Vint Cerf & 200 Friends: Make All Network Equipment Open Source

Vint Cerf, Dave Farber and Dave Täht present to the FCC a plan for more secure, reliable WiFi Routers and Internet. Cerf urges “a bare minimum of openness in the technology at the edge of the Internet.” He believes this would “ensure that any mistakes or cheating are caught early and fixed fast.”

260 engineers joined the call, including prominent ones like Linus Torvalds, Bruce Schneier, David Reed and Paul Vixie. Vendors would be required to post their software on a public repository such as GitHub. They would be required to fix any security holes and provide updates as security problems are discovered. In particular, the FCC rules should:

  • Provide public, full, and maintained source code for review and improvement 
  • Assure that secure firmware updates are available and under owner control 
  • Address known security vulnerabilities in source and binary within specific time frames 
  • Be made aware that noncompliance could result in decertification.

Many, probably most, WiFi routers and smartphones are not updated to fix all known security holes, I believe. Without access to the source code/firmware, users cannot do anything about vulnerabilities in their own equipment. Without access, many Internet advances will be difficult or impossible to implement.

TCP/IP is 42 years old; other Internet software is often a decade or two old. Of course performance, security and bandwidth demands can be improved, I believe. The signers call attention to:
 
“Making Wi-Fi Fast: The CeroWrt team is now working on the Make-Wifi-Fast project, which will vastly improve Wi-Fi functionality, particularly when multiple stations are in use, using open, unpatented, and standards-compliant algorithms and protocols. This work can be incorporated into new Wi-Fi products, and can be retrofitted into hundreds of millions of non-locked existing products. This is all within the existing capabilities of Wi-Fi, and does not affect regulatory compliance.”
 
The context is an FCC proceeding on how to lock down radios, routers, etc. to prevent them from going out of band or using too much power. The suggestion that these principles should extend beyond this limited context is mine.
 
The 200 engineers who signed off on this suggest a totally different approach: make everything open source and (in their opinion) more secure. Bad actors would be controlled by ordinary enforcement procedures, not by locking down the hardware.

A change like this would ordinarily take years to consider. Large companies that want to lock in their users normally would kill this at the FCC. At least three companies – AT&T, Verizon, & Comcast – have influence budgets over $100M. That buys many Congressmen of both parties and exerts enormous pressure on the FCC. (In 15 years of reporting on the FCC, I’ve never seen anything that even smells like bribery. Dale Hatfield says the same from the inside. The FCC is heavily influenced by a few giant companies.)
 
The FCC is now on notice that many of the world’s best engineers think their lockdown proposal is a grave mistake. Will they listen to the engineers and support the public interest?
 
John Stankey, CEO of AT&T Internet, gives me hope. Last year he said “With today’s FCC, no one can predict what they will do.”
 
Here are comments from the experts and the press release.
 
“We are at an important inflection point in the history of the Internet. The FCC has an opportunity to take positive action that will increase the security and performance not only of these devices, but also influence how manufacturers develop secure Internet of Things while preserving an open Internet,” said Jim Gettys, Chairman, Bufferbloat Project.

“Networking research and innovation fundamentally depend on the ability to modify firmware on CPE and deploy it in real-world settings in home networks,” said Dr. Nick Feamster, Acting Director of Center for Information Technology Policy at Princeton University.

“The Internet is now effectively a battleground with end-users, our employers, our schools and our vendors on one side, and organized crime and nation-states on the other side. Our home gateways are often repurposed by our adversaries into weapons against us because these small, cheap plastic boxes are unpatchable, abandoned by their makers, and completely opaque. These devices are currently the Internet’s public enemy #1. The plan proposed would significantly decontaminate our technology supply chain,” said Dr. Paul Vixie, CEO of Farsight Security, Inc. 

 

Here’s the press release

Global Internet Experts Reveal Plan for More Secure, Reliable Wi-Fi Routers – and Internet

Letter to FCC Requests Mandates for Securing and Updating Wi-Fi Devices

October 14, 2015 06:00 AM Eastern Daylight Time

WASHINGTON–(BUSINESS WIRE)–In a letter submitted to the Federal Communications Commission (FCC), Dave Täht, co-founder of the Bufferbloat Project, and Dr. Vinton Cerf, co-inventor of the Internet, along with more than 260 other global network and cybersecurity experts, responded to the newly proposed FCC rules laid out in ET Docket No. 15-170 for RF Devices such as Wi-Fi routers by unveiling a new approach to improve the security of these devices and ensure a faster, better, and more secure Internet.

The letter was filed during the agency’s public comment period on this issue.

