The United States Federal Communications Commission (FCC) has introduced ‘software security requirements’ obliging WiFi device manufacturers to “ensure that only properly authenticated software is loaded and operating the device”. The document specifically calls out the DD-WRT open source router project, but clearly also applies to other popular distributions such as OpenWRT. This could become an early battle in ‘The war on general purpose computing’ as many smartphones and Internet of Things devices contain WiFi router capabilities that would be covered by the same rules.

The rules are apparently motivated by a desire to ensure that devices operated within the US comply to FCC regulations on radio frequency spectrum management and power output. Given the size of the US market, and manufacturers’ desire to create products that reach a global market, the rules are likely to have a global impact. This regulation applies to U-NII devices operating in the 5GHz band, though as dual band systems have become more popular, in routers and phones, this will increasingly apply to most devices with WiFi.

Router (and phone) manufacturers typically provide a firmware upgrade mechanism to enable security and feature updates. That same mechanism has often been used to apply alternative firmware from open source communities such as OpenWRT. What the FCC are now demanding is that only authorised firmware can be applied, implying some kind of cryptographic lockdown - in essence digital rights management (DRM) for WiFi enabled devices. Digital rights activists such as Cory Doctorow have repeatedly pointed out how DRM and Open Source are fundamentally incompatible, because if you can see and modify the DRM code then it’s trivial to circumvent it.

OpenWRT, CyanogenMod and other open source firmware has become a popular alternative to original equipment manufacturer (OEM) firmware in order to facilitate more rapid security updates and enable capabilities that are present in the underlying hardware but not offered by the supplied software stack. With phones and tablets open source firmware is also often prefered as a way to avoid ‘crapware’ put on handsets by manufacturers and network operators. A common feature of such firmware is to allow the selection of WiFi channels and output power that might not be offered by the stock firmware. WiFi works within small bands of ‘unlicensed’ spectrum, and although there is much common ground the exact frequency allocation and maximum allowed power output can vary somewhat between countries. For example channel 14 in the 2.4 GHz spectrum is only legal in Japan.

Open source hardware devices have become increasingly popular in recent years with initiatives like the Open Compute Project (OCP) poised to transform the datacenter. WRTnode is a WiFi router specifically designed to run OpenWRT, and handsets from OnePlus and Micromax Informatics ship with CyanogenMod. The FCC appears to be banning the import and use of open source hardware just as industry insiders like Andrew “Bunnie” Huang observe that the handset industry is increasingly moving to open source.

Commenters on a Hacker News thread on the topic have noted that channel selection and power management only apply to the ‘baseband processor’, so the impact could be constrained to that subsystem. The counterpoint is that many systems on chip (SoC) now incorporate the baseband, and even when they don’t the baseband is usually configured externally by the main firmware. There is also some degree of conspiracy theory that the US government wants devices with unpatched security vulnerabilities, or deliberate backdoors, to facilitate interception by the National Security Agency (NSA).

The blocking of open source software resulting from these rules appears to be a retrograde step for the US in terms of consumer choice and security, and will likely have consequences beyond the US border. Whether that impact is meaningful in the long term will likely come down to how the (mostly Chinese and Korean) OEMs choose to respond, and whether there is regulatory contagion from the US into its trading partners.