Hey FCC, Don't Lock Down Our Wi-Fi Routers

Proposed rules by the FCC have digital watchdogs and open source advocates worried that manufacturers will lock down routers. Here's why that matters and what you can do about it.

On the coastal edge of Tunisia, a signal bounces between 11 rooftops and 12 routers, forming an invisible net that covers 70 percent of the city of Sayada. Strategically placed, the routers link together community centers—from the main street to the marketplace. Not long ago, the Zine el-Abidine Ben Ali government censored access to the Internet. The regime is gone now. And this free network gives the community unfettered access to thousands of books, secure chat and file sharing applications, street maps, and more.

The Sayada community network is part of the Open Technology Institute’s (OTI) Commotion Wireless project. The organization works with local groups to install mesh networks in communities across the globe—from New York to India. Commotion Wireless uses routers that utilize and extend (among other things) OpenWRT—an open source operating system with nonstandard features that make these unique networks possible. Reprogrammed and repurposed, the routers become something entirely new: a hub of information, a beacon of open access, and a symbol of freedom.

Now, the future of Commotion Wireless—and countless other programs and projects like it—might be in jeopardy. Proposed rules by the Federal Communications Commission have digital watchdogs and open source advocates worried that manufacturers will lock down routers, blocking the installation of third-party firmware—including open source software like OpenWRT and DD-WRT.

The Reasoning Behind Locking Routers Down

In March of 2014, the FCC updated its requirements for U-NII devices operating on the 5 GHz band—a designation that covers a wide range of Wi-Fi devices and routers. FCC regulations aren’t the sort of thing you keep on your nightstand for a bit of light reading—they are technical and dense. And so it wasn’t until last month that Wi-Fi hobbyists pointed out some regulatory language that might affect the open source community:

“Manufacturers must implement security features in any digitally modulated devices capable of operating in any of the U-NII bands, so that third parties are not able to reprogram the device to operate outside the parameters for which the device was certified.”

On its own, the language isn’t a deliberate war on modding. “In this particular case, this is about safety,” said William Lumpkins, Sr. Member IEEE, IEEE Sensors Council/SMC Standards Chair. Most modern equipment—from laptops to planes—emits radio frequencies (RF). And the FCC carefully orchestrates traffic to ensure signals don’t get tangled up. Devices modified to operate beyond their intended parameters can cause interference with important systems (the FCC cites a 2009 case where user-modified devices were getting in the way of Doppler Weather Radars).

RF modding could also interfere with “medical devices like pacemakers, optical implants, diabetic insulin regulators, and a slew of other medical devices,” Lumpkins said. “An insidious person could also turn a radio into a white noise generator and not allow anyone to use Wi-Fi/Bluetooth within a 1500 foot radius, which is what a few well-intentioned theater owners tried last year.”

It isn’t unusual, Lumpkins said, for the FCC to take steps to keep devices operating within their intended parameters. What is unusual, Lumpkins added, is for the FCC to call out—by name—specific software. But that’s exactly what the FCC did.

This March, the FCC published a guideline to help manufacturers meet the new requirements for the hundreds of new routers and access points that hit the American market every single year. One prompt read: “Describe in detail how the device is protected from ‘flashing’ and the installation of third-party firmware such as DD-WRT.”

And that’s a big red flag: DD-WRT, like OpenWRT, is a free, Linux-based firmware for wireless routers and access points. The two are widely used within the tinkering community—and they are important.

So, is the FCC mandating that manufacturers lock down the whole router—including its operating system? Not really. The guidance is more what you’d call (badly worded) guidelines than actual rules. More importantly, guidances aren’t written by the same people who write the actual regulations. In fact, the FCC explicitly told TechDirt’s Karl Bode that it’s fine with mods and open source software “as long as they do not add the functionality to modify the underlying operating characteristics of the RF parameters.” So, modding the operating system? Okay. Modding the RF parameters? Not cool.

“The real worry is that major chip manufacturers will respond by saying ‘the easiest thing for us to do is lock down all the middleware rather than worry about where to draw the line.’ That would potentially kill a lot of innovation and valuable uses,” wireless policy guru Harold Feld told TechDirt.

A Broad Loss for Security, Tinkerers, and Society

And that’s a real concern. Especially as the FCC is currently considering a proposal that would expand the rules to anything with a software-defined radio. Which could apply to pretty much anything—because everything with Wi-Fi-capability is essentially a radio. The FCC’s current Notice of Proposed Rulemaking (NPRM) seeks to “minimize the potential for unauthorized modification to the software that controls the RF parameters of [a] device” by implementing “well-defined measures” to ensure the equipment “is not capable of operating with RF-controlling software for which it has not been approved.”

No word on what those “well-defined measures” actually are—or where the “radio” ends and the rest of the device begins—but digital watchdogs are worried that the new rules could prompt manufacturers to lock down any computing devices with a wireless radio. Of course, if you’re technically inclined (and most people who take the time to reflash routers are), it’s not hard to pick digital locks that protect vendor programming. It’s just that breaking those locks opens tinkerers up to prosecution under the Digital Millennium Copyright Act—a distinction that comes with up to 5 years in prison and a $500,000 fine. But that’s a whole other can of worms.

The primary concern is this: If manufacturers take the NPRM and the guidance as an invitation to lock down routers and Wi-Fi devices, it would be a huge loss to the tinkering community and a net loss to society. Open source software gives users far more control over devices than proprietary vendor firmware—thousands of people have used open source firmware to unlock new functionality on cheap routers or breathe new life into old access points.

“I personally use OpenWRT on my home wireless router because it provides more capabilities than the firmware that came pre-installed,” Oakland resident Kerrick Staley wrote in a letter to the FCC. “…OpenWRT, being open source, encounters far fewer vulnerabilities than manufacturer firmwares, and existing vulnerabilities are fixed quicker, meaning my home network stays more secure.”

Staley’s not exaggerating about the security benefits. Open source systems are more easily audited by security researchers, and OpenWRT has occasionally beaten the big router manufacturers to market with security patches for their own hardware.

It’s not just the high-tech nerds who are taking issue with the FCC’s proposed rules. Wi-Fi routers are easy to repurpose as hotspots, wireless repeaters, network storage devices, and low-cost wireless networks; they can be cheaply and quickly patched together as a communication stopgap after emergencies. Which is why amateur radio operators have also stepped up to caution the FCC on its new proposed restriction to software-defined radios.

“In at least the last 5 years, Amateur Radio operators have found new and inventive ways to use these inexpensive devices to build broadband networks in support of community events, and to prepare for deployment of these devices for emergency incidents,” wrote ham radio operator James Kinter, Jr. “…Third party software (OpenWRT, DD-WRT, etc) is the basis for many of the Amateur Radio projects, that we then expand and customise for our own projects to easily allow us to build these projects without reinventing the wheel.”

The FCC is currently asking for feedback on the NPRM before the rules become law—so now is the time to pipe up. The FCC has already received tons of concerned comments from citizens and organizations around the nation—most of them extolling the virtues of open source software and asking the FCC to make sure consumers aren’t locked out of their own routers and Wi-Fi devices.

Yes, regulating the airwaves is important—especially as more and more Wi-Fi-enabled devices explode onto the market. But encouraging manufacturers (even unintentionally) to lock down entire devices—making every part of them, as opposed to just the radio, unmodifiable—is the regulatory equivalent of using a rocket launcher to eliminate a rat infestation. You might get the rats, but at what cost?

In this case, I’m hoping that open source communities don’t wind up as collateral damage.

Want to voice your concern to the FCC? They are accepting feedback and comments on the NPRM until Oct. 9.