TP-Link blocks open source router firmware to comply with new FCC rule (arstechnica.com)
166 points by jhack on Mar 11, 2016 | 99 comments



This is the worst part:

>Cisco argues that open source software could be consistent with the FCC's goals. "There is nothing in the Commission's existing or proposed rules that would limit or eliminate the ability of a developer to use Open Source software, including software that controls radio emissions," Cisco said in an FCC filing in November.

>But this would require a more locked-down approach than one in which users can modify the firmware, Cisco said. "The ability to review source code is not inherently incompatible with the notion of locking the integrity of a product against modification or tampering," Cisco wrote. "It is perfectly possible for a product to have source code that is capable of review by the public while that same code is secured inside the device against change by the end-users."

That misses many of the important goals of open source (and points back to the "open source" vs "free software" debate). It's not just about being able to view the existing software, it's about being able to control the systems that process your data.

For example, what if the manufacturer stops supporting the hardware? Today, you can just keep updating openwrt and avoid any security issues. After 2016, that won't be possible.


This is exactly what the GPLv3 protects against.


Which government regulation overrides.


What does that even mean? If regulators say it's illegal to comply with the license terms, you can't use products released under those terms. It's not like the GPL'd components fall into the public domain.


There's a legal order of compliance. You don't get to break the law because you agree to a contract that stipulates you're going to break the law.

In this case, I bet the interpretation would be that if a piece of software requires you to break FCC law if sold as part of a Wifi router, then that software cannot be sold as part of a Wifi router.

Back to VxWorks in other words.


It means you can't license the baseband under the GPL, nor release it to the public.


> It means you can't license the baseband under the GPL, nor release it to the public

...within the jurisdiction of the US Government. Have a look at libdvdcss for guidance on how such a baseband might be developed and distributed.


It doesn't override anything, if vendors must lock down their firmware, then they cannot use GPLv3'd software.


If a clause is contrary to public policy, it may be unenforceable in that jurisdiction and thus they could use the code without violating the license. The unenforceable clause will be skipped over by the courts. It is a nullity.


IANAL, but GPLv3 requires software to be modifiable by a user.

> If you convey an object code work under this section in, or with, or specifically for use in, a User Product, and the conveying occurs as part of a transaction in which the right of possession and use of the User Product is transferred to the recipient in perpetuity or for a fixed term (regardless of how the transaction is characterized), the Corresponding Source conveyed under this section must be accompanied by the Installation Information.

However, it can still be followed by not letting even the Wi-Fi router vendor update the firmware on a device.

> But this requirement does not apply if neither you nor any third party retains the ability to install modified object code on the User Product (for example, the work has been installed in ROM).

Otherwise, you cannot provide the program at all. It's intentional, it's supposed to provide pressure on regulations like FCC regulations, at least in theory (vendors who already use GPLv3 software, could complain to FCC that they cannot use free software licensed under GPLv3).

> If conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot convey a covered work so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not convey it at all.


Nope nope nope. My license can say "cannot distribute in places where law x exists." My license can say "no one can distribute. period."


No, they couldn't. The GPL is a grant of rights, not a restriction of them - if you can't fulfil the criteria then you do not get the grant, regardless of public policy.


While I agree with you, if they don't have to release it, you'll never know unless you can successfully decompile the firmware.


This could already be the case with closed source firmwares, which could be using unlicensed non-FOSS blobs too for all you know.

If we're ignoring licences now then this is a different argument.


Nope nope nope. GPL is a binary decision whether you are in compliance and can distribute or not. So, in this case, it would be negative, not allowed to distribute. Unless the law requires someone to distribute GPL software, which it doesn't, there is no conflict here.



Glad you brought this to my attention. My proprietary vs OSS essay promoting hybrids was going to change OSS to shared source to avoid confusion of established OSS definitions. Now, I suddenly find Microsoft has a brand of initiatives called Shared Source. They had to pick the most generic, intuitive thing I could come up with. This will probably cause confusion at some point. (sighs)

Might get away with it but maybe need alternatives. If not "open source" or "shared source," what's a generic phrase for software that includes the source but not necessarily OSS principles.


hybrids are sometimes referred to as "open core projects".

A free software (often copyleft) core with addons, which usually means that contributions to the core are riddled with CLAs or other hurdles, if possible at all.

See mysql, openoffice (pre-Apache), ...


