FCC Reaches Agreement With Router Manufacturers

Last year, the Federal Communications Commission proposed a rule governing the certification of RF equipment, specifically wireless routers. This proposed rule required router manufacturers to implement security on the radio module inside these routers. Although this rule is fairly limited in scope – the regulation only covers the 5GHz U-NII bands, and only applies to the radio subsystem of a router, the law of unintended consequences reared its ugly head. The simplest way to lock down a radio module is to lock down the entire router, and this is exactly what a few large router manufacturers did. Under this rule, open source, third-party firmwares such as OpenWRT are impossible.

Now, router manufacturer TP-Link has reached an agreement with the FCC to allow third-party firmware. Under the agreement, TP-Link will pay a $200,000 fine for shipping routers that could be configured to run above the permitted power limits.

This agreement is in stark contrast to TP-Link’s earlier policy of shipping routers with signed, locked firmware, in keeping with the FCC’s rule.

This is a huge success for the entire open source movement. Instead of doing the easy thing – locking down a router’s firmware and sending it out the door – TP-Link has chosen to take a hit to their pocketbook. That’s great news for any of the dozens of projects experimenting with mesh networking, amateur radio, or any other wireless networking protocol, and imparts a massive amount of goodwill onto TP-Link.

Thanks [Maave] for the tip.

43 thoughts on “FCC Reaches Agreement With Router Manufacturers

  1. While it’s nice that there is an option, this seems like a barrier to anyone wanting to make an open hardware router or a new router manufacturer that wishes to allow open source firmware alternatives. It’s a high barrier of entry for anyone who wishes to compete.

    Furthermore, this now seems less punitive for security issues, and more like an “open source tax”.

    I’m not trying to be pessimistic, but this still seems far from optimal to me.

  2. I didn’t understand what the fine was about. This comment under one of the links made it more plain: https://lwn.net/Articles/696032/

    What that suggests to me is that the standard Linux CRDA system system *IS* sufficient for the FCC, and that the FCC isn’t making it necessary to lock down router firmware. It’s just that locking the firmware down is an alternative if the manufacturer is too dickish to do the right thing.

    1. The thing is, CRDA checks the signature on the wireless-regdb. So if you replace the CRDA binary on the device, you can load your own regulatory database. If CRDA is compiled with OpenSSL instead of gnutls, you don’t even need to replace CRDA. Just add your own public key to the directory that CRDA searches after the build in keys didn’t work to verify the signature.

      And with an unmodified CRDA you can of course tell the kernel that you are in another country with more lax RF regulations.

      1. That’s true but the FCC’s goal is to keep people from configuring their routers into an illegal state that causes disruption. Most people who install alternative firmwares don’t really understand all of the configurations and just set what they think is best or follow guides online that may or may not have been made by someone in their country. I know that with Tomato the channel lists are locked down based on country but transmit power and other options are not.

        1. why can’t we have an international standard frequency for locally broadcasting the country regulation code and current time, and legally oblige radio chip manufacturers sign and hand over to local governments hash of regulation code, time and expiry date?

  3. There is more information in the consent decree at:

    https://apps.fcc.gov/edocs_public/attachmatch/DA-16-850A1.pdf

    Some models allowed the user to change the country code. Apparently this allowed the user to bypass the restrictions on power level implemented by TP-Link. The FCC cares enough about 3rd party software like DD-WRT that it chose to stipulate that as part of the consent decree TP-Link was to support 3rd party software on their routers. I suspect that the fine was reduced in return for TP-Link’s cooperation.

    It seems pretty clear to my reading (IANAL) that what the FCC wants is a hardware solution to limiting the power level which is not hackable. Locking the firmware down is viewed as an illusory fix. The long history of jail breaking smartphones doubtless was a factor. The message from the FCC is that software restrictions are not sufficient.

  4. “Instead of doing the easy thing … TP-Link has chosen to take a hit to their pocketbook”

    You’re saying that you believe the FCC wished to prohibit third-party firmware through this settlement, and the FCC increased the fines against TP-Link because of TP-Link’s insistence that third-party firmware be allowed in the future?

    Your claim seems unsupported by the reporting around this. The settlement agreement appears to show exactly the opposite, in fact. It suggests that TP-Link were perfectly willing to throw open firmware under the bus and locked it out in updates to their devices in the hopes that it would get them out of paying fines in this case. And it shows the FCC desperately at pains to insist (a.k.a. rewrite history) that they have never encouraged the prevention of third-party firmware and were not responsible for TP-Link abandoning their previous openness. If anything, the settlement attempts to suggest that TP-Link’s locking out of third-party firmware is part of the reason the FCC is fining them.

