In a win for the open source community, router maker TP-Link will be required to allow consumers to install third-party firmware on their wireless routers, the Federal Communications Commission (FCC) announced Monday. The announcement comes on the heels of a settlement requiring TP-Link to pay a $200,000 fine for failing to properly limit their devices' transmission power on the 2.4GHz band to within regulatory requirements. On its face, new rules about open source firmware don't seem to have much to do with TP-Link's compliance problems. But the FCC's new rule helps fix an unintended consequence of a policy the agency made last year, which had led to open source developers being locked out of wireless routers entirely.
The FCC set forth a list of Software Security Requirements in March 2015 that included specific language which appeared to encourage restrictions on third-party firmware—in particular the popular DD-WRT—that could be used to circumvent bandwidth requirements. The purpose of the requirements was to prevent wireless routers from interfering with other communications. In November, the FCC clarified that it was not in fact seeking to ban open source software from wireless routers—but by that point the damage had already been done. TP-Link had already begun paving the way for locking out third-party firmware as a way of bringing itself into compliance. Meanwhile, other manufacturers such as Linksys had sought to work with the open-source firmware community to allow consumers to install custom firmware without violating FCC rules.
This decision is a welcome one for the open-source firmware community, which has worked hard to support the wide range of routers in circulation. It's good for security, too. Manufacturers often leave their device firmware neglected after flashing it at the factory, leaving users completely unprotected from security vulnerabilities that are frequently discovered. Just last month, TP-Link let the domain registration lapse for a site allowing consumers to configure their devices over the Internet, potentially exposing a large swath of its users to credentials-stealing or malware attacks. Many open-source firmware projects, on the other hand, release regular updates that allow users to make sure vulnerabilities on their devices get patched. In addition, third-party firmware allows users to take more fine-grained control of their routers than is typically granted by manufacturer firmware. This opens a whole range of possibilities, from power-users wishing to extend the range of their home Wi-Fi by setting up repeaters throughout their homes, to community members wishing to take part in innovative community-based mesh-networking firmware projects.
Although the FCC statement guarantees TP-Link will allow installation of open-source firmware, the agency has also made clear that manufacturers have to do something to ensure compliance with a second set of rules, relating to the U-NII radio band. This could leave manufacturers with a hard choice: locking down the separate, low-level firmware that controls the router radio so that users cannot tamper with it, or limiting the capabilities of the radio itself at the point of manufacture. The first option would prevent users from taking full control of their hardware by replacing the firmware that controls it with open-source alternatives. It means that even if the high-level firmware on the router is open-source, the device can never be fully controlled by the user because the low-level firmware controlling the hardware is encumbered by closed-source binaries. After the unfortunate reaction of router manufacturers to the FCC's 2015 policy, the agency should have been more careful not to create new incentives to lock down router firmware.
Overall, the FCC has sent a clear message with the TP-Link settlement: work with the community, not against it, to improve your devices and ensure compliance. But the agency should be clearer about how router makers can comply while allowing for the possibility of fully open-source routers, right down to the firmware.
Update 8/8: TP-Link has issued a statement on the settlement explaining how they will allow third-party firmware to be installed on their devices, but (following the suggestion of the FCC) "any third-party software/firmware developers must demonstrate how their proposed designs will not allow access to the frequency or power level protocols in our devices." This seems to confirm earlier concerns of an open source software advocate that "FCC is trying to do something through a settlement agreement that they can't do through law: regulate what ALL software can do if it interacts with radio devices."