With the Federal Communications Commission being criticized for rules that may limit a user’s right to install open source firmware on wireless routers, we’ve been trying to get more specifics from the FCC about its intentions.

Despite an FCC guidance to router manufacturers that seems to ban open source firmware such as DD-WRT and OpenWRT, FCC spokesperson Charles Meisch told Ars that there is in fact no such ban. But there are restrictions that in some cases could cause a manufacturer to decide to prevent the installation of third-party firmware. In fact, disabling the installation of third-party firmware by the user may be the easiest and most straightforward way for hardware makers to comply with the FCC's guidance.

That guidance specifically requires manufacturers to prevent user modifications that cause radios to operate outside their licensed RF (radio frequency) parameters. The goal is to prevent interference with other systems by making sure devices only work within their allowed frequencies, types of modulation, and power levels. The FCC said its actions are meant to address “interference with FAA Doppler weather radar systems caused by modified devices” and other potential interference problems.

Manufacturers could choose to achieve compliance by simply locking out any kind of third-party firmware, the FCC acknowledged.

“Manufacturers could choose to ban software mods, but if they have a different solution that achieves the same end (preventing RF mods that take the device out of compliance) that would be acceptable,” Meisch told Ars.

Software like DD-WRT can change the transmit power of a router, but it can also perform other functions that don’t affect the router’s compliance with radio frequency rules. Many customers install free, open source firmware on routers to get a better user interface and functionality than what is provided by the hardware vendor. Free software proponents argue that the third-party firmware is updated more often than vendor-supplied firmware and thus can be more secure.

The FCC is considering additional rule changes that could further restrict router modifications, but the most immediate cause of concern in the open source community is a guidance released in March that describes how manufacturers should comply with new security requirements for devices that operate in the 5GHz band. The new requirements were voted on last year and took effect in June this year.

The guidance says, among other things, that hardware makers seeking equipment certification should ensure that “only properly authenticated software is loaded and operating the device,” and they should describe to the FCC “how the device is protected from ‘flashing’ and the installation of third-party firmware such as DD-WRT.”

While that sounds like a ban on DD-WRT and similar software, FCC officials say it must be viewed in the context of the rules and the rest of the document, which talk extensively about preventing modifications to radio frequency parameters. The rules do not specify what technical method manufacturers should use to secure devices against interference-causing RF changes, nor do they require manufacturers to render devices inoperable if third-party software is installed. In its rulemaking last year, the FCC noted that Motorola's 5GHz devices already have "features that prevent operators and users from programming them in ways that conflict with their granted equipment authorizations, such as disabling DFS [dynamic frequency selection]."

In practical terms, what’s important is how vendors are responding. The FCC told Ars that so far, no vendors have interpreted the guidance as a ban on third-party firmware.

The DD-WRT reference is understood to mean that “an applicant seeking to certify a 5GHz Wi-Fi router would have to ‘describe in detail how the device is protected from ‘flashing’ and the installation of third-party firmware such as DD-WRT’ that would modify the RF parameters in a way that would take the device out of compliance and cause harmful interference,” the FCC told Ars.

Reason for concern

Users of open source software are skeptical. They point to recent software updates that appear to prevent loading of third-party firmware on some older routers. Those routers would have gotten certifications prior to the FCC rule changes, but it's possible that hardware makers would still lock them down in order to comply. While the security requirements that took effect in June this year applied only to newly certified devices, hardware makers must stop selling older routers by June 2016 unless they meet the new rules.

Eric Schultz, community manager at the Prpl Foundation and a free and open source software advocate, believes that the FCC is making it very difficult to install third-party router firmware despite having “the best of intentions” as it tries to protect the radio spectrum.

While router makers might be able to design hardware that allows modification while still complying with FCC rules, “[t]here’s minimal advantage to them in doing so and the easiest method of ensuring the rules are followed is to simply prevent modification,” Schultz wrote this week. “After all, they’ll have to rewrite drivers, redesign firmware, and create new wireless radios with the hope that the design they’ve come up with will meet the requirements of the FCC. If you’re rushing to market to beat your competitors, why not just take the easiest method and lock everything down?”

In addition to the rule changes already in effect, the FCC in July proposed new regulations that would further clarify how router makers should treat user modifications. The proposal says that hardware makers should “implement well-defined measures to ensure that certified equipment is not capable of operating with RF-controlling software for which it has not been approved.”

The FCC is accepting initial comments on its proposal until October 9 and reply comments until November 9. Proponents of open source router software have been submitting comments to the FCC urging the commission not to lock out third-party firmware, and the FCC could change course when it issues final rules.

A senior FCC official who spoke on condition of not being named told Ars that the commission believes a majority of devices are capable of locking RF parameters while still allowing third-party firmware. But the purpose of seeking public comment before issuing final rules is to identify potential problems before they take effect, the official said.

Router makers remain silent

Router manufacturers seem reluctant to talk. A Linksys spokesperson told Ars that company officials are “still having discussions with the FCC and do not want to comment at this time.”

Linksys has previously touted its support for open source firmware. Before Linksys released its WRT1900AC device last year, the company provided early hardware along with SDKs and APIs to the developers of OpenWRT so they could make firmware available for the router upon its release.

D-Link and Netgear declined interview requests, and we were unable to get an interview with Asus.

We did talk to Senior Product Manager Kathy Giori at wireless chipset maker Qualcomm Atheros, who said there are reasons for both pessimism and optimism. Giori, who has collaborated with the open source software community, said router makers have been contacting her for guidance on the FCC’s new treatment of third-party software.

“The easiest way to comply is to lock down the whole platform. Just lock down the whole thing and the FCC is happy,” Giori told Ars. But if that happens, “the OpenWRT people aren't happy.”

Giori said it’s technically possible to prevent modifications to RF characteristics while still allowing third-party software changes, similar to how an Android phone can be flashed with a different version of the OS without altering cellular and Wi-Fi functionality.

But implementation could be complicated. Radio devices used in multiple countries already have to follow different rules depending on where they are, but that’s a little easier with phones because of their GPS capabilities. “Wi-Fi routers don't know where they are, so the regulatory domain is unknown,” Giori said. “That's sort of the big difference here.”

The FCC guidance says router makers seeking certification must “[e]xplain if any third parties have the capability to operate a US-sold device on any other regulatory domain, frequencies, or in any manner that is in violation of the certification.”

It will take cooperation among open source software developers, hardware makers, and the FCC to ensure that routers maintain compliance with radio frequency parameters, but such cooperation isn’t unusual, Giori said.

“The current regulatory domain infrastructure in the Linux kernel was coordinated closely with the FCC,” Giori said, noting that Linux PCs can be turned into wireless access points with the right hardware.

A router maker could also partner with an open source project on a one-off basis, for example to build a version of DD-WRT that’s validated for a particular router, she said.

But one-off solutions won't scale easily. Giori is worried about businesses that make their own custom firmware for privately operated Wi-Fi hotspots and other devices. So-called “Internet of Things” devices that rely on custom implementations of open source firmware could also be affected, she said.

“Before I started working at Atheros, I was working at a Wi-Fi hotspot-as-a-service company and we built our own firmware,” she said. “All the Wi-Fi hotspots in the world, that's all value-add, after-market software, it's not what's loaded on a platform when it comes out of Taiwan. That huge ecosystem—how do you possibly manage secure keys with such a huge ecosystem of after-market development?”

Giori believes a compromise that pleases both the FCC and open source users is possible, but it will be difficult to work out.

"It's a very hot topic and nobody has all of the answers," she said.