    In other words, TP-Link very much *did* try to “do the easy thing”, and the FCC then went and fined them anyway. And it wasn’t TP-Link, but the FCC (continuing their attempts at PR rehabilitation) saying that locking down a device is not required and that TP-Link’s decision to do that was contrary to the best interests of their users.

    TP-Link doesn’t seem to have stood up for third-party firmware at any point, and certainly hasn’t opted to take a hit to its pocketbook in any instance where they were able to avoid it. And in the end, TP-Link have paid a fine, blame open-source/third-party firmware for it, and have switched to locking down all firmware going forward. The FCC requires TP-Link to “investigate” supporting third-party firmware again, but I can’t imagine that resulting in anything changing. I expect locked-down TP-Link devices are here to stay.

    1. Wow, just wow, you put a completely not said statement in Brian’s mouth, then add a question mark, as if there is doubt he never said your lengthy and out-of-bounds extrapolated fantasy, then start to disagree with your own imagination.

      1. I put quotation marks around the part I was quoting. The part with the question mark was my asking if I understood what that meant. I used the question mark because I am uncertain if it is an accurate summary of the article, but I did mean that summary of my understanding of what this article is saying in good faith.

        I’m really not sure how else to read this article aside from a claim that TP-Link has A) fought the FCC on behalf of supporting third-party firmware, B) has won, and C) has (willingly) “take[n] a hit to their pocketbook” as a cost of doing so (the fines).

        But if that’s what this article is claiming, as far as I can tell from the linked settlement agreement that is not at all the case: TP-Link were not on the side of third-party firmware, the fines are unrelated to the ability to support or not support third-party firmware, the FCC, not TP-Link, is at pains to say that disabling third-party firmware is unnecessary and bad for consumers, and the only future (minimal) activity promised by TP-Link toward third-party firmware will only be because the FCC is requiring it of them.

        Honestly, I can’t see how else to read this article except as a celebration of TP-Link’s actions, but its description of those actions appears to be so different from what everything else says about the events that I’m confused. I might be misunderstanding this article, but if not, it would appear that Brian is misunderstanding what he is linking to, or he has additional information which hasn’t been reported anywhere, including here.

        1. As an example of reporting on this elsewhere, Ars Technica’s article on this settlement is headlined “FCC forces TP-Link to support open source firmware on routers“, with the subheading “TP-Link settles with FCC after blocking open source and violating power rules”, which appears to be exactly the opposite interpretation of events from the article here. Ars Technica even describe the agreement by TP-Link to investigate supporting third-party firmware as being made in order to *avoid* further fines, though it’s not clear where they’re getting that information from (they claim it’s in the press release, which it is not).

        2. “I put quotation marks around the part I was quoting. The part with the question mark was my asking if I understood what that meant”

          If the History channel has taught me anything, Ancient Aliens can be the only reason these routers are locked down, as expertly proven by [John S]!

    2. I’ve clearly totally misunderstood this article. I honestly read it as claiming that there was a conflict over the use of third-party firmware resulting in a settlement, that in that conflict TP-Link have acted in the best interests of third-party firmware, that the FCC was in opposition, that TP-Link have taken financial damage to maintain their support for third-party firmware, and that TP-Link should receive acclaim for these actions. If that were what was being claimed, every one of those claims would stand in stark contrast to the statements made by the government, the facts stipulated in the agreement reached by the two parties, and the majority of the mainstream reporting on the matter.

      But clearly there is something I’m missing, and I accept that I am simply wrong in my understanding of this article: it is clear that the majority of readers *are* understanding it differently from how I read it. Honestly, I apologize for whatever confusion it is that I have about this article and from which my comments suggesting it might be mistaken have arisen. I especially apologize for my attempt to summarize what I thought was the primary point of the article, which seems to be viewed as having been done in a very rude manner. I had meant it in good faith, I thought it was a fair summary of the largest claims being made in this article, but it’s clear I’ve grossly misunderstood and misrepresented what this article is saying.

  5. “TP-Link has also agreed to take steps to support innovation in third-party router firmware by
    committing to investigate security solutions for certain 5 GHz band routers that would permit
    the use of third-party firmware while meeting the Commission’s security requirements and maintaining the integrity of critical radio parameters.”

