FCC Should Mandate Open Source Router Firmware And Fast Security Updates, Say Internet Experts

Dr. Vint Cerf, the co-inventor of the Internet, and Dave Täht, co-founder of the Bufferbloat Project, along with more than 260 network and security experts, called on the FCC to reject an earlier proposal to ban users from installing open source firmware on their routers.

The group also put forward a plan that requires router makers to open source their firmware and offer much better support for updates, and for the FCC to hold them accountable under the threat of decertification.

Most routers aren't updated for very long, or if they are, the process is too slow, which leaves them open to attacks for months or even years on end. The security of such a critical piece of infrastructure needs to be taken much more seriously by the device makers.

"We can't afford to let any part of the Internet's infrastructure rot in place. We made this proposal because the wireless spectrum must not only be allocated responsibly, but also used responsibly. By requiring a bare minimum of openness in the technology at the edge of the Internet, we'll ensure that any mistakes or cheating are caught early and fixed fast," said Dr. Vint Cerf, a co-inventor of the Internet and Senior Vice President and Chief Internet Evangelist at Google.

The first measure in the group's plan is a call for the FCC to demand that any vendor of software-defined radio (SDR), wireless, or Wi-Fi radio must make the firmware code public, so it can be audited and improved by anyone. This should allow vulnerabilities to be caught much earlier because more eyes are looking at the same piece of code.

The second part of the plan includes mandating that secure update mechanisms of these devices work at the time of shipment, and that the owner of the device should have ultimate control over the update process.

The third proposal is for the FCC to require all router makers to provide updates for at least five years for their devices, and those updates should arrive within 45 days of the vulnerabilities being disclosed to the public.

The fourth proposal deals with the accountability that's necessary to enforce all of these. Therefore, if the router makers don't comply, their devices should be decertified. In "severe cases," new products from the vendor at fault should not even be considered for certification.

Finally, in the fifth proposal, the group asked the FCC to eliminate any rules it might have that would be in conflict with the existence of open source software on routers, as well as make it clear to router vendors that they are not required to ship only "binary blobs," as it was recently believed that the FCC would soon mandate.

"As the recent revelations about the 'Moon Worm,' 'DNSchanger,' and 'Misfortune Cookie' and now the Volkswagen scandal illustrate, secret, locked-down firmware represents a clear and present danger to the security of the Internet," said Ted Lemon, recent Area Director at the IETF.

Lucian Armasu joined Tom’s Hardware in early 2014. He writes news stories on mobile, chipsets, security, privacy, and anything else that might be of interest to him from the technology world. Outside of Tom’s Hardware, he dreams of becoming an entrepreneur.


  • AcostaJA
    I totally agree; wrong position from the FCC. Hardware control is not a matter of secrecy but of responsibility; having open source there is a warranty that this software is auditable and does whatever it is supposed to do AND NOTHING MORE [PERIOD].

    FCC should then establish liability for those publishing open or closed source (as Volkswagen) Firmware doing unwanted or illegal things on regulated hardware.

    On the other hand, IMHO both DD-WRT and OpenWRT are outdated, developing only support for new platforms and radios, but the OS and the user interface are too outdated; the DD-WRT community has spent years asking for an integrated package manager, as well as a better interface for OpenWRT.
  • DrakeFS
    How about the FCC certifies the NOS rather than the hardware?

    Since the FCC only cares about the radio, the NOS would only have to show that a user cannot modify the power settings for it.
  • Achoo22
    Of course, nearly every router I've owned in the last five years (one cellular router, two from ISPs, one Linksys) already used open source, GPL software. Of the bunch, only the Linksys adequately followed the terms of the GPL by making it known that I was free to inspect, modify, or distribute the software and showing me where I could find it in human-readable form. The FSF has a legal team that is supposed to work towards protecting GPL software, but I have lost all faith in them and all faith in most GPL projects to protect my work under the terms I have contributed and do contribute. It is NOT OK for GPL software to settle with offenders to the benefit of a current project leader; that is a perversion of the GPL and a huge betrayal of contributors who would never have become involved with a dual/multi-license system.