Internet Heavyweights Urge FCC To Back Off Firmware Rules

Proposed FCC rules restricting the ability to wirelessly update devices are facing push back from Internet luminaries.
Proposed FCC rules restricting the ability to wirelessly update devices are facing push back from Internet luminaries.

In- brief: Google Internet Evangelist Vint Cerf is among those urging the FCC to reconsider rules governing firmware updates to wireless devices. 

A proposal by the Federal Communications Commission to restrict updates to wireless devices is encountering opposition from Internet luminaries, who worry that proposed rules limiting wireless modifications will lead to a population of unsupported, zombie devices.

The Internet Architecture Board (IAB), a committee of the Internet Engineering Task Force (IETF) that provides oversight of the Internet’s architecture, in a letter to the FCC, took issue with proposed rules that would require wireless device manufacturers to limit updates to devices to parties authorized by the manufacturer. Such a rule, the IAB warned, could lead to a huge population of orphaned devices as their original manufacturers go out of business or cease to support legacy hardware.

The proposed rules are included in proposed amendments to the Commission’s rules governing the license of wireless devices that emit RF energy. The FCC is empowered to regulate any device that might interfere with radio communications.

In a document published in July (PDF), the Commission sought public comment on amendments that would “codify filing requirements for RF devices that incorporate multiple certified modular transmitters” as well as software-defined radios.

The Commission is concerned about newer generations of wireless devices, including phones, that support a more modular paradigm, allowing consumers or carriers to mix and match components. The FCC mentioned Google’s Project Ara as an example, as well as ZTE’s proposed ECO-MOBIUS phone and the work of the startup Puzzlephone.

The FCC is concerned that such devices will challenge the current certification regime, allowing devices to operate out of compliance by way of post-sale modifications or additions by owners. The Commission said it is also concerned that certification of phones and other wireless devices that incorporate multiple modular transmitters made by different firms may not take into account the phone’s performance when those transmitters operate in unison.

The proposed amendments to the FCC rules would require any RF device that uses software to control its defining parameters to incorporate software security features that “permit only those parties that have been authorized by the manufacturer to make changes to the device’s technical parameters.”

[Read Security Ledger coverage of security issues related to routers and embedded devices. ]

That would be a bad idea, wrote IAB Chairman Andrew Sullivan in a letter to the FCC dated October 7.

“The IAB welcomes the focus on security, but notes that software security features of this type must be broad enough to permit device firmware updates by parties other than the manufacturer itself,” Sullivan said. The FCC’s proposed amendment would create a condition whereby a manufacturer ceasing operation would effectively orphan deployed devices “which itself poses significant potential security risks,” Sullivan noted. More generally, radio frequency devices originally intended for one set of use cases have been adapted by the experimental and open source communities for new uses, Sullivan observes. “Closing off this source of innovation and advancement is clearly counter to the interests promoted by the FCC.”

Since submitting the letter, the IAB has received public support from high profile technologists, many of whom had a hand in creating the modern Internet. Vint Cerf, Google’s Chief Internet Evangelist, co-signed a letter to the FCC with noted technologist Dave Täht  encouraging the Commission to “pursue an alternative path.” (PDF)

“We understand there are significant concerns regarding existing users of the Wi-Fi spectrum, and a desire to avoid uncontrolled change,” the two wrote. “However, we most strenuously advise against prohibiting changes to firmware of devices containing radio components, and furthermore advise against allowing non-updatable devices into the field. Doing so would block efforts to address serious ongoing problems with the Internet infrastructure.”

Speaking to Security Ledger at the Information Systems Security Association (ISSA) International Conference in Chicago on Monday, Cerf said that trying to use FCC rules to lock in device ecosystems would condemn the devices to failure.

In his letter, Cerf advises the FCC to instead mandate best practices for software development and require Wi-Fi vendors to provide public, full, and maintained source code for review and improvement, assure that secure firmware updates are available and under owner control and have a method for addressing known security vulnerabilities in source and binary within specific time frames.

Their words were echoed by author and noted Open Source advocate Eric Raymond, who used a blog post to endorse the filings by  Täht, Cerf and others and add his own thoughts.

Raymond called the current state of router and wireless-access-point firmware “nothing short of a disaster with grave national-security implications.” Bu locking down router and WiFi firmware, the FCC rules would “lock irreparably in place the bugs and security vulnerabilities we now have. To those like myself who know or can guess the true extent of those vulnerabilities, this is a terrifying possibility,” Raymond wrote on his blog.

I believe there is only one way to avoid a debacle: mandated device upgradeability and mandated open-source licensing for device firmware so that the security and reliability problems can be swarmed over by all the volunteer hands we can recruit. This is an approach proven to work by the Internet ubiquity and high reliability of the Linux operating system.

Issues surrounding the security of wireless gateways are considered the ‘canary in the coal mine’ for Internet of Things risk. The powerful, low-cost Internet-connected devices are often loosely managed and share components such as firmware and other software. They can be an easy mark for hackers, who have increasingly turned to them as alternatives to better-secured home PCs and laptops.

Unlike those devices, which are actively managed, software updates and security patches are rarely deployed for home routers, which are often managed, at least indirectly by carriers.

In August, for example, US CERT warned of firmware running on DSL routers sold under the ZTE, ASUS, DIGICOM, Observa Telecom and Philippine Long Distance Telephone (PLDT) brands that contains a hard-coded password allowing an attacker who can remotely connect to the devices to log in with administrator credentials. CERT said that there is no solution for the hardcoded password problem. It recommends using firewall rules to block access to the Telnet service on the device from any untrusted sources and to block SNMP service on the device.

In another example, the firm Allegro Software in December urged its customers to apply a 10 year-old software update to address vulnerabilities affecting an embedded web server found in some 12 million broadband routers by manufacturers including Linksys, D-Link, Huawei, TP-Link, ZTE and Edimax.