[Discuss] "Plan for More Secure, Reliable Wi-Fi Routers"

[sronan at panix.com (Stephen Ronan)]

---------- Forwarded message ----------
Date: Wed, 14 Oct 2015 08:51:43 -0400
From: David Farber <farber at gmail.com>
To: ip <ip at listbox.com>

Global Internet Experts Reveal Plan for More Secure, Reliable 
Wi-Fi Routers - and Internet Letter to FCC Requests Mandates for 
Securing and Updating Wi-Fi Devices

October 14, 2015 06:00 AM Eastern Daylight Time

WASHINGTON--(BUSINESS WIRE)--In a letter submitted to the Federal 
Communications Commission (FCC), Dave Tht, co-founder of the 
Bufferbloat Project, and Dr. Vinton Cerf, co-inventor of the 
Internet, along with more than 260 other global network and 
cybersecurity experts, responded to the newly proposed FCC rules 
laid out in ET Docket No. 15-170 for RF Devices such as Wi-Fi 
routers by unveiling a new approach to improve the security of 
these devices and ensure a faster, better, and more secure 
Internet.

"The recommendations in this document would go a long way toward 
ensuring the existence of a highly performant, secure, and 
regulation-compliant Internet far into the future."

The letter was filed during the agency.s public comment period on 
this issue.

Dave Farber, former Chief Technologist of the FCC, supports the 
new approach, stating, "Today there are hundreds of millions of 
Wi-Fi routers in homes and offices around the globe with severe 
software flaws that can be easily exploited by criminals. While 
we agree with the FCC that the rules governing these devices must 
be updated, we believe the proposed rules laid out by the agency 
lack critical accountability for the device manufacturers."

"We can't afford to let any part of the Internet's infrastructure 
rot in place. We made this proposal because the wireless spectrum 
must not only be allocated responsibly, but also used 
responsibly. By requiring a bare minimum of openness in the 
technology at the edge of the Internet, we'll ensure that any 
mistakes or cheating are caught early and fixed fast," said Dr. 
Vint Cerf, a co-inventor of the Internet and also Senior Vice 
President and Chief Internet Evangelist at Google.

To improve accountability significantly while keeping the 
original intent of the regulation, the signatories, who also 
included Dr. Paul Vixie, Dr. Sascha Meinrath, Dr. Nick Feamster, 
Jim Gettys, Dr. David P. Reed, Dr. Andreas Petlund, Jeff Osborn, 
and other well-known industry experts, recommend the FCC mandate 
the following actions:

1. Any vendor of software-defined radio (SDR), wireless, or Wi-Fi 
radio must make public the full and maintained source code for 
the device driver and radio firmware in order to maintain FCC 
compliance. The source code should be in a buildable, 
change-controlled source code repository on the Internet, 
available for review and improvement by all.

2. The vendor must assure that secure update of firmware be 
working at time of shipment, and that update streams be under 
ultimate control of the owner of the equipment. Problems with 
compliance can then be fixed going forward by the person legally 
responsible for the router being in compliance.

3. The vendor must supply a continuous stream of source and 
binary updates that must respond to regulatory transgressions and 
Common Vulnerability and Exposure reports (CVEs) within 45 days 
of disclosure, for the warranted lifetime of the product, or 
until five years after the last customer shipment, whichever is 
longer.

4. Failure to comply with these regulations should result in FCC 
decertification of the existing product and, in severe cases, bar 
new products from that vendor from being considered for 
certification.

5. Additionally, we ask the FCC to review and rescind any rules 
for anything that conflicts with open source best practices, 
produce unmaintainable hardware, or cause vendors to believe they 
must only ship undocumented .binary blobs. of compiled code or 
use lockdown mechanisms that forbid user patching. This is an 
ongoing problem for the Internet community committed to best 
practice change control and error correction on safety-critical 
systems.


"Our fight for a free and open Internet began long before the 
invention and wide use of Wi-Fi home routers, whose manufacturers 
chose to base on open software. We are at an important inflection 
point in the history of the Internet. The FCC has an opportunity 
to take positive action that will increase the security and 
performance not only of these devices, but also influence how 
manufacturers develop secure Internet of Things while preserving 
an open Internet," said Jim Gettys, Chairman, Bufferbloat 
Project.

"Networking research and innovation fundamentally depend on the 
ability to modify firmware on CPE and deploy it in real-world 
settings in home networks," said Dr. Nick Feamster, Acting 
Director of Center for Information Technology Policy at Princeton 
University.

"The Internet is now effectively a battleground with end-users, 
our employers, our schools and our vendors on one side, and 
organized crime and nation-states on the other side. Our home 
gateways are often repurposed by our adversaries into weapons 
against us because these small, cheap plastic boxes are 
unpatchable, abandoned by their makers, and completely opaque. 
These devices are currently the Internet's public enemy #1. The 
plan proposed would significantly decontaminate our technology 
supply chain," said Dr. Paul Vixie, CEO of Farsight Security, 
Inc.

"The recommendations in this document would go a long way toward 
ensuring the existence of a highly performant, secure, and 
regulation-compliant Internet far into the future," said Jonathan 
Corbet, Executive Editor, LWN.net.

"As the recent revelations about the 'Moon Worm,' 'DNSchanger,' 
and 'Misfortune Cookie' and now the Volkswagen scandal 
illustrate, secret, locked-down firmware represents a clear and 
present danger to the security of the Internet," said Ted Lemon, 
recent Area Director at the IETