Manufacturers are locking down routers
March 23, 2016
Remember when the FCC reassured us last year that it wasn’t going to lock down Wi-Fi routers? And everyone breathed a sigh of relief, because custom router firmware is actually a really good thing? Sure, it’s fun to improve your router by extending the range or making your network friendlier for guests. But open firmware is important for other reasons: it enables critical infrastructure, from emergency communications for disaster relief and building free community access points to beefing up personal security.
Well, there goes that. Because even though the FCC said its new requirements were not intended to lock down router software or block the installation of open source firmware, at least one large manufacturer has reacted by doing just that. And more could follow.
Last month, Libre Planet, a free software community, raised the alarm that TP-Link, one of the largest router manufacturers, had begun locking down firmware in newly released routers. As proof, Libre Planet pointed to a transcript of a support conversation. In the chat, a TP-Link rep says that the lockdown, which blocks the installation of open source firmware, was a reaction to new FCC requirements.
That’s a problem, because alternative router software packages like DD-WRT are hugely popular. These tools provide more sophisticated features and faster security patches than manufacturers offer.
The new TP-LINK FAQ page confirmed the lockdown. The FAQ asks, “Why is TP-LINK limiting the functionality of its routers?” and answers: “TP-LINK is complying with new FCC regulations that require manufacturers to prevent certain firmware customizations on wireless routers.”
What exactly are these regulations? The FCC recently updated its requirements for “U-NII devices operating on the 5 Ghz bandwidth” (a designation that covers a wide range of Wi-Fi devices and routers) to stop users from modifying RF (radio frequency) devices outside of their intended parameters. Last year, the FCC proposed an expansion of the RF modding prohibition to anything with a software-defined radio.
The wording of the rules was met with concern that the FCC was functionally mandating that manufacturers lock down router software. That concern intensified into a full-blown uproar in September after the FCC issued compliance guidance asking manufacturers to “describe in detail how the device is protected from ‘flashing’ and the installation of third-party firmware such as DD-WRT.” DD-WRT is a popular open source firmware available for many consumer routers.
Thousands of people lodged complaints with the FCC, urging the organization to take steps to protect open source software. The outcry prompted an official response from the FCC soon after.
The FCC even changed the troublesome wording in its compliance documents, omitting any reference to ‘third-party software’ and ‘DD-WRT.’
Despite the reassurances, experts were quick to point out that it would be easier, quicker, and cheaper for manufacturers to comply with the rules by just locking down the whole router, whether or not that’s what the FCC intended.
It looks like those fears were warranted. Locking that firmware down seems to be what TP-Link just did.
The company appears to be using this as an excuse to wash its hands of third-party software, even though the FCC’s rules only require the manufacturer to prevent modifications to the RF parameters, not to prevent the installation of third-party firmware.
In the meantime, going over and above the FCC’s rules means TP-Link is pushing the door closed on a lot of the beneficial applications of third-party firmware, including personal security. Open source firmware tends to be more rigorously scrutinized, updated, and secured. Worse, this precedent makes it likely that other manufacturers will take the easy route and lock down their routers as well.
“It’s a sad state of affairs, but custom firmware will eventually be loaded onto these routers; it’s just a little harder now and slightly more absurd,” Hackaday’s Benchoff goes on to say.