I'll try to remember that. Although, my model allows for entirely proprietary software with source available for review, extension, whatever. Any combo of source availability, freedom, or paid so long as a review is possible. I explained more in this essay:

http://pastebin.com/eRGtedU4


Why not focus on the specific properties you want? Something like "auditable source", which also implies a reproducible build.


Another good one. Thanks.


> If not "open source" or "shared source," what's a generic phrase for software that includes the source but not necessarily OSS principles.

"Published source"?


Appreciate the suggestion.


"transparent source"?


I like the word "transparent" especially as my main application area is countering subversion or fixing problems. Great idea. :)


I like Openly Developed.


Thanks for the suggestion.


It's amazing to me that instead of seeking out and prosecuting the handful of people causing problems near airports, the FCC wants to prevent everyone in the United States from running open source router firmware.


Are there any documented cases where people were near airports causing such problems with things like OpenWRT, DD-WRT, etc?

Something tells me that cases demonstrating the need for such a ruling are hard to come by.


Regulating the proper use of a shared public resource (RF spectrum) is sort of the FCC's thing. Tragedy of the commons, your rights end where the next person's begin, that sort of jazz.

This will probably evolve into the baseband firmware being closed, and the higher abstractions being open (with an API to interface to the baseband). Just like cellphones. Which is acceptable unless you're unrealistic about necessary regulations.

EDIT: If you don't believe regulation is required, think about tens or hundreds of thousands of wireless devices in the wild that can cause RF interference with no ability to get them recalled.

That time Netgear negligently hardcoded the address of University of Wisconsin's NTP server comes to mind: http://pages.cs.wisc.edu/~plonka/netgear-sntp/


> Regulating the proper use of a shared public resource (RF spectrum) is sort of the FCC's thing. Tragedy of the commons, your rights end where the next person's begin, that sort of jazz.

Right. So they should go after people who actually misuse the spectrum, and not people who install their own firmware without doing that.

Or go after the people who are distributing firmware that misuses the spectrum.

> This will probably evolve into the baseband firmware being closed, and the higher abstractions being open (with an API to interface to the baseband). Just like cellphones

The problem is including separate hardware to lock only the baseband is more expensive than locking the entire device. Smart phones cost several times what consumer-level routers do, and that's after the phone is subsidized by advertising and app store revenue.


> Right. So they should go after people who actually misuse the spectrum, and not people who install their own firmware without doing that.

I don't want the FCC trying to obtain the resources to patrol the RF spectrum across millions of US square miles. Cheaper to simply regulate control over the RF hardware.

Ham radio operators have to take tests to operate in certain areas of spectrum. I'd be willing to allow experimentation with RF hardware if RF hackers want to go through the same licensing requirements that already exist.

> The problem is including separate hardware to lock only the baseband is more expensive than locking the entire device. Smart phones cost several times what consumer-level routers do, and that's after the phone is subsidized by advertising and app store revenue.

The baseband is proprietary in all phones, even those in the $10-30 range. Cost is not the issue.

Full Disclosure: I have a technical ham radio license, and own a HackRF device for experimenting with RF (I only receive though when hacking; AIS, ADS-B, and other such traffic)


> I don't want the FCC trying to obtain the resources to patrol the RF spectrum across millions of US square miles.

Why would they need to? If someone is causing interference then the victims can report it.

It's not like there are going to be millions of different people causing interference. The only way it possibly happens on a mass scale is if someone is mass distributing bad firmware, and then you can go after them.

> Cheaper to simply regulate control over the RF hardware.

Except that it isn't. At all. First, there is software defined radio, then there is hardware from other countries, and then there is the fact that because they're limiting access to the whole device, people are definitely going to figure out how to bypass it for at least some devices, so the regulations can't be effective anyway.

> Ham radio operators have to take tests to operate in certain areas of spectrum. I'd be willing to allow experimentation with RF hardware if RF hackers want to go through the same licensing requirements that already exist.

It isn't about people experimenting with RF hardware. For that use case what you're talking about is fine. But people who have no interest in RF hardware and just want to install OpenWRT should still be able to do it. On everything. Because otherwise, whatever people can't install it on becomes a security zombie as soon as the manufacturer stops supporting it but the customers keep using it.

> The baseband is proprietary in all phones, even those in the $10-30 range. Cost is not the issue.