    So the restrictions that forced TP-Link to lock down their routers and block open source softwre still apply, they’ve just agreed to investigate if there’s any way for them to meet those restrictions whilst allowing open source software. Furthermore, this is not intended to in any restrict TP-Link’s ability “to select, in its sole discretion, particular chipsets, that it will use in the manufacture of its devices”. So they can continue using hardware that can only meet the FCC requirements by blocking all third-party router firmware if it’s cheaper. (Which it almost certainly always will be, given the complexity and country-specific nature of the rules.) All the FCC cares about is whether they’re seen to be blocking open source firmware, not whether we can actually make use of it.

      1. Not with so much stuff coming from China now. No doubt China will still be making routers that make no attempt to comply with US regulations and no doubt they will get into the US anyway.

        Most of the US’s tech stuff is just domestic consumer goods anyway. The US doesn’t have a global influence in consumer/tech products because US postal costs make your products non-competitive price-wise.

    1. Vendors are lazy. Many produce only one variant that complies with all regulations instead of making country specific devices.
      It happens quite often that devices sold here in Germany can’t connect to access points on channel 13 just because of the FCC…

  6. this is hardly a “win”. first i found TP-Link products outstandingly bad. second the “fine” doesn’t really solve the issue, rather it confirms and supports the exclusion of 3rd party firmware from running on devices we buy unless the manufacturer pays “penalty” by the FCC.

  7. No being an American, I wonder what all of this is about.

    Logic would suggest that it is to reduce/eliminate cross interference in dense Wi-Fi cells.

    However history shows that the US government doesn’t subscribe to “logic” and it is more likely about limiting citizens ability to create independent networks that can’t be monitored by the NSA. Well either that or your internet service providers have purchased enough political representatives to launch a pre-emptive response by declaring war on competing technologies before they emerge. Weapons of mass communication ???

    1. No, this has nothing to do with government snooping. Over transmitting on 5ghz can interfere with other communications systems. Harmonics are a concern as they become stronger out of band as power transmission increases beyond the FCC tested scenarios. Increasing transmission power also disrupts other devices working at the legal level and drowns them out, causing a denial of service. Imagine a dense city block with a bunch of high powered wifi signals and hundreds of legal levels. Many people would be unable to use wifi.

  8. When someone up high pushes for security in a communication device. Effectively making their transceiver a black box. It makes me think they are simply adding another spying tool and additional level of control.

  9. I have a TP-Link TL-WR702N which has apparently decided it will no longer access anything on the internet, though it will login to my WiFi router.

    After futzing with it for a few hours (many resets and trying different settings) I dug out a Linksys EA2700 and put the latest DD-WRT beta on it. Took me a while to find a how-to that didn’t omit some critical steps for making the thing run ‘backwards’ from what it was built to do. Cisco/Linksys never intended for it to be able to be a WiFi bridge/repeater, or to use the WAN port as a LAN port, but DD-WRT makes it do it. Only cost me 75 cents at a yard sale. :)

    But even with this formerly costly piece of hardware I’ve had to pull its plug to reboot it when it decided to disconnect itself from the outside world.

    Why can’t these companies get networking SOLID after all these years? This stuff should work and stay working 24/7/365 once the settings are set. Shouldn’t be crapping out every so often and needing to be restarted.

    Even Microsoft screwed that one up big time with Windows 10. Preview releases, the RTM build and also the huge 1511 update all had bugs in networking which would have them connecting but unable to pass any internet traffic. *Finally* after nearly a year, on July 12, 2016 Microsoft released a “servicing stack update” for RTM and 1511 which for most computers fixed the networking problems. If you have 10 RTM and want to do an online update to 1511 you’ll have to download the July 12 SSU and install it first. That update is NOT rolled into the current 1511 update. Hopefully it is in the upcoming 1607 build.

    If after installing the SSU and rebooting you still can’t get online, open command prompt as an administrator and enter netcfg -d at the prompt. You’ll get some error messages. Hit enter again. Enter netcfg- d again, then enter again. *Close the command prompt window!* If you just restart without closing the command prompt, Windows 10 most likely still won’t have internet access.

    What gets me is how the heck Microsoft screwed this up in the first place? They’ve done TCP-IP IPV4 networking for a long time, should have had it all sorted out long ago. Even worse is the problem was in the beta and preview builds and wasn’t debugged before the RTM version, and *still* wasn’t fixed in 10’s first major update. Microsoft should’ve put a special team onto finding and fixing the problem two years ago instead of waiting nearly after release to manufacturing to get it fixed.

