No, The FCC Is Not (Intentionally) Trying To Kill Third-Party Wi-Fi Router Firmware

from the unintended-consequences dept

For a few months now a rumor has been circulating that the FCC is intentionally planning to ban third-party custom router firmware. Wi-Fi hobbyists (and people who just like a little more control over devices they own) have long used custom, open source firmware like DD-WRT or Open-WRT to bring some additional functionality to their devices, with the added bonus of replacing clunky router GUIs. Custom firmware is also handy in an age when companies like to force firmware upgrades that either eliminate useful functionality, or add cloud-features and phone-home mechanisms a user may not be comfortable with.

But at last July's BattleMesh 8 event, Wi-Fi enthusiasts noticed the clunky wording of an FCC NPRM (notice of proposed rulemaking) discussing the FCC's plan to modify the rules governing RF devices. The NPRM in question (pdf), like all NPRMs, is basically the FCC's way of fielding questions about potential rule changes. It's important to understand no rules have actually been passed yet before committing gadget-nerd seppuku.

It's also important to note the FCC's motivation here is primarily safety, not to be a bureaucratic hardware-enthusiast buzzkill factory. The FAA found some illegally modified equipment operating in the unlicensed bands was interfering with terrestrial doppler weather radar (TDWR) at airports, and pushed the FCC to update its rules governing radios accordingly. But with many routers having systems-on-a-chip (SOC) where the radio isn't fully distinguishable from other hardware, Wi-Fi hobbyists are worried that a ban on modifying a device's radio could result in a blanket ban on modifying the device:

"Like all government regulations, the law of unintended consequences rears its ugly head, and the proposed rules effectively ban Open Source router firmware. The rules require all relevant devices to implement software security to ensure the radios of devices operating in this band cannot be modified. Because of the economics of cheap routers, nearly every router is designed around a System on Chip – a CPU and radio in a single package. Banning the modification of one inevitably bans the modification of the other, and eliminates the possibility of installing proven Open Source firmware on any device.

And these concerns aren't entirely unjustified, thanks to a few troubling phrases buried in both the NPRM itself, and previous FCC guidance (pdf), which asks vendors questions like:

"What prevents third parties from loading non-US versions of the software/firmware on the device? Describe in detail how the device is protected from “flashing” and the installation of third-party firmware such as DD-WRT.

So yes, it's understandable that sloppy FCC engineer wording has some people nervous. But as folks like Stanford lawyer and software engineer Jonathan Mayer have noted, shitty wording during a conversation about potential rules does not automatically equate to shitty rules. Meanwhile, one needs to apply some common sense, and ask if an agency on a uncharacteristic pro-consumer tear -- fresh from a battle over one of the most important open platform fights of our time (net neutrality) -- would seriously think that banning all personal hardware freedom is a nifty follow up.

Curiously nobody seems to have asked the FCC what they think about all of this. So I asked, and the FCC offered me this admittedly clunky statement (note the underlined bit):

"(FCC rules) require that the devices must ensure that under all circumstances they comply with the rules. The majority of the devices have software that is used to control the functionality of the hardware for parameters which can be modified and in turn have an impact on the compliance of devices. Our rules do permit radios to be approved as Software Defined Radios (SDRs) where the compliance is ensured based on having secure software which cannot be modified. The (FCC's) position is that versions of this open source software can be used as long as they do not add the functionality to modify the underlying operating characteristics of the RF parameters. It depends on the manufacturer to provide us the information at the time of application on how such controls are implemented. We are looking for manufacturers of routers to take more responsibility to ensure that the devices cannot be easily modified."

So in essence the FCC is saying that third-party firmware is just fine, just as long as it's not pushing the radio outside of legally-mandated parameters and causing a safety hazard. I also talked a little bit about the FCC's plan with Public Knowledge lawyer and FCC wireless policy guru Harold Feld, who spends more time wading through FCC NPRMs and telecom policy wonkery than any expert I know. Feld agrees that killing custom firmware isn't the FCC's intentional goal. That said, he's also quick to note there's still reason for concern if the rules aren't crystal clear:

"This is, of course, why the FCC does notices of proposed rulemaking and seeks comment from the parties and affected stakeholders. Especially on technical engineering matters like this, it isn't a matter of something being baked already. The FCC is responding here to a real world issue: we had problems with illegally modified equipment interfering with terrestrial doppler weather radar (TDWR) at airports. Naturally the FAA freaked out, and the FCC responded to this actual real world concern.

But at the same time, we don't want the FCC to accidentally write rules that are over-broad or subject to misinterpretation by companies. The real concern here is not some government conspiracy to wipe out open source or mandate encryption. The real worry is that major chip manufacturers will respond by saying "the easiest thing for us to do is lock down all the middleware rather than worry about where to draw the line." That would potentially kill a lot of innovation and valuable uses."

The nifty part? This being an open conversation, the FCC is fielding comments on the proposed rule changes. And if you're a hardware owner looking to protect your right to modify devices you own, you can head here to comment on the NPRM at the FCC website. You can also file a comment in the Federal Register, but need to do so before midnight, September 8.

Update: It appears the FCC decided to begin Labor Day weekend backend system upgrades shortly after this story was posted, meaning their public comment system is offline until next week. Fortunately it appears that the comment deadline had previously been extended, and users concerned about the FCC's upcoming rules regarding third party open source firmware have until October 9 to make their voices heard.

Filed Under: dd-wrt, fcc, firmware, open-wrt, router, wifi