Then how are we discussing this on an article that says a router maker has decided that it's cheaper to lock the whole device than just the baseband?


> It's not like there are going to be millions of different people causing interference

Why not? When someone has trouble with wifi in their apartment because there are a zillion other wifi networks in their neighborhood, and they Google for "boost my wifi signal" or similar they are going to get several articles that suggest installing open source firmware so they can tweak performance parameters that they cannot with the stock firmware, including tweaking transmit power.


Then the FCC can go to the people making that firmware and demand that they remove the option that allows violating FCC regulations or face a large fine. The developers presumably didn't intend to violate FCC regulations, so they comply, and then that stops happening.

It's not like there are millions of different people making open source router firmware. There are a small handful.


And somebody else posts the re-enable code the next day, or forks the repo and undoes that change. Or...


The change is a bug fix. People don't want to distribute firmware that causes problems for people.

And if someone did purposely want to cause problems, there are much cheaper, easier and more effective ways to do it than this.


Not to someone that wants to turn up their signal power it isn't, they don't consider themselves to be causing problems, they just don't care so much about other people.

You can't really place restrictions like this in FOSS software. It doesn't work.


> Then how are we discussing this on an article that says a router maker has decided that it's cheaper to lock the whole device than just the baseband?

Because people are entitled? And think they have rights that they don't? You have a right to software under a certain license. If government regulation prevents that layer of software from being open source, it isn't. What about that is difficult to understand?

> But people who have no interest in RF hardware and just want to install OpenWRT should still be able to do it. On everything.

There is no law, regulation, whatever that says this is required by a manufacturer. You are free to your opinion, of course.


> Because people are entitled?

That is correct. People are entitled to control the things that they own.

> If government regulation prevents that layer of software from being open source, it isn't. What about that is difficult to understand?

It isn't difficult to understand. It is unacceptable.


> That is correct. People are entitled to control the things that they own.

so long as it doesn't affect others. Just like existing cell phone regulation. Do you own a cell phone? You already own a device you cannot fully control.


> so long as it doesn't affect others.

Exactly. So people should be able to install OpenWRT as long as they don't actually cause interference.

> Do you own a cell phone? You already own a device you cannot fully control.

Sensible people have objected to that for similar reasons.


There is scads of legal precedent that some actions that may not result in harm are still not permissible because of risk, or consequence, or difficulty of policing, etc.

HN has a rather libertarian bent and loves to suggest what you've suggested- that actual harm is the only thing that ought to be prohibited. But (IMO) that isn't always suitable.


> There is scads of legal precedent that some actions that may not result in harm are still not permissible because of risk, or consequence, or difficulty of policing, etc.

And those things are the last resort after we've proven with much hard thinking and a long stint of trial and error that nothing else can possibly work. Even at that point we would still have to evaluate whether the cure is worse than the disease.

Are you seriously contending that this is such a case? Custom router firmware is in the same category as private ownership of smallpox and nuclear materials?


This is consumer gear. It has hardware filters. It has hardware power limiting. It has hardware implementation of the physical layer. Again: this is consumer gear.

It is very very difficult to do any kind of harm in the spectrum with these devices. Much easier to do damage at layer 2 and beyond, which is of course what this doesn't fix at all. I figure you cited a misconfiguration and software bug because you can't actually find any kind of incident caused by consumer gear routers running with custom firmware that involves any kind of RF?

It's quite ridiculous to hear a ham radio operator applaud the FCC on regulating routers that will by hardware design never, ever output on spectrum where they could do any sorts of damage while the same agency happily approves of powerline communications adapters that turn mains wiring into antennas.


It's pretty inconvenient for people who want to experiment with e.g. mesh networks, ham radio, etc as mentioned in the article. Also, it seems a bit silly, as true SDR prices are going to keep going down. You can already buy a HackRF for $300 or a YardStick for $150.

I'd be in favor of requiring a significant technical burden to enable access to the wireless hardware. Maybe make people open the case and solder a jumper. But there should always be a path forward for experimentation.


> But there should always be a path forward for experimentation.

That's not how regulation of consumer hardware works. Experimentation allowed in spectrum? Sure. Require consumer hardware be able to do so? No.


> Also, it seems a bit silly, as true SDR prices are going to keep going down. You can already buy a HackRF for $300 or a YardStick for $150.

