A few months ago, the FCC issued a set of security requirements meant to ensure that routers stayed within their assigned spectrum bands and didn’t cause problems for other hardware operating nearby. The rules caused significant concern in the router modding and security communities, however, because they specifically called out DD-WRT as a software package that should be blocked from install, and required manufacturers to submit an action plan detailing how they would prevent the use of unauthorized firmware. While the FCC’s goal — preventing unauthorized spectrum usage — wasn’t something many people had a problem with, the fear was that manufacturers would take the opportunity to kill third-party firmware support altogether, rather than trying to sandbox spectrum adjustments to meet FCC guidelines.
The FCC has now stripped the previous language from its documentation and no longer refers to DD-WRT as an application that should be blocked from running. Instead, it says:Describe, if the device permits third-party software or firmware installation, what mechanisms are provided by the manufacturer to permit integration of such functions while ensuring that the RF parameters of the device cannot be operated outside its authorization for operation in the US. In the description include what controls and/or agreements are in place with providers of third-party functionality to ensure the devices’ underlying RF parameters are unchanged and how the manufacturer verifies the functionality.
This was followed by a blog post by Julius Knapp, chief of the Office of Engineering and Technology. In the blog post, Knapp notes that while the overall comments supported the FCC’s goals, “one particular element generated thousands of comments from individuals concerned that the proposal would encourage manufacturers to prevent modifications or updates to the software used in devices such as wireless local area networks (e.g., Wi-Fi routers).”
Knapp goes on to write that the FCC’s proposal is absolutely not intended to encourage manufacturers to ban third-party router firmware or to enact restrictions. He notes that the FCC’s guidance on such issues must be absolutely clear, acknowledges that previous wording had not accomplished this, but that the revised document should properly convey the necessary restrictions. He also notes that the FCC has engaged with various stakeholders on a one-on-one basis to confirm that the government body had no intent of banning DD-WRT or similar projects.
Will this actually solve the problem? That’s less clear. Much depends on exactly how robust the FCC wants these locks to be, and what level of proof manufacturers are actually required to demonstrate. Some areas of the device can be locked out with custom firmware that refuses to adjust antenna power or frequencies outside of the legally defined spectrum, even if ordered to do so in software. It’s also possible to use one-way fuses in hardware to perform some of these lockouts.
On the other hand, the simplest way to meet FCC requirements might still be to lock the router down. If the user can’t install any third-party firmware, the user can’t crack the router to gain access to capabilities they aren’t supposed to use.
Manufacturers might adopt a bifurcated strategy, in which cheap routers with minimal capabilities are locked down, but users can pay extra for unlocked routers that are capable of loading third-party firmware. From the manufacturer’s standpoint, this is the best of both worlds — it prevents customers from flashing cheap routers to gain expensive features, it complies with the FCCs’ directives, and it creates a new premium market for a previously free features. The best features, after all, are the ones you can monetize without needing to develop them first.