For more than a decade, consumers have been downloading and installing open-source firmware packages for various popular routers. New rules proposed by the FCC could sharply curtail or eliminate that freedom thanks to a series of provisions that mandate locking down the device's radio and preventing any modifications to its pre-approved settings.
Users may flash to open-source firmware for any number of reasons. Sometimes a router has a previously-unknown bug or security flaw, and the manufacturer has either abandoned the device or refuses to issue a fix in a timely manner. Sometimes users may want additional settings and capabilities that aren't provided by whatever options the manufacturer has chosen to install. In some cases, these features are restricted because the company wants to sell them as part of a high-end router, even if the underlying hardware between the two models is completely identical. Either way, modifying radio settings like transmit power or using unauthorized channels is just one thing that users' do.
The FCC's proposed rules(Opens in a new window) governing software requirements for U-NII (Unlicensed National Information Infrastructure) 5GHz band, however, could end these options altogether. Here's why: In a recent revision to its rules governing the 5GHz spectrum, the FCC ordered that 5GHz devices "be secured to prevent its modification to ensure that the device operates as authorized thus reducing the potential for harmful interference to authorized users."
The document goes on to note that applicants must demonstrate that only authenticated software is loaded and operating the device and that "the device is not easily modified to operate with RF parameters outside of the authorization." So far, none of this is actually big news. The concept of authenticating or validating software isn't intrinsically anti-consumer.
The problem, in this case, is in the footnotes. The FCC's document notes that many devices rely on unacceptably weak security, including "those that rely solely on the distribution of firmware in compiled binary form without any form authentication or verification between the device and entity sending the firmware. These implementations are typically susceptible to device 'flashing' with third-party firmware or software capable of operating the device outside of its authorization."
Then, a little later on, there's this gem:
By specifically calling out DD-WRT as an example of an unacceptable security risk, the FCC has effectively put modders on notice. Many in the community are concerned that while the FCC's security rules technically only apply to radios, they'll be used to lock down entire devices. Modern routers are built around SoCs, not discrete chips or separate operating systems. It may be possible to lock out certain radio controllers while allowing the router firmware to be modified in other ways, but it's not the simple solution -- and if router manufacturers are known for anything, it's for choosing the simple solution. This could cause huge problems for other firmware packages as well, such as Tomato or OpenWRT.
The flaw in the FCC's reasoning is thinking that the ability to modify the modem settings in a manner which may cause limited, short-range interference (5GHz wireless signals attenuate rapidly, which makes long-distance problems much less of an issue) is the primary goal of most modders. I've flashed every router I've ever owned, mostly for security updates, but occasionally to gain better firewall control, more wireless settings, or better administrative options. The FCC's proposed rules need to be changed to accommodate these valid uses.