I know YardStick can't do WiFi frequencies and even if it did the throughput is 500 kbps max. Is HackRF actually beefy enough to act as a WiFi radio? Do you know about the state of doing WiFi in SDR in general? I was under the impression that it's not practical with any remotely affordable hardware, but I'd be interested to hear if I'm wrong as I'm not that well informed on the subject.


It is the same kind of idea of banning big scary guns instead of going after the people who use guns to commit crimes (and also ignoring that the people who do commit crimes often aren't even using the big scary guns).

Regulators gonna regulate!


What country do you live in? In the US, gun violence is a real serious crime and the police will use all their resources to go after criminals yet we are a world leader in gun violence. It's probably something to do with guns being so unregulated, plentiful, and easy to get here...


I was talking about different forms of gun violence. Namely, bigger, scarier, more powerful weapons are the least likely to be used in a crime but which receive the most regulations. Such as 'assault weapon' laws which ignore all the handguns used in gang violence.


Obviously, a country that has no guns also has no gun violence, but such a country may have a higher violence rate overall. Guns also prevent at least some violence, you need to take it into account.


Plus, if we limit that ability, no malicious people will figure out how to buy a single-board computer with some type of open radio platform </s>


If this is going to be the "new normal" then I'm thinking that the best way to go would be to use a low-power PC or ARM system with two NICs as my router, and use dedicated access points for wireless. I'm not going to put up with crappy router firmware.


You should still want the benefits of open-source wireless. Only the open drivers will benefit from new algorithms for per-packet transmit power control (https://github.com/thuehn/Minstrel-Blues) and queuing/QoS that is designed for wifi (http://thread.gmane.org/gmane.linux.network/401202). Plus, the open drivers get bug fixes to the point that they're actually stable.


All the more reason to support the Turris Omnia [1]. Open hardware / software [2]:

  [1] https://omnia.turris.cz/en/

  [2] https://github.com/CZ-NIC/turris-os

  [3] https://www.indiegogo.com/projects/turris-omnia-hi-performance-open-source-router#/


So, then, I guess they are going to stop using GPL/LGPL software or will soon be enjoying the wrath of the SFLC.

Time to go give some money to bradley :)


...and now nobody will buy TP-Link routers, once the Amazon reviews are filled with 1 stars.

The market will likely sort this out for itself.


Hah, yeah right. The general consumer simply doesn't care they can't flash open source firmware. For every 1 star review from someone who does care, there'll be plenty of 5 star reviews from regular users who have their needs filled by the router with default firmware.


There is no way to comply with those regulations without prohibiting software updates on the current generation of WiFi chips because they don't enforce regulatory constraints in hardware - it's the driver's job.

I expect all other vendors to do the same, at least for now. Market can't sort this out.


I'll make sure my next router is not TP-Link. I'm upgrading in about a month.


From their FAQ, the change will only happen on routers produced after June of this year. So technically, the best time to buy a TP-Link router is right now!


The cheap option is to lock down everything, other manufacturers will follow suit.

The average person doesn't care.

We thought the same thing about privacy and user data mining, but look where we are.


It seems it would be only a matter of time before other manufacturers join TP-Link on this.


They all have to do this.



No, they do not, they just chose to take the easy way out and prevent flashing an open source firmware.


I wonder if the blocking is simple to circumvent. If people circumvent it, the fault is not TP-Link's, they had no idea or whatever, right? Either way I'm sure people would "root" these devices eventually, it usually happens. That or I could see a market on eBay for older routers.


So far I think TP-Link locked down just the web interface. I believe it is still possible to flash via tftp and some other methods.

When TP-Link plugs these holes there will still exist many exploits possible to get root access and if not we will have to flash it through SPI.

Edit: here is one of the first exploits available: https://forum.openwrt.org/viewtopic.php?id=63123


This can be easily "fixed" by making the SoC check RSA signatures on flash contents.

It all really depends on how much the FCC will be willing to bother hardware vendors whose products end up as popular hack platforms.


Good point. I mean, these are low margin devices.... how much is TP-Link going to spend to try and prevent rooting?


I just bought one of the affected TPLink models. Personally I hope this means more vendors ship a good quality copy of OpenWRT a la Buffalo (though I ended up sticking with their modified version) as an officially supported firmware. People who buy premium routers are aware enough of the benefits that it is worth it for Buffalo to ship it on their devices. I can't see it not being a value add for others.


