FCC Introduces Rules Banning WiFi Router Firmware Modification

For years we have been graced by cheap consumer electronics that are able to be upgraded through unofficial means. Your Nintendo DS is able to run unsigned code, your old XBox was a capable server for its time, your Android smartphone can be made better with CyanogenMod, and your wireless router could be expanded far beyond what it was originally designed to do thanks to the efforts of open source firmware creators. Now, this may change. In a proposed rule from the US Federal Communications Commission, devices with radios may be required to prevent modifications to firmware.

The proposed rule only affects devices operating in the U-NII bands; the portion of the spectrum used for 5GHz WiFi, and the proposed rule only affects the radios inside these devices. Like all government regulations, the law of unintended consequences rears its ugly head, and the proposed rules effectively ban Open Source router firmware.

The rules require all relevant devices to implement software security to ensure the radios of devices operating in this band cannot be modified. Because of the economics of cheap routers, nearly every router is designed around a System on Chip – a CPU and radio in a single package. Banning the modification of one inevitably bans the modification of the other, and eliminates the possibility of installing proven Open Source firmware on any device.

212 thoughts on “FCC Introduces Rules Banning WiFi Router Firmware Modification

  1. I didn’t read the entire FCC proposal. However, from what I did read, it sounds like the requirements focus on SDRs rather than radios in general. For example, with an SoC that contains a microcontroller and a WiFi radio, it sounds to me like updating the firmware on the microcontroller would not be covered by this proposal. If, on the other hand, the WiFi is created by an SDR, the proposal requires control over when you can update the SDR code to prevent the radio from working outside the original certified parameters. After all, if you updated the SDR and now it could transmit outside the WiFi band, that wouldn’t be able to pass certification for WiFi anymore.

  2. So this only applies to dual-band devices or devices that operate single band on 5Ghz?

    A bit off-topic, but this seems to be along the same vein as laptop BIOS locks on wireless cards. Toss in a WiFi card whose ID isn’t in the (signed) BIOS’s list of approved IDs? WiFi disabled.

    Anyone know if there’s, say, an editable eeprom on some/most/many WiFi cards to edit the PCI(e) ID?

  3. “devices with radios may be required to prevent modifications to firmware.”

    BWahahahahahaa…. that’s darling. Maybe they can add a law requiring the manufacturers of devices with radios to sing us sweet, sweet lullabies when we go nighty-night. It would be just as effective.

    Seriously – hacking systems has been various shades of legal or illegal now for years, and how much has that stopped us? Not you and I, of course – we are law abiding citizens. I mean the vile hacker community, rat-bastards to a man (or woman), who will pop the top of a “protected” wifi router – especially a relatively inexpensive, powerful one – in an afternoon. Hell – It’ll be a challenge.

    But in all seriousness, it might be *nice* to have the wifi router manufacturers be required to spend a bit of time on security; the list of exploits is a mile long, and growing, and one of the reasons to root the router is to *secure* the damned thing. So long at the protection doesn’t go overboard, this is no real issue.

    These sorts of rules and laws never cease to amaze me – it is almost as if the people making them think that by “requiring” it, it will somehow come to be. They… they can’t be that stupid, right? I mean, not really. They must understand that all this sort of policy will do is drive innovation in the technical underground. Remember napster? Yeah, I do. They killed it, and now I can download any song, any time, anywhere, for free (if I can be bothered to). Fat lot of good it did. The surest way to ensure anyone who wants it can crack their wifi router is to try to prevent it…

  4. haha they actually think they’re going to stop us from using custom firmware on our own equipment. I could see this actually working if custom router firmware was a super niche thing, but it’s far too big to be stopped now.

  5. A pretty stupid idea of the FCC to force US citizens to use potentially insecure firmware and not allow them the security that OpenWRT offers. Hopefully the Chinese manufactures will start offer US compliant routers for the US market and continue to offer open routers to those of us not governed by US law. I personally refuse to by any router that does not run OpenWRT, they are just not worth the hassle.

  6. Ok so firstly what exactly is the problem here? Is there a real issue with people on 5GHz WiFi interfering with other users of 5GHz wireless data transmission? Or is there some other user of 5GHz that is actually important enough for the FCC to care? (a quick search on Google doesn’t show anything important-looking on 5GHz frequencies but I may be missing something)

    Also, in terms of locking things down, as already mentioned many WiFi routers have separate CPUs for the wireless hardware (especially the 5GHz part) that run their own digitally signed software. If there is a concern that people will reflash it with firmware from EU or JP or some other region, they can always store the signing keys in one-time-programmable circuitry on the chip and load different signing keys for each region. That way its not possible for anyone other than the manufacturer to modify the radio firmware OR to load firmware designed for a different region.

    Isolate the 5GHz firmware so that (short of cracking the digital signatures) its physically impossible to transmit at power levels or on frequencies not allowed for 5GHz WiFi signals and then the FCC should have no need to care about what might be happening in the rest of the system (which has no way to interfere with the 5GHz firmware)

    1. I just saw up-thread that the FAA cares about this because rogue 5GHz WiFi routers (intentionally or unintentionally transmitting outside the approved frequency bands or power levels) have been interfering with aviation weather radar. Now as someone who knows a bit about what modern weather radar has done to aircraft safety (mostly from watching episodes of Air Crash Investigation mind you) I will agree with the FAA and FCC that stopping these rogue WiFi routers from interfering with aviation weather radar is a good thing.

      I still believe there is a way to lock down the radio part sufficiently that its not possible to cause the WiFi radio to transmit outside the approved power and frequency for US use but doesn’t require locking down the rest of the system. My cellphone (a Nokia N900) does it by obtaining the current country code from the cellular network and passing that info to the chip and firmware so it can configure its settings correctly for that country. If it cant see a cellular network, it grabs the country code from an OTP memory blob on the main CPU (which is presumably written to at manufacture time based on where the device is intended to be sold).

  7. I filed a comment with the Federal Register then wrote letters to both of my US senators and my US Representative (even though I despise his party and his politics).

    I encourage all other US residents who care to do this as well. Executive bureaus are somewhat insulated from direct voter wrath, but they are still beholden to the legislators who hold the purse strings. Put respectful but earnest pressure on your elected reps and we can head this off.

  8. I just read that proposal and it’s much ado about noting. The proposal has nothing to do with preventing open source firmware from being installed. It will only force them to secure the radio so no firmware proprietary or open source can use that radio in a way that will interfere with other radios using that frequency spectrum.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.