  10. what’s the harm? (correct me if i am wrong) it isnt like the wifi module could.

    1. be a software defined radio and you could change the frequency to say the 88 to 108 mhz range and drown out all fm radio or a little higher say in the 130 to 150 mhz and drown out the maritime radios like those that are used in deadliest catch on tv or higher into the 300 to 400 mhz ask and ook and drown out consumer devices like garage door openers ,key fobs and ipod air clicks or even higher and get it into the frequency that your microwave uses and murder someone by making their pacemaker malfunction and cause heart attack.

    2.make a massive extreme high wattage wifi because the power is limited (correct me if i am wrong) by the power supply (ohm’s law here) a 12 volt 1 amp power supply can only give 12 watts most likely the power is limited by the amplifier circuitry in the wifi module so you will probably fry the module and release the blue smoke long before doing any real harm.

    also is the fine per router modified or all routers?

    if it is per router it could add up to billions and even bring down the company.

    if the government is worried about users being able to step onto the frequencies of the emergency radios then why not use cell phones or move their radios off those bands say for example design and build a 10 ghz system reserved for that use

    1. I doubt many wifi devices are physically capable of transmitting that far out of spec. But they might still transmit on channels or with power levels outside of legal specs. Given the deliberate effort required to flash firmware, this still reasonably puts compliance on the tech who flashes and configures the router, far more than a manufacturer who produces a by default compliant device.

  11. If national security cannot allow undecryptable communications, then they also must already be listening to everyone’s conversations, wherever they might be, in public or in private. Simple logic.

    The actual process of communication is the protected thing, regardless of the media used to do the communicating, be it via human mouth to human ear, or via wireless network 3 feet or 3 light years away.

    1. It does not follow that because they want it to be possible to, if they choose to do so, decrypt data, that they must be decrypting literally everything continuously. It’s entirely possible they only care about some subset, or want the capability to be there when they arbitrarily decide to snoop on someone. I share suspicions of ulterior motives, at least to an extent, I just object to calling this leap of intuition *logic.*

  12. We’re seeing more and more application of what are basically software-defined radio technologies in consumer products (such as WiFi routers).

    The physical radio itself can generate a very large power output, with great flexibility in its modulation scheme and channel use, with great flexibility in what higher-level protocols are used, across a wide range of different frequencies. The radio is as agile and general-purpose as possible – and we “fix it in software” for all the higher-level stuff for a particular application. So we can (for example) build a single bit of silicon that can do Bluetooth Low Energy, or WiFi, or 802.15.4.

    You submit that hardware-plus-software stack to the FCC (or similar international agencies), with given hardware and given software, and that given combination is certified. If you change it, in the hardware or in the software, you’re no longer selling an FCC-certified product.

    Software-defined radio means that a specified software configuration is now intrinsically a part of the technology stack that is regulated and approved by FCC. And people cry that this is taking away our SOFTWARE FREEDOM.

    But the fact is, where radio is concerned, you don’t have freedom.

    Radio is regulated. It’s that simple – and it’s nothing new.

    Some of that regulation is just moving from fixed, inflexible hardware systems – where “lack of freedom” has been well established for decades – into the software components.

    What’s the alternative? To move away from software-defined radio technologies and the advantages that they bring.

  13. Are there any examples of routers that are actually locked down? The link doesn’t actually state any concrete examples. Just that “We got confirmation today from one of the largest router manufacturer that they have begun locking router firmware down due to recent FCC rule changes.”

    They’d be interesting targets for security research.

  14. so now instead of picking up a 100mw router and putting dd-wrt on it and getting 350mw. one could always just use a inline antenna amplifier of a few watts from china. great job fcc.. my multi watt setup has been tested with a 1/2 mile obstructed wifi connection with my dd-wrt router I couldnt get that with my 350mw setup. i’d also expect router manufactures to release less secure routers if they know it or not. easter eggs find a way. this really seems to be pointless so now the occasional 350mw user will be pumping several watts out instead.
    and less competition for manufactures to get there product better.

  15. If I read the information correctly, what has happened is that TP-Link got busted selling routers that (out of the box with the official firmware and settings on them) broke FCC regulations and a deal has been done whereby the FCC will give TP-Link a lower fine than would otherwise have been the case in return for TP-Link agreeing to find a way to make open source router firmware possible on TP-Link hardware going forward?

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.