Comment re: Proposed Rulemaking on Software Defined Radios
==========================================================

I am an EU resident and citizen, and a software engineer involved in cutting-edge networking research. I wish to make certain that the FCC is aware that their regulations have global effects, not merely local to the United States.

I and others firmly believe that these newly proposed certification rules:

- will likely have deeply harmful effects,
- address a theoretical harm which has not been clearly demonstrated to exist in practice,
- will also be ineffective at achieving their stated goal.

I would like to take this opportunity to briefly outline alternative rules which would more carefully address the problem, avoiding the disadvantages listed above.

Global Reach
============

It is a sad fact that most electronic device manufacture no longer takes place in the Western Hemisphere. Reduced labour costs and less restrictive regulations in the Far East mean that most consumer devices are designed and made there, and only reach America and Europe by export.

If faced with tight regulations for imported devices, these manufacturers have few choices:

- Abandon the restrictive market entirely. North America is a large market, so this would be undesirable for the manufacturer, not merely for the consumer, who would be left with reduced choice.
- Produce a separate, specially adapted product for the restrictive market. For large, durable goods such as road vehicles, it is possible to make such adaptations without much impact on final prices. However, this would unacceptably increase design and manufacturing costs for small, relatively cheap consumer electronics devices, by disrupting the economies of scale that these manufacturers rely on.
- Produce a single product adapted for the most restrictive market the device is sold to. This effectively imposes these restrictive regulations globally.
It seems clear that most consumer device manufacturers will choose the last of these options. That is why I am writing this comment.

Unintended Harms
================

The proposed regulations do not clearly define the limits of what must be protected, especially considering the inevitable fact that the relevant reader - based in the Far East - speaks English only as a second language. This will lead to a misunderstanding of the true requirements, with the following likely consequences:

- Firmware modification will be prevented on the entire device, not just the parts which intentionally radiate RF energy.
- Software updates will be disallowed as well, even when they are clearly necessary to fix bugs and security holes in the original, certified firmware.
- Malicious actors (including such state-level actors as the NSA, GCHQ, Russia and China) will find and exploit holes unknown at the time of certification. This already occurs, due to the minimal effort manufacturers currently put into producing secure, high-quality firmware, but it will become difficult or impossible to close these holes subsequently, as is presently possible by installing third-party, actively maintained firmware such as OpenWRT.
- Legitimate end-user modifications, including those performed by licensed amateur-radio operators (whose permitted frequencies overlap with the capabilities of many SDR devices), will be actively discouraged. Amateur radio has often proved invaluable during crises, including natural disasters and terrorist attacks; hampering its capabilities in this way could conceivably have fatal consequences.
- Research which requires firmware modifications will be severely hampered. One current focus of this research is improving the robustness and latency of wired and wireless networks through advanced queuing disciplines; this requires close integration with the relevant network hardware.
  For example: http://www.bufferbloat.net/projects/codel/wiki/CakeTechnical
- FCC-compliant devices will be unable to use the wider frequency ranges and higher powers that may be available in other jurisdictions.
- Devices sold abroad, but brought to the US by visitors, will radiate beyond the regulated limits (e.g. on channels 12-14 in the 2.4GHz band), with no way for the user to prevent it, unless those capabilities are denied even in jurisdictions in which they are permitted.
- An entire class of innovative products may be stifled by the increased regulatory burden.

It is worth emphasising that most recent Wi-Fi devices use SDR techniques, and thus fall under these proposed rules. One reasonable interpretation of the rules as presently proposed would encompass an entire laptop, including its operating system and applications, as the device for which software modifications are to be prevented. If this seems absurd - as it should - then there is clearly scope to define the rules more narrowly.

Ineffectiveness
===============

As noted above, Far East manufacturers do not have an intrinsic incentive to adopt genuine best practices with respect to software quality and security. While regulations can impose extrinsic incentives, these serve only to enforce the appearance of security, not its effect in practice. This inevitably leads to measures which impose at least as much inconvenience and frustration on end-users as a genuinely secure system would, but without noticeably impeding the efforts of experienced, motivated attackers.

Previous experience in this area can be seen in the Digital Rights Management sphere, where technologies such as corrupted floppy-disk sectors, DVD’s CSS encryption, SecuROM, HDMI’s HDCP et al. have all been bypassed, some with greater ease than others. Of those mentioned, HDCP is both the least intrusive - most consumers are completely unaware of its operation - and has stood the test of time best, but it too was eventually cracked.
Some DRM technologies actively harmed the equipment of legitimate users, in pursuit of the extrinsic goal of copy-protection imposed by the entertainment industry, but were immediately bypassed by experienced “software pirates” - the supposed targets of the technology - who already routinely removed copy-protection software before repackaging the product for distribution.

The response of corporations to security breaches is also instructive: regulations have been necessary even to make them admit that a major consumer-privacy breach has occurred, and even then cover-ups undoubtedly still occur. This type of regulation is more difficult to extend to the Far East, where it would be required.

Typically, consumer devices of this type are based on a standard piece of hardware which, to simplify software development, has a variety of debugging interfaces included - generally a serial console and a JTAG debugger interface. While the connection headers are generally omitted from the final product for cost reasons, it is easy for an engineer or hacker to fit them manually, using a soldering iron. Instructions for doing so are widely circulated for legitimate purposes, such as porting OpenWRT to the wide range of new devices which regularly appear on the market. It seems highly unlikely that these interfaces can be modified or disabled in a way that would not also inhibit the manufacturer’s own development practices. Hence, even if these debug interfaces become the only reliable way to modify firmware (thus removing this option from the general consumer), they will remain available to sufficiently motivated individuals and organisations.

Absence of Harm
===============

In proposing these rules, the FCC has not clearly articulated a specific harm that they could reasonably address.
It has cited only the “potential” for the originally licensed and certified emissions limits to be bypassed, with no evidence that this is already occurring or likely to occur in practice, and some images of interference caused to a handful of obsolete radar installations (which are already due for replacement) by devices already in the field - devices which can reasonably be assumed to be certified and compliant in any case, but whose emissions can in aggregate be detected by sensitive equipment.

Meanwhile, it is straightforward and inexpensive to construct devices which do emit harmful interference in the relevant bands, whether using SDR techniques or not. It is arguably easier to do so than to modify an existing device’s firmware to do so, even without any technological restrictions on the latter.

There has also, surprisingly, been little or no mention of any harm caused by certified and compliant devices which have been configured for a foreign jurisdiction with more permissive regulations. For example, 2.4GHz channels 12 and 13 are available in the EU but not in the US; channel 14 is available only in Japan. Power limits also vary between regulatory domains. The volume of visitors to the US from these regions, and the general ignorance among consumers of these differences, implies that a significant amount of misconfigured radio equipment already exists in the US at any given time.

Alternatives
============

I make the charitable assumption, here, that reducing the potential for accidental emissions beyond the regulated limits is a desirable goal. Here are some rules which address this goal while also retaining the ability to modify device firmware. This should reduce harms on both sides of the equation, as well as being more realistically practical to implement.

- Isolate the components of the radio responsible for the frequency and intensity of emissions from the rest of the system, and provide a narrow, clearly defined interface between the two.
  This reduces the attack surface, making these isolated components easier to secure. This isolation boundary may include, at most, the components of a distinct module such as a PCI Express card (which is currently the industry-standard method of attaching Wi-Fi radios to a device); preferably it would encompass only a minimal portion of that hardware.
- Store the firmware of the isolated components securely within those components, eliminating the dependence on the integrity of the larger device’s software or firmware for compliance. The isolated components can then be certified separately from any device they may be attached to. It should, in this case, be possible to adjust certain parameters of the emission spectrum to cater for different regulatory domains; this could be done via a regulatory-domain configuration file uploaded through the defined interface, or via a simple numerical selector between such files stored within the firmware.
- Alternatively, integrate a cryptographic verification system within the isolated components, which ensures that firmware loaded into the components is verified as authentic before use. This would allow updates to the firmware to be distributed after sale of the device, or different firmware to be loaded for different regulatory domains, while still ensuring that only certified firmware is loaded.
- Alternatively, publish the firmware for the isolated components in a human-readable format, so that it can be audited for compliance and modified if necessary. It must then be straightforward to verify (through conversion of the human-readable version into device format) that the published firmware corresponds to that actually loaded into devices on sale. This option is the most beneficial for amateur-radio operators and researchers, since they would then be able to modify the firmware to meet their needs; they would of course assume liability for any regulatory compliance problems their modifications introduce.
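As an added illustration of the isolated-module approach described above (this is example code written for this edit, not part of the original comment and not any vendor's firmware), the following Go sketch shows what the narrow interface between host and radio might look like when the second and third alternatives are combined. The module holds a certification public key fixed at manufacture, accepts a regulatory-domain file only if it carries a valid signature from that key, and afterwards refuses any tuning request outside the loaded limits, whatever host firmware issued it. Go is used because its standard library includes Ed25519, so the example runs without extra dependencies; the type names, the JSON layout of the domain file, the `LoadDomain`/`SetChannel` interface and the channel and power figures are all assumptions made for the example, not the real FCC or ETSI tables.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// DomainLimits is the hypothetical "regulatory-domain configuration file":
// the only emission-relevant parameters the isolated radio module accepts.
type DomainLimits struct {
	Domain   string `json:"domain"`   // e.g. "US", "EU", "JP"
	Channels []int  `json:"channels"` // permitted 2.4 GHz channel numbers
	MaxDBm   int    `json:"max_dbm"`  // maximum transmit power
}

// SignedConfig is the blob handed across the narrow host-to-radio interface.
type SignedConfig struct {
	Payload   []byte // JSON-encoded DomainLimits
	Signature []byte // Ed25519 signature over Payload by the certification key
}

// RadioModule models the isolated component. The certification public key
// is fixed at manufacture; nothing reachable from the host can change it.
type RadioModule struct {
	certKey ed25519.PublicKey
	limits  *DomainLimits // nil until a verified domain file has been loaded
}

func NewRadioModule(certKey ed25519.PublicKey) *RadioModule {
	return &RadioModule{certKey: certKey}
}

var (
	ErrNotConfigured = errors.New("radio: no verified regulatory domain loaded")
	ErrBadSignature  = errors.New("radio: regulatory config signature invalid")
)

// LoadDomain accepts a domain file only if its signature verifies under the
// certification key. A tampered or unsigned file leaves the module in its
// previous state, so a failed load cannot widen the emission envelope.
func (m *RadioModule) LoadDomain(cfg SignedConfig) error {
	if !ed25519.Verify(m.certKey, cfg.Payload, cfg.Signature) {
		return ErrBadSignature
	}
	var l DomainLimits
	if err := json.Unmarshal(cfg.Payload, &l); err != nil {
		return fmt.Errorf("radio: malformed domain file: %w", err)
	}
	m.limits = &l
	return nil
}

// SetChannel is the host-facing tuning request. The host firmware may be
// anything (vendor build, OpenWRT, a research kernel); this check is what
// keeps emissions inside the certified envelope regardless.
func (m *RadioModule) SetChannel(channel, dbm int) error {
	if m.limits == nil {
		return ErrNotConfigured
	}
	permitted := false
	for _, c := range m.limits.Channels {
		if c == channel {
			permitted = true
			break
		}
	}
	if !permitted {
		return fmt.Errorf("radio: channel %d not permitted in domain %s", channel, m.limits.Domain)
	}
	if dbm > m.limits.MaxDBm {
		return fmt.Errorf("radio: %d dBm exceeds %d dBm limit in domain %s", dbm, m.limits.MaxDBm, m.limits.Domain)
	}
	// A real module would program the synthesiser and power amplifier here.
	return nil
}

// SignDomain is the certification authority's offline step, included only
// so that the example runs stand-alone; the private key never ships in a device.
func SignDomain(priv ed25519.PrivateKey, l DomainLimits) (SignedConfig, error) {
	payload, err := json.Marshal(l)
	if err != nil {
		return SignedConfig{}, err
	}
	return SignedConfig{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	radio := NewRadioModule(pub)
	// Constructed sample limits for the example; not the real FCC table.
	us, _ := SignDomain(priv, DomainLimits{Domain: "US", Channels: []int{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11}, MaxDBm: 30})
	fmt.Println("before load:", radio.SetChannel(6, 20))
	fmt.Println("load US:    ", radio.LoadDomain(us))
	fmt.Println("channel 6:  ", radio.SetChannel(6, 20))
	fmt.Println("channel 13: ", radio.SetChannel(13, 20))
	// A host that edits the file (say, to enable channel 13) is refused.
	tampered := SignedConfig{Payload: append([]byte(nil), us.Payload...), Signature: us.Signature}
	tampered.Payload[0] ^= 0x01
	fmt.Println("tampered:   ", radio.LoadDomain(tampered))
}
```

The point of the split is that the host side of `SetChannel` can be entirely untrusted: replacing the router's operating system with third-party firmware changes nothing about which channels and powers the module will accept, while a new domain file or a firmware update for the module itself can still be issued after sale, provided it is signed by the certification key.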
The above rules specifically address the problem of potential harmful emissions at the RF level. But I would go further to reduce other harms, though these aspirations may require a separate round of rulemaking:

- Require device firmware to be demonstrably free of known security vulnerabilities at time of sale. This should include reference to design best-practices (such as verification of digital certificates used for secure communication, and absence of fixed default passwords), in consultation with acknowledged software security experts, and reference to a database of known software vulnerabilities, such as the CVE series. There are well-established vulnerability scanners on the market which can be used to assist this process.
- Require device firmware to be updated, automatically and without the need for end-user attention, to fix defects (in the above category or otherwise) discovered after time of sale, for the expected lifetime of the device. This should, at minimum, extend to the ordinary manufacturer’s warranty period of the last device of the type sold at retail, and preferably to the period of an extended warranty which might be sold for that device. This update process must also be demonstrably designed to be secure against man-in-the-middle hijack attempts.
- Require claims of functionality made in marketing material for the device (including but not limited to the packaging and manual) to have a verifiable basis in fact. In particular, it must be straightforward to quantifiably demonstrate the feature’s functionality and benefits in a typical installation configuration in the laboratory, using only configuration options available to the user and (if relevant) described in the user manual.
- Require the ability to replace the manufacturer’s software or firmware with any alternative from a third party, given explicit and verified consent from the end-user (such as holding down a button during power-on to initiate the firmware reload).
  This would not necessarily include replacing the firmware of isolated radio components as described above. Exercising this ability would necessarily relieve the manufacturer of any liability related to problems with the firmware, unless the process is repeated to replace the third-party firmware with the original. This would enhance the ability of third-party firmware projects (such as DD-WRT and OpenWRT for consumer devices, or Linux on laptops) to take advantage of hardware advances.

The above requirements, if enforced, would go a long way towards addressing the worrying state of consumer device security, especially with respect to the so-called “Internet of Things”. In any case, without them, any attempt to implement the rules on SDR as presently proposed is doomed to failure.

Thank you for your attention.

- Jonathan Morton