Last year, the FCC announced new rules that were intended to prevent routers and other wireless devices from using settings or power levels that would violate their licensed RF parameters. When users pointed out that these restrictions could mean the end of open source firmware and result in a significant negative impact to device security, the FCCissued guidelines clarifying that it had no intention of making open source firmware illegal, and simply wanted to ensure that certain specific settings were no longer available for configuration.
It now seems that user fears were justified. Despite the FCC’s clarification of its original proposed rules, the simplest way to comply with those rules remains the same: Disable open source firmware updates. At least one firm, TP-Link, has just announced that’s exactly what it intends to do.
The company has made it clear where and why it’s moving to lock things down, writing:
The FCC requires all manufacturers to prevent user from having any direct ability to change RF parameters (frequency limits, output power, country codes, etc.) In order to keep our products compliant with these implemented regulations, TP-LINK is distributing devices that feature country-specific firmware. Devices sold in the United States will have firmware and wireless settings that ensure compliance with local laws and regulations related to transmission power.
As a result of these necessary changes, users are not able to flash the current generation of open-source, third-party firmware. We are excited to see the creative ways members of the open-source community update the new firmware to meet their needs. However, TP-LINK does not offer any guarantees or technical support for customers attempting to flash any third-party firmware to their devices.
That’s some decidedly odd language in the second paragraph. Not only did the FCC want these capabilities locked down, it originally mandated that companies would have to explain how they would specifically prevent the use of third-party firmware solutions like DD-WRT. TP-Link seems to be giving a wink and a nod to the idea that it had to implement this lockout, but gosh, if you enterprising end-users happen to find a way around the problem, that’s just too bad. The company could get into legal trouble if it actually leaves in this kind of loophole, but the text could just be a rhetorical bone to throw enthusiasts.
The FCC’s requirements were drafted after the FAA found illegally modified equipment interfering with Doppler radar at airports, but its rules could end up compromising device security and security research. One of the reasons why end users have valued the ability to install third-party firmware is because many routers are effectively abandoned by their manufacturers post-manufacture or poorly updated at best. The ability to flash third-party firmware updates allows an end-user to close security vulnerabilities that the vendor may have no interest in resolving. It’s also been a boon to people who have routers with functions that are gated off via firmware and reserved for more expensive models. Then again, from the manufacturer’s perspective, this is lost revenue. If the FCC’s new rules kill third-party firmware updates, we suspect most vendors won’t shed a tear for the loss.
Despite TP-Link’s comments, it’s not clear if third-party firmware authors can create a solution that would meet FCC requirements at all. We’ll have to wait to see what more manufacturers are doing, but this isn’t an encouraging development.