Many cheap WiFi routers are sold with the vendor firmware, but the most popular ones likely also support OpenWRT, which some users may prefer as it is much more customizable. However, this may soon become more difficult according to a talk at the upcoming “Wireless Battle of the Mesh” which will take place on August 3-8 in Maribor, Slovenia.
The talk scheduled for August 6 at 15:00 is entitled “openWRT vs. FCC – forced firmware lockdown?” and Simon Wunderlich, the speaker, provided the following abstract:
The new FCC rules are in effect in the United States from June 2nd 2015 for WiFi devices such as Access Points. They require to have the firmware locked down so End-Users can’t operate with non-compliant parameters (channels/frequencies, transmit power, DFS, …). In response, WiFi access point vendors start to lock down firmwares to prevent custom firmwares (such as OpenWRT) to be installed, using code signing, etc. Since the same type of devices are often sold world wide, this change does not only affect routers in the US, but also Europe, and this will also effect wireless communities.
We would like to discuss:
- What are your experiences with recently certified WiFi Hardware?
- How can we still keep OpenWRT on these devices?
- What can we suggest to Hardware vendors so that they keep their firmware open for community projects while still compliant with the FCC?
The rule in question is listed on the FCC website with the question “What are the software security requirements for non-SDR devices and what limitations apply to software configuration control for such devices?” and the critical part of the answer being “require all devices to implement software security to ensure that the devices operate as authorized and cannot be modified“.
It will be interesting to see how all this develops, and whether it will have some real consequences on the hackability of access points.
Thanks to Zoobab for the tip.
Jean-Luc started CNX Software in 2010 as a part-time endeavor, before quitting his job as a software engineering manager, and starting to write daily news, and reviews full time later in 2011.
Support CNX Software! Donate via cryptocurrencies, become a Patron on Patreon, or purchase goods on Amazon or Aliexpress
Seems to be same situation as bootloader lock in Android phones/tablets.
It’s something that GPLv2 allow. GPLv3 requires producers to allow to modify software in the device they sell.
Unfortunately, Linux is GPLv2 licensed. http://www.linuxtoday.com/developer/2010092000435OPKNMO
But if the include any GPLv3 software, like gzip, they can be sued if user is unable to modify firmware in device he/she bought. Maybe 🙂
Everyone in US starts to use Chinese devices which give a f%ck, and only a f%ck, about FCC rules? Rainbow WiFi campaign? Supreme Court gives a ruling, love wins again?
So am I to use the faulty stock ROMs of routers in the future? This seems very unreasonable to me. Currently I’m using a router from TP-Link which had Remote Management over HTTP only and other issues. Stock ROM? No thanks. DD-WRT was the way to go.
@anon It doesn’t matter where they’re made. Devices that don’t comply with FCC rules can’t be sold in the U.S.
Who are the FCC kidding? If Apple and Google have not been able to lock down their devices putting much investment trying to do so, why do they think that commodity hardware WiFi router vendors would be more successful? And even if they do lock the device, is the FCC going to demand the vendor to supply timely fixes for horrible security breaches they used to have in their boxes and will surely have going forward?
This is a clear case of an over-zealous federal agency acting against the good of the people, trying to fix a problem by creating a much bigger one.
When I am buying router i always check for openWrt compatibility. If its not there they can keep it. But i dont think this will be a big deal, vendor FW have some many backdoor so hacking it would be easy 😀
Good example is Ubiquiti products. Once so great products are now ruin by FCC. Anyhow if US wants give all wifi business to china it is fine for me also. Naturally china must make us export versions where firmwares are locked but nice thing at china manufacturing is that they usual make also clones for free marker.
Alternate solution – everyone go take the $15 test and get your Technician level amateur radio license.
The FCC is only wanting to control VERY SPECIFIC things, like transmission power and frequency. The FCC has zero interest in any other aspect of the devices. The FCC ONLY cares about the settings that have any (direct) impact on the RF transmissions.
Think how cell phones have the main app processor that runs iOS or Android or … -and- the base band processor that runs the cellular radio. The FCC wanting to lock down ONLY the cellular component, not the rest of the system.
This can very likely be accomplished by a binary driver for the RF portion of the equipment, NOT the rest of the software that provides all the other features.
This will end up being like running any PC with your distro of choice running HostAP (et al) talking to a wireless NIC driven by a binary driver. It is the binary driver that controls the pieces that the FCC cares about. Everything else on the system will be free to be changed as desired.
@Kelly
Kelly,
Even licensed HAMs will have to comply with FCC requirements. Lest you get the pink tickle.