Dave Farber, former Chief Technologist of the FCC, supports the new approach, stating, “Today there are hundreds of millions of Wi-Fi routers in homes and offices around the globe with severe software flaws that can be easily exploited by criminals. While we agree with the FCC that the rules governing these devices must be updated, we believe the proposed rules laid out by the agency lack critical accountability for the device manufacturers.”

“We can’t afford to let any part of the Internet’s infrastructure rot in place. We made this proposal because the wireless spectrum must not only be allocated responsibly, but also used responsibly. By requiring a bare minimum of openness in the technology at the edge of the Internet, we’ll ensure that any mistakes or cheating are caught early and fixed fast,” said Dr. Vint Cerf, a co-inventor of the Internet and also Senior Vice President and Chief Internet Evangelist at Google.

To improve accountability significantly while keeping the original intent of the regulation, the signatories, who also included Dr. Paul Vixie, Dr. Sascha Meinrath, Dr. Nick Feamster, Jim Gettys, Dr. David P. Reed, Dr. Andreas Petlund, Jeff Osborn, and other well-known industry experts, recommend the FCC mandate the following actions:

1. Any vendor of software-defined radio (SDR), wireless, or Wi-Fi radio must make public the full and maintained source code for the device driver and radio firmware in order to maintain FCC compliance. The source code should be in a buildable, change-controlled source code repository on the Internet, available for review and improvement by all.

2. The vendor must assure that secure update of firmware be working at time of shipment, and that update streams be under ultimate control of the owner of the equipment. Problems with compliance can then be fixed going forward by the person legally responsible for the router being in compliance.

3. The vendor must supply a continuous stream of source and binary updates that must respond to regulatory transgressions and Common Vulnerability and Exposure reports (CVEs) within 45 days of disclosure, for the warranted lifetime of the product, or until five years after the last customer shipment, whichever is longer.

4. Failure to comply with these regulations should result in FCC decertification of the existing product and, in severe cases, bar new products from that vendor from being considered for certification.

5. Additionally, we ask the FCC to review and rescind any rules for anything that conflicts with open source best practices, produce unmaintainable hardware, or cause vendors to believe they must only ship undocumented “binary blobs” of compiled code or use lockdown mechanisms that forbid user patching. This is an ongoing problem for the Internet community committed to best practice change control and error correction on safety-critical systems.

“Our fight for a free and open Internet began long before the invention and wide use of Wi-Fi home routers, whose manufacturers chose to base on open software. We are at an important inflection point in the history of the Internet. The FCC has an opportunity to take positive action that will increase the security and performance not only of these devices, but also influence how manufacturers develop secure Internet of Things while preserving an open Internet,” said Jim Gettys, Chairman, Bufferbloat Project.

“Networking research and innovation fundamentally depend on the ability to modify firmware on CPE and deploy it in real-world settings in home networks,” said Dr. Nick Feamster, Acting Director of Center for Information Technology Policy at Princeton University.

“The Internet is now effectively a battleground with end-users, our employers, our schools and our vendors on one side, and organized crime and nation-states on the other side. Our home gateways are often repurposed by our adversaries into weapons against us because these small, cheap plastic boxes are unpatchable, abandoned by their makers, and completely opaque. These devices are currently the Internet’s public enemy #1. The plan proposed would significantly decontaminate our technology supply chain,” said Dr. Paul Vixie, CEO of Farsight Security, Inc.

“The recommendations in this document would go a long way toward ensuring the existence of a highly performant, secure, and regulation-compliant Internet far into the future,” said Jonathan Corbet, Executive Editor, LWN.net.

“As the recent revelations about the ‘Moon Worm,’ ‘DNSchanger,’ and ‘Misfortune Cookie’ and now the Volkswagen scandal illustrate, secret, locked-down firmware represents a clear and present danger to the security of the Internet,” said Ted Lemon, recent Area Director at the IETF.

“If we raise the bar for firmware code quality, maintenance, and upgrades, we can finish beating bufferbloat, especially on Wi-Fi, deploy IPv6 faster, improve security, and build a vastly better Internet, for everybody,” said Dave Täht, Architect, CeroWrt, co-founder, Bufferbloat Project.

If you care about this important issue and agree with our approach, please contact your local Congressional representative and share our letter with them. For media interview requests or other inquiries, please contact [email protected].

About the Bufferbloat Project

The Bufferbloat Project is an international coalition of individuals, many who were instrumental in the development of the Internet, and several with Wi-Fi, deeply concerned about the future health, speed, and safety of the edge of the Internet. In operation for 5 years, and working primarily on third-party firmware, it has pioneered new algorithms, boosted safety and security, helped develop new standards, and worked to make as much of this new theory and code available as possible for all to use. For more information, please visit http://www.bufferbloat.net.

 

 