Wait... the article says the change isn't happening until June 2nd of this year.... how do you already have one of the affected models?


22 days ago: TP-Link begins router firmware lockdown due to FCC proposed regulation (ninux.org) https://news.ycombinator.com/item?id=11122966


Sorry, I guess it's more accurate to say that the model will be affected in the future. I'm obviously still able to put OpenWRT on the one I actually own.


Appears that TP-Link's heart is not in this -- they're doing the minimum to comply with FCC rules.

Will be interesting to watch the arms race between OpenWRT and the reluctant ODMs.


> Appears that TP-Link's heart is not in this -- they're doing the minimum to comply with FCC rules.

The FCC has commented that the minimum is significantly less than what TP-Link actually implemented. See https://ifixit.org/blog/7571/fcc-routers/ (and the linked FCC amendment) for more information.


TP-Link appears to be doing the minimum as in "minimum effort", as opposed to "minimum restriction to firmware modifications".

The article you linked shows that people saw it coming:

> Open source projects might not be fully out of the woods yet, though. A few commenters on the FCC’s post have pointed out that some manufacturers might choose to lock down the whole router—as opposed to just the radio—as a cost-saving measure, even if that’s not what the FCC intended.


At the very least they could start selling some DD-WRT routers to appease the critics and make them forget all of their other products are closed, but they aren't even willing to do that.


This is why I always buy Buffalo routers. They are marginally more expensive, but in the same way I will intentionally buy laptops that ship with Linux as a price premium, I'll also buy routers that ship open source firmware by default because my money sends a message.

It does not matter that I replaced Ubuntu on my Galago with Arch or the DDWRT on my wzr-n600 with OpenWRT, because I'm on the books at these companies buying hardware running open source software.


Not to worry! Next they'll require an open backdoor into every network.


This is the most depressing news for the human race during my lifetime.

I see this as a sign of coming total control, followed by lack of initiative and stagnation of humanity.


I just bought a TP-Link wireless adapter due to specs, reviews, and OSS support. Then I read this crap. That's just great. There's actually an obvious solution to this that gives us plenty freedom and meets FCC regulations. I'm not sure why companies aren't doing it. I plan to approach some of them or SOC providers this year to see if they might help us and them out.


Does the obvious solution cost one cent more?


It might cost less, about the same, or slightly more. It's not clear without more information from their side. Let's just say the techniques I considered are widely applied in industry in cost-sensitive HW. Even products built around 8-bit SOC's use similar techniques sometimes.


This is interesting, big companies are moving their enterprise switch / routers to open source software and Cisco is trying to lock it down. I think long term, Cisco will lose this battle.


How hard is it to import a European router to the US? Is that illegal? I would think as long as one operated it within the FCC's limits it would be legal to use it.


The problem is that most likely these routers will be locked as well because of mass production.


I wonder if this will actually be restricted to US models only, or whether we will all suffer the same fate.


The FCC ruling seems logical. The earliest "sky is falling" reaction comes from TP-Link's initial attempt to comply, and even TP-Link's response is logical and somewhat subdued compared to the alternatives.

TP-Link's response is hopeful in my opinion, compared to what routers were 10 years ago. We are fighting for improvement, and the FCC ruling is simply a speedbump. The current mentality is openness, as I see it.


At some point the FCC and the open source community are going to clash violently with some reluctant vendor caught in the middle.


I thought the point is right here right now?


Is this really that much of a problem? Circumventing the block sounds like it could be a rather interesting technical challenge.


Not really.

Reverse engineering things can be a fun challenge - but not if your purpose is not to have fun analyzing it, but to do something else, like actually use the device you bought. If RE is not something you want to do but you have to - it's more frustrating than interesting.


This, and also it can become a whack-a-mole game with vendors threatened by the FCC, possibly ending up in shit like encrypted firmware. Go ahead and hack that.


If you're buying a device to replace the stock firmware with something customised to your liking, then you're already in the hacker mindset, so having to tinker that little bit harder surely shouldn't be much of a burden.


There is a slight difference between flashing a custom firmware (right from the stock one, no RS232+TFTP or JTAG), and hacking your way through a locked bootloader.


Only in the amount of effort one is willing to expend in doing so, and learning any necessary skills. It's only a happy accident that so many (relatively inexpensive) routers are easily flashable with custom firmware, not an entitlement.


BOO!



