“We can't afford to let any part of the Internet’s infrastructure rot in place,” Vint Cerf told the FCC. Cerf, co-inventor of the Internet, is fed up with the seemingly endless supply of security vulnerabilities in Wi-Fi routers. He’s not alone as more than 260 global network and cybersecurity experts believe the state of Wi-Fi routers is “dismal” and the FCC’s proposals to secure such devices risks “permanently locking in place buggy and insecure software.”
It seems like every time you turn around, another router is deemed vulnerable to being hacked; in fact Netgear just published new firmware after publicly disclosed vulnerabilities and reports of up to 10,000 routers being taken over. It’s such an epidemic that a vigilante has been infecting routers and other Linux-running IoT devices in order to secure them and keep the devices protected from other potential malware infections. Even after critical vulnerabilities in router firmware have gone public, it often takes vendors a horrendously long time to release new “secured” versions. As Michael Horowitz politely put it, the software in routers is “buggy as heck.”
In a letter (pdf) to the FCC, the global Internet experts strenuously advise the FCC “against prohibiting changes to firmware of devices containing radio components, and furthermore advise against allowing non-updatable devices into the field.” Instead, they unveiled a new plan for more secure and reliable Wi-Fi routers.
When the FCC proposed new rules (pdf) for Wi-Fi routers and RF devices, rules which were meant to improve security and ensure a faster and more secure Internet, one document (pdf) in particular caused concern that the FCC intended to ban open source router firmware versions like DD-WRT or Tomato. A petition started by the EFF stated, “Router manufacturers are notoriously slow about updating their software – even with critical security fixes on the way. Under the FCC's proposal, you could have no alternative to running out-of-date and vulnerable firmware."
Eventually the FCC clarified that it began the new rulemaking after “illegally modified equipment” caused interference with terrestrial Doppler weather radar at airports; the FCC said it didn’t “want to ban mod software completely,” but it wanted manufacturers to certify that their devices could not be modified in a way that caused “harmful interference.”
But the experts believe “most Wi-Fi router software today is shipped with ancient code, rife with security holes and bugs.” The FCC’s proposed rules put the ability to replace router firmware “in jeopardy;” instead, the experts recommend for the FCC to mandate the following actions:
- Any vendor of software-defined radio (SDR), wireless, or Wi-Fi radio must make public the full and maintained source code for the device driver and radio firmware in order to maintain FCC compliance. The source code should be in a buildable, change-controlled source code repository on the Internet, available for review and improvement by all.
- The vendor must assure that secure update of firmware be working at time of shipment, and that update streams be under ultimate control of the owner of the equipment. Problems with compliance can then be fixed going forward by the person legally responsible for the router being in compliance.
- The vendor must supply a continuous stream of source and binary updates that must respond to regulatory transgressions and Common Vulnerability and Exposure reports (CVEs) within 45 days of disclosure, for the warranted lifetime of the product, or until five years after the last customer shipment, whichever is longer.
- Failure to comply with these regulations should result in FCC decertification of the existing product and, in severe cases, bar new products from that vendor from being considered for certification.
- Additionally, we ask the FCC to review and rescind any rules for anything that conflicts with open source best practices, produce unmaintainable hardware, or cause vendors to believe they must only ship undocumented “binary blobs” of compiled code or use lockdown mechanisms that forbid user patching. This is an ongoing problem for the Internet community committed to best practice change control and error correction on safety-critical systems.
“We made this proposal because the wireless spectrum must not only be allocated responsibly, but also used responsibly,” said Cerf. “By requiring a bare minimum of openness in the technology at the edge of the Internet, we'll ensure that any mistakes or cheating are caught early and fixed fast.”
Recent IETF Area Director Ted Lemon pointed at Moon Worm, DNSchanger, Misfortune Cookie and the Volkswagen scandal as proof that “secret, locked-down firmware represents a clear and present danger to the security of the Internet.”
The letter states:
Requiring all manufacturers of Wi-Fi devices to make their source code publicly available and regularly maintained, levels the playing field as no one can behave badly. The recent Volkswagen scandal with uninspected computer code that cheated emissions testing demonstrates that this is a real concern.
“The Internet is now effectively a battleground with end-users, our employers, our schools and our vendors on one side, and organized crime and nation-states on the other side. Our home gateways are often repurposed by our adversaries into weapons against us because these small, cheap plastic boxes are unpatchable, abandoned by their makers, and completely opaque. These devices are currently the Internet's public enemy #1. The plan proposed would significantly decontaminate our technology supply chain,” said Farsight Security CEO Dr. Paul Vixie.
The experts’ plan has advantages like allowing the “correctness of software drivers,” which are “now hidden in binary ‘blobs’” to be verified; freeing router vendors that publish source code “from the legal risk of being forced to cease shipping code for which they no longer have a license;” improving spectrum utilization and opportunities for innovation which could “make the network ‘work better’ without affecting compliance.”
“Today there are hundreds of millions of Wi-Fi routers in homes and offices around the globe with severe software flaws that can be easily exploited by criminals,” said former FCC Chief Technologist Dave Farber. “While we agree with the FCC that the rules governing these devices must be updated, we believe the proposed rules laid out by the agency lack critical accountability for the device manufacturers.”
The experts concluded:
The FCC should step back, and prepare rules to enhance the security, reliability and functionality of the routers that operate home and business networks. These rules should increase visibility into the source code that operates these routers, and encourage best software practices to create a better future for billions of Wi-Fi devices already deployed, and the billions to come, as well as a freer, faster, and safer Internet.