Granted, under some situations licensed HAMs can receive (some) additional operating privileges. I believe that the only thing that -might- apply to licensed HAMs is _some_ additional operating power.
But as HAMs know, power is not everything. – In fact, as a licensed HAM, you are REQUIRED to use the minimum power necessary to reliably communicate.
73
KD0OBJ
If the firmware can be user-updated, then it can be user-modified. The FCC must be stoned if it thinks programmers can’t circumvent such a “lockdown”.
@Kelly
How would that solve anything?
But the producers get to self-certify compliance.
Technician license doesn’t let you play in the 2.4GHz unregulated band and doesn’t solve the problem in this article one whit. While the self-satisfaction of achieving the license is priceless, most of the equipment that would let you set up wifi equivalent in the amateur bands is way more expensive than consumer devices and not “stupid simple.”
@Isaac Rabinovitch
“Devices that don’t comply with FCC rules can’t be sold in the U.S.” In stores or US based retailers… people will buy things online. If you outlaw something, then people will find a way to break the “law” – Cuban cigars.
This issue is more than just a nusance for technical people. It’s an act of war against the people. If you put up with it they will come for you eventually. Arguably they already have. They’ve instuted many government programs (regardless of what tyou think of them) that have created taxes and those taxes are taken by any means necessarily including violant force. If you don’t agree stop contributing. Start participating in and funding rational projects that are fighting back.
The recent governments (ie all parties and terms of office) and the democratic system as a hole (not suggesting democracy is bad, just this system of it has failed) has shown its incapable of stopping these agreesions against the people. There is only one way out of this and it’s to step up to the plate. These are issues worth risking life and limb over. The government will use violence against us even if we do not use violence against them. That’s OK. We just need to be more careful.
The people need to organize taking aggressive non-violent action to disrupt government and economic interests in major ways. There are people beginning to do this. One of them is the Free State Project in New Hampshire: https://freestateproject.org/. While not directly aggressive many of its participants are involved in non-violent revolutionary action which is bringing tens of thousands of people to the state who desire liberty over all else. I’m moving and I hope you’ll join us. We need more technical people if we are going to defeat the oppression of our national governments.
Is this really that big of a problem? Surely adding unapproved antennas and external amplifiers is more problematic than this? Most consumer chipsets/designs are probably not even capable of exceeding the limits by very much if at all. Is there that much of a problem with interference on channels 12-14? Or is this just a handy way to keep factory firmware installed with government approved backdoors?
Those things are already limited, even with 3rd party firmware since people seem to not be able to figure out all that is going on in the wireless drivers, thus the FCC limits cannot be bypassed. The drivers for a WiFi radio are extremely complex and require a very specialized set of skills to understand, and that is when you have source code. Without it, it is nearly impossible to effectively modify the drivers. (For example, even firmware that allows for transmit power control, none of them allow you to go beyond 1000mw, even if the transmitter has a datasheet claiming to support it)
(PS, there are valid and legal reasons for wanting to transmit as more than 1 watt, for example, to combat certain line losses and inefficiencies in the signal path)
There are a few ways to “comply” with this: A unpopulated write-protect override header, making reflashes only possible via an unpopulated serial port or a socketed ROM chip.
@DrScriptt
What your suggesting is still extremely dangerous. Your taking away control from the user and opening up space to hide malicious features and other backdoors (which is something we know is going on as EVERY android device had malicious spyware hidden in those proprietary components). While its not impossible to sneak in malicious features in other ways it certainly makes it more difficult. None of what the FCC is suggesting is going to increase security. It’ll only have the opposite impact. Users should be able to upgrade router firmware and they shouldn’t be relying on whomever made the router. Companies do not care about security fixes and the like beyond what is utterly necessary (and even then) will leave there customers hanging.
@DrScriptt
Recent wifi drivers use “mac80211 framework” https://en.wikipedia.org/wiki/Wireless_network_interface_controller#FullMAC_and_SoftMAC_devices. Moreover these drivers are designed to be dynamically configured to comply with the regulatory rules https://wireless.wiki.kernel.org/en/developers/regulatory/crda . It will be very tricky to comply with the new FCC rules.
@Joe
I can see why you say what I’m saying is dangerous.
What I’m trying to convey is that having a binary driver with an otherwise open and replaceable firmware is better than having a firmware that you can’t replace.
I don’t think what the FCC is talking about has anything to do with security per say. I think it does have to do with enforcing some already well defined boundaries on the WiFi radio spectrum.
