The FCC is currently inviting open comments on its plan to require router manufacturers to lock down device firmware as a means of ensuring that consumer devices can’t operate in certain frequency bands or at power levels that violate FCC guidelines. While these requirements are made to guarantee that limited spectrum is allocated fairly and in a manner that minimizes interference, many have raised concerns that locking down devices in this way will prevent open source firmware projects from continuing as well as hampering critical security research.
Now, a group of more than 250 researchers and developers, including the Internet’s grandpa, Vint Cerf, have sent the FCC a letter proposing an altogether different set of rules that would actually mandate open-source firmware while simultaneously protecting the FCCs original goals. There are multiple reasons, the letter argues, why open-source firmware updates are a necessary part of securing the Internet against attack.
The first problem is that existing router models are incredibly insecure. Hundreds of router models shipped insecure out-of-the-box and fundamental hacks continued to be found in devices that ship today. While it’s true that this is partly a problem of update policies (it’s relatively rare for consumers to update their router’s firmware), shipping locked-down firmware would prevent research into router bugs and hamper efforts to create secure networks. Today, open-source firmware like DD-WRT provides at least some additional security to users knowledgeable enough to seek it out. If the FCC stops allowing firmware updates, that route will close.
Second, the team points out that with IPv4 addresses now exhausted in the United States, IPv6 is going to be increasingly important to future deployments — but the state of IPv6 in default firmware and older devices varies enormously. Without the ability to perform checks and verify proper operation, scandals like VW — in which the regulatory bodies of the US and Europe were deliberately lied to and misled for over half a decade — become more likely. While a rash of improperly secured WRT54G routers isn’t going to ruin the air quality in the United States, being unable to perform certain kinds of evaluations and updates to business and some consumer hardware could expose critical information to corporate or inter-governmental espionage.
Paul Vixie, the CEO of computer security firm Farsight Security, told Motherboard about one recent router vulnerability that allowed hackers to redirect their victims’ internet traffic to an ad server under their control. “Now, most people may not care about who gets what advertising revenue,” Vixie said, ”but the fact that [traffic] can be redirected at scale for hundreds of thousands of victims means that people [may end up] going to a phishing site.”
The letter acknowledges the need to protect certain radio functions from tampering, but calls on the FCC to require that companies keep other areas of the router open and able to be modified as a means of protecting against these other problems. Whether the FCC will listen, or consider such changes, is still unclear.