We Can’t Afford To Let Any Part Of The Internet Rot In Place

Over the last decade Wi-Fi devices have become tremendously popular. Unfortunately it seems the Federal Communications Commission (FCC) and its counterpart in the EU are becoming concerned that 3rd party software that controls the radio hardware may negatively impact interoperability with other applications using the same frequency bands, e.g. by increasing transmission power beyond the regulatory limits. As a result the FCC and the EU are proposing or have already implemented laws that require the hardware manufacturer of a device to ensure that only their radio software can be used in the device. The problem with that is that instead of 'only' locking down the radio software, manufacturers of Wi-Fi access points and other Wi-Fi devices such as smartphones might be tempted to use this as an excuse to lock-down the whole device thus making it potentially impossible in the future to use Wi-Fi routers with alternative software such as Open-WRT or smartphones with alternative Android derivates such as CyanogenMod.

While the EU has already published a directive to that end that shall come into effect in June 2016, but first needs to be implemented in national laws of the individual member states, the FCC is still in the comments phase of the process. One response, signed by pretty much everyone of the who-is-who in the Open Source community including Linus Torvalds and Internet luminaries such as Vint Cerf, is truly outstanding:

In their response, the authors explain the dire state of the Wi-Fi router market today that is only driven by price but not by quality and responsibility. This leads to hundreds of millions of devices in the field today that are insecure and pose a significant risk to their owners and the Internet as a whole.

To fix both the radio issue addressed by the FCC and the wider issue of software with grave security issues being abandoned by device manufacturers, the authors propose an alternative approach to the FCC's lock-down proposal:

1. Any vendor of software-defined radio (SDR), wireless, or Wi-Fi radio must make public the full and maintained source code for the device driver and radio firmware in order to maintain FCC compliance. The source code should be in a buildable, change-controlled source code repository on the Internet, available for review and improvement by all.

2. The vendor must assure that secure update of firmware be working at time of shipment, and that update streams be under ultimate control of the owner of the equipment. Problems with compliance can then be fixed going forward by the person legally responsible for the router being in compliance.

3. The vendor must supply a continuous stream of source and binary updates that must respond to regulatory transgressions and Common Vulnerability and Exposure reports (CVEs) within 45 days of disclosure, for the warranted lifetime of the product, or until five years after the last customer shipment, whichever is longer.

4. Failure to comply with these regulations should result in FCC decertification of the existing product and, in severe cases, bar new products from that vendor from being considered for certification.

5. Additionally, we ask the FCC to review and rescind any rules for anything that conflicts with open source best practices, produce unmaintainable hardware, or cause vendors to believe they must only ship undocumented “binary blobs” of compiled code or use lock down mechanisms that forbid user patching. This is an ongoing problem for the Internet community committed to best practice change control and error correction on safety-critical systems.

These are powerful proposals and I am delighted that the letter was signed by a huge number of well known and respected people in the industry. But not everyone will like the proposals and I can already see the marching orders for lobbyists of hardware manufacturers to fight this. While many manufacturers have an open source driver for their Wi-Fi hardware today, the software that runs on the Wi-Fi chip itself is usually closed source and only available as a binary blob. Having the source available of this part as well would be truly revolutionary. Requiring that the owner of the device must have ultimate control over the software update process (if he wishes so) is another strong requirement. This wouldn't prevent automatic updates for those who don't care but the ability to stay in control of what you own if you wish to do so.

The paper from which I have quoted the 5 proposals above is well worth a read. It is well written and explains in detail why the FCC should adopt the proposals above instead of what they have initially suggested. So let's see how visionary the FCC can be.

P.S.: The headline of this post is an abbreviation of a quote of Vint Cerf in a recent article on the topic in Businesswire:

"We can't afford to let any part of the Internet's infrastructure rot in place. We made this proposal because the wireless spectrum must not only be allocated responsibly, but also used responsibly. By requiring a bare minimum of openness in the technology at the edge of the Internet, we'll ensure that any mistakes or cheating are caught early and fixed fast"

P.P.S.: And for further background info about EU directive 2014/53/EU that has something similar like the FCC in mind have a look at Julia Reda's recent blog entry on the topic.