I’m suggesting that we take a few minutes and see how we can legally work within the bounds that the FCC is proposing while still allowing us to do (most of) what we want.
Without putting on my conspiracy hat, I think it would behoove us to be willing to give up some (20%) to get most of what we want (80%).
Also, keep in mind that you are choosing to run the small multi-function platform. There is nothing that prevents you from dropping a wireless NIC in a regular PC with any distro you want on it. Even if said wireless NIC requires a binary driver from the manufacturer, you still have control over all the other aspects of the system. – You have the choice to run the small SOHO router platform vs a low power atom based PC with a wireless NIC. – I’ll even bet that you would have MORE features with the latter.
i am having a very big problem with my cable router at the moment and i cannot do anything to fix it because there is no firmware update or firmware rollback option. there is no firmware to download at all because my isp telstra pushed the firmware into my modem without me knowing about it and now i cannot stream video content without getting freeze.
youtube and all the google stuff is ok i can download a video from youtube at 4 mbps and yet when want to watch iptv nearly everything freeze. and yet i can watch all that on my smartphone using the data internet connection with no problems. i called my isp severel times asking them if iam being throttled and they acting like they dont know anything and my service should be working good.
WHY CANT THE FCC LEAVE 2.4GHZ/5GHZ ALONE!!!
NSA wants to monitor everyone by router!OpenWrt is open source which is NOT back door!
@me
If the upload has to be signed, then the only way to modify a device is to hack the manufacturing company and steal the private key. This has NSA snooping written all over it, because only an NSL or NSA hack can get a copy of router modification codes so they can control your router.
>This has NSA snooping written all over it,
Precisely.
Talk is online now:
https://www.youtube.com/watch?v=LnorCwNyDHo
@zoobab
Thanks. I don’t seem to find slides however, and they don’t show them in the video.
@cnxsoft
OK.. Found it at the source -> http://battlemesh.org/BattleMeshV8/Agenda?action=AttachFile&do=view&target=2015-08-06_wbmv8_FCC.pdf
Tessel 2 may be one of the first victims http://makezine.com/2015/08/27/new-fcc-rules-tessel-2/
@cnxsoft
Finally false alerts. See issue on github: https://github.com/tessel/project/issues/79
“Tessel 2 is seeking FCC approval. Tessel 2 runs OpenWRT, a distribution of Linux designed as open firmware for routers with very granular control over wireless capabilities. Currently Tessel 2 is stuck in FCC approval pending its demonstration of being able to generate packets in the 802.11n range.”
Unrelated to the new rules.
Manufacturers could as well sell two versions: one for the US market and one for non-us markets. While this may sound like a lot of work it’s not totally unrealistic as it’s handled in software.
Microsoft – for example – had to provide – N – versions of Windows for European customers and that didn’t even remotely affect the US market.
For router manufacturers this might even be a specific selling point, I for once bought an Asus Router for ~ 200 Bucks, because they specifically let me flash whatever I want on it and they also release the source code, which led Merlin to create *super* firmware versions.
OpenWRT project should actively and officially support open hardware like Arduino and Raspberry Pi and maybe even start to focus on those. While you can get the cheapo routers for free from your telco or basic models for a low price the open hardware is becoming more and more powerful and WiFi-adapters also exist, maybe even too many. They are the better platform for homebrew routing anyway.
I don’t think its because of maybe “non-compliant parameters”. It’s because end users should not replace the NSA trojaned firmware from the manufacturer to a safe firmware.
Though a little late it may be,, i am all for strict fcc regulations in anticipation of future disaster to our life. . Now this is wireless business evolvingrous, prosperos, they tend to only pay attention to making money, not potential health problems. The future dangers of the RF as result of exposure from use of wireless devices will be latent and soon shed light on the issue in matter of causing illness, cancer, brain damages. Like cigarlet industry. there will occure class actions against a big firm I firmly believe from injured people. After long, the public regconition is matter of time.
FCC answer: https://www.fcc.gov/blog/clearing-air-wi-fi-software-updates
All is well finally…
Using WiFi router is like smoking cigarettes. People are enjoying smoking, feeling good, amusing at first time. Planters, vendors, Cigalettee manufactures feels good too. Business is good and the Government feels good for their taxes and civil services get a great salaries for stupid works. Later they found a little by little complaints from users and they are addicted and problems in public health. Likewide the same in WiFi producrts and rousers producing invisible harmful waves to people. It seems that FCC realized what they should do to protect their sons and daughters. Absurd World we live in. stopping importing paper-products imported thru overseas thru amazon ebay etc.