pay for" argument doesn't apply anyway.

In no way whatsoever does the government telling these companies that they need to respond to threats to their customers "give more and more power to the elite few and enslave the rest of us." Completely free markets always regulate themselves in favor of exploiting the customer and the situation which the FCC is being asked to respond to is the result of such a free market that is supposedly regulating itself. Yes, too much regulation or improper regulation is bad and causes inefficiency.

However, complete lack of regulation is also bad. What happens if we don't regulate water quality? You end up drinking lead and mercury in your morning coffee. What happens if we don't regulate internet prices? You end up spending exponentially more money for inferior services because you don't have any choice other than garbage for premium prices, especially in rural areas. That's some great self-regulation in action. These are all things that happen right now in the USA. The FCC is trying to fix these problems because the markets will never stop exploiting the people until the markets are forced to do stop the exploitation. The only odd exceptions are things like Google Fiber and that's nowhere near enough to fix things at this point.
Reply