Vint Cerf, co-inventor of the Internet, joined 260 other experts in response to a proposed plan by the American Federal Communications Commission (FCC) that will affect the security of home routers for years to come. The proposal, ET Docket No. 15170, would effectively try to limit what a Wi-Fi device could and could not do as far as how it operates in the Radio Frequency spectrum. We sometimes forget that all Wi-Fi devices (like home routers and the things that connect to them) are essentially radio transmitters and receivers and must abide by a set of rules or else chaos will ensue. The FCC, which is responsible for ensuring that all radio frequency devices can peacefully coexist, simply believes that their proposal will prevent overzealous router owners from disrupting other’s communications.
However, the respondents from the technical community see things differently. Most importantly, they say that the proposal as written would prohibit the use of third-party router firmware. People would no longer be able to run alternative firmware on their routers such as DD-WRT or Tomato. This would have the dual effect of limiting technological innovation as well as putting the security of people’s networks at risk.
The fact that the respondents chose to highlight home router security is quite interesting. They clearly see the current state of security for home routers to be lacking. They also recognize that many people choose a third-party firmware solution simply because they think that it will be more secure. If the FCC were to outlaw third-party firmware, then we are all stuck with buggy, security-poor stock router firmware that may never be fixed. This, they say, is unacceptable.
The response makes the following alternative recommendations for the FCC:
- Any vendor of software-defined radio (SDR), wireless, or Wi-Fi radio must make public the full and maintained source code for the device driver and radio firmware in order to maintain FCC compliance. The source code should be in a buildable, change-controlled source code repository on the Internet, available for review and improvement by all.
- The vendor must assure that secure update of firmware be working at time of shipment, and that update streams be under ultimate control of the owner of the equipment. Problems with compliance can then be fixed going forward by the person legally responsible for the router being in compliance.
- The vendor must supply a continuous stream of source and binary updates that must respond to regulatory transgressions and Common Vulnerability and Exposure reports (CVEs) within 45 days of disclosure, for the warranted lifetime of the product, or until five years after the last customer shipment, whichever is longer.
- Failure to comply with these regulations should result in FCC decertification of the existing product and, in severe cases, bar new products from that vendor from being considered for certification.
- Additionally, we ask the FCC to review and rescind any rules for anything that conflicts with open source best practices, produce unmaintainable hardware, or cause vendors to believe they must only ship undocumented “binary blobs” of compiled code or use lockdown mechanisms that forbid user patching. This is an ongoing problem for the Internet community committed to best practice change control and error correction on safety-critical systems.
As we read these recommendations two things immediately come to mind. First, these seem like a good set of rules to follow in order to achieve a better and more secure infrastructure. Second, the people writing these recommendation don’t know (or perhaps don’t care) how home router software actually gets written. Do they really think that router vendors follow good established software engineering practice such as being able to completely build their executable from scratch? Ha!! Think again. Not that it shouldn’t happen, but holding router vendors to this standard will cause a great deal of change in how consumer networking products are developed and delivered.
The experts concluded their letter by saying
The FCC should step back, and prepare rules to enhance the security, reliability and functionality of the routers that operate home and business networks. These rules should increase visibility into the source code that operates these routers, and encourage best software practices to create a better future for billions of Wi-Fi devices already deployed, and the billions to come, as well as a freer, faster, and safer Internet.
We wholeheartedly agree.