
TP-Link blocks open source router firmware to comply with new FCC rule - jhack
http://arstechnica.com/information-technology/2016/03/tp-link-blocks-open-source-router-firmware-to-comply-with-new-fcc-rule/
======
aftbit
This is the worst part:

> Cisco argues that open source software could be consistent with the FCC's
> goals. "There is nothing in the Commission's existing or proposed rules that
> would limit or eliminate the ability of a developer to use Open Source
> software, including software that controls radio emissions," Cisco said in an
> FCC filing in November.

> But this would require a more locked-down approach than one in which users
> can modify the firmware, Cisco said. "The ability to review source code is not
> inherently incompatible with the notion of locking the integrity of a product
> against modification or tampering," Cisco wrote. "It is perfectly possible for
> a product to have source code that is capable of review by the public while
> that same code is secured inside the device against change by the end-users."

That misses many of the important goals of open source (and points back to the
"open source" vs "free software" debate). It's not just about being able to
view the existing software, it's about being able to control the systems that
process your data.

For example, what if the manufacturer stops supporting the hardware? Today,
you can just keep updating openwrt and avoid any security issues. After 2016,
that won't be possible.

~~~
_yp
This is exactly what the GPLv3 protects against.

~~~
toomuchtodo
Which government regulation overrides.

~~~
x1798DE
What does that even mean? If regulators say it's illegal to comply with the
license terms, you can't use products released under those terms. It's not
like the GPL'd components fall into the public domain.

~~~
toomuchtodo
It means you can't license the baseband under the GPL, nor release it to the
public.

~~~
sangnoir
> It means you can't license the baseband under the GPL, nor release it to the
> public

...within the jurisdiction of the US Government. Have a look at libdvdcss for
guidance on how such a baseband might be developed and distributed.

------
No1
It's amazing to me that instead of seeking out and prosecuting the handful of
people causing problems near airports, the FCC wants to prevent everyone in
the United States from running open source router firmware.

~~~
toomuchtodo
Regulating the proper use of a shared public resource (RF spectrum) is sort of
the FCC's thing. Tragedy of the commons, your rights end where the next
person's begin, that sort of jazz.

This will probably evolve into the baseband firmware being closed, and the
higher abstractions being open (with an API to interface to the baseband).
Just like cellphones. Which is acceptable unless you're unrealistic about
necessary regulations.

EDIT: If you _don't_ believe regulation is required, think about tens or
hundreds of thousands of wireless devices in the wild that can cause RF
interference with no ability to get them recalled.

That time Netgear negligently hardcoded the address of University of
Wisconsin's NTP server comes to mind:
[http://pages.cs.wisc.edu/~plonka/netgear-sntp/](http://pages.cs.wisc.edu/~plonka/netgear-sntp/)

~~~
aftbit
It's pretty inconvenient for people who want to experiment with e.g. mesh
networks, ham radio, etc as mentioned in the article. Also, it seems a bit
silly, as true SDR prices are going to keep going down. You can already buy a
HackRF for $300 or a YardStick for $150.

I'd be in favor of requiring a significant technical burden to enable access
to the wireless hardware. Maybe make people open the case and solder a jumper.
But there should always be a path forward for experimentation.

~~~
toomuchtodo
> But there should always be a path forward for experimentation.

That's not how regulation of consumer hardware works. Experimentation allowed
in spectrum? Sure. Require consumer hardware be able to do so? No.

------
flyinghamster
If this is going to be the "new normal" then I'm thinking that the best way to
go would be to use a low-power PC or ARM system with two NICs as my router,
and use dedicated access points for wireless. I'm not going to put up with
crappy router firmware.

~~~
wtallis
You should still want the benefits of open-source wireless. Only the open
drivers will benefit from new algorithms for per-packet transmit power control
([https://github.com/thuehn/Minstrel-Blues](https://github.com/thuehn/Minstrel-Blues)) and queuing/QoS that is
designed for wifi
([http://thread.gmane.org/gmane.linux.network/401202](http://thread.gmane.org/gmane.linux.network/401202)).
Plus, the open drivers get bug fixes to the point that they're actually
stable.

------
visualphoenix
All the more reason to support the Turris Omnia [1]. Open hardware / software
[2]:

      [1] https://omnia.turris.cz/en/
      [2] https://github.com/CZ-NIC/turris-os
      [3] https://www.indiegogo.com/projects/turris-omnia-hi-performance-open-source-router#/

------
DannyBee
So, then, I guess they are going to stop using GPL/LGPL software or will soon
be enjoying the wrath of the SFLC.

Time to go give some money to Bradley :)

------
awalton
...and now nobody will buy TP-Link routers, once the Amazon reviews are filled
with 1 stars.

The market will likely sort this out for itself.

~~~
happycube
They _all_ have to do this.

~~~
awalton
No, they don't:
[https://apps.fcc.gov/kdb/GetAttachment.html?id=zXtrctoj6zH7o...](https://apps.fcc.gov/kdb/GetAttachment.html?id=zXtrctoj6zH7oNEOO6De6g%3D%3D&desc=594280%20D02%20U-NII%20Device%20Security%20v01r03&tracking_number=39498)

------
giancarlostoro
I wonder if the blocking is simple to circumvent. If people circumvent it, the
fault is not TP-Link's, they had no idea or whatever, right? Either way I'm
sure people would "root" these devices eventually, it usually happens. That or
I could see a market on eBay for older routers.

~~~
pingec
So far I think TP-Link locked down just the web interface. I believe it is
still possible to flash via tftp and some other methods.

When TP-Link plugs these holes there will still exist many exploits possible to
get root access and if not we will have to flash it through SPI.

Edit: here is one of the first exploits available:
[https://forum.openwrt.org/viewtopic.php?id=63123](https://forum.openwrt.org/viewtopic.php?id=63123)

~~~
qb45
This can be easily "fixed" by making the SoC check RSA signatures on flash
contents.

It all really depends on how much the FCC will be willing to bother hardware
vendors whose products end up as popular hack platforms.

------
dconrad
Appears that TP-Link's heart is not in this -- they're doing the minimum to
comply with FCC rules.

Will be interesting to watch the arms race between OpenWRT and the reluctant
ODMs.

~~~
awalton
> Appears that TP-Link's heart is not in this -- they're doing the minimum to
> comply with FCC rules.

The FCC has commented that the minimum is significantly less than what TP-Link
actually implemented. See
[https://ifixit.org/blog/7571/fcc-routers/](https://ifixit.org/blog/7571/fcc-routers/)
(and the linked FCC amendment) for more information.

~~~
moefh
TP-Link appears to be doing the minimum as in "minimum effort", as opposed to
"minimum restriction to firmware modifications".

The article you linked shows that people saw it coming:

> Open source projects might not be fully out of the woods yet, though. A few
> commenters on the FCC’s post have pointed out that some manufacturers might
> choose to lock down the whole router—as opposed to just the radio—as a
> cost-saving measure, even if that’s not what the FCC intended.

------
transfire
Not to worry! Next they'll require an open backdoor into every network.

------
puppetmaster3
This is the most depressing news for the human race during my lifetime.

I see this as a sign of coming total control, followed by lack of initiative and
stagnation of humanity.

------
nickpsecurity
I just bought a TP-Link wireless adapter due to specs, reviews, and OSS
support. Then I read this crap. That's just great. There's actually an obvious
solution to this that gives us plenty of freedom and meets FCC regulations. I'm
not sure why companies aren't doing it. I plan to approach some of them or SOC
providers this year to see if they might help us and them out.

~~~
wmf
Does the obvious solution cost one cent more?

~~~
nickpsecurity
It might cost less, about the same, or slightly more. It's not clear without
more information from their side. Let's just say the techniques I considered
are widely applied in industry in cost-sensitive HW. Even products built
around 8-bit SoCs use similar techniques sometimes.

------
hc000
This is interesting, big companies are moving their enterprise switch /
routers to open source software and Cisco is trying to lock it down. I think
long term, Cisco will lose this battle.

------
wsha
How hard is it to import a European router to the US? Is that illegal? I would
think as long as one operated it within the FCC's limits it would be legal to
use it.

~~~
ycmbntrthrwaway
The problem is that most likely these routers will be locked as well because
of mass production.

------
datashaman
I wonder if this will actually be restricted to US models only, or whether we
will all suffer the same fate.

------
bcook
The FCC ruling seems logical. The earliest "sky is falling" reaction comes
from TP-Link's initial attempt to comply, and even TP-Link's response is
logical and somewhat subdued compared to the alternatives.

TP-Link's response is hopeful in my opinion, compared to what routers were 10
years ago. We are fighting for improvement, and the FCC ruling is simply a
speedbump. The current mentality is openness, as I see it.

------
jacquesm
At some point the FCC and the open source community are going to clash
violently with some reluctant vendor caught in the middle.

~~~
zokier
I thought the point is right here right now?

------
geographomics
Is this really that much of a problem? Circumventing the block sounds like it
could be a rather interesting technical challenge.

~~~
drdaeman
Not really.

Reverse engineering things can be a fun challenge - but not if your purpose is
not to have fun analyzing it, but to do something else, like actually use the
device you bought. If RE is not something you want to do but you have to -
it's more frustrating than interesting.

~~~
geographomics
If you're buying a device to replace the stock firmware with something
customised to your liking, then you're already in the hacker mindset, so
having to tinker that little bit harder surely shouldn't be much of a burden.

~~~
drdaeman
There is a _slight_ difference between flashing a custom firmware (right from
the stock one, no RS232+TFTP or JTAG), and hacking your way through a locked
bootloader.

~~~
geographomics
Only in the amount of effort one is willing to expend in doing so, and
learning any necessary skills. It's only a happy accident that so many
(relatively inexpensive) routers are easily flashable with custom firmware,
not an entitlement.

------
KiDD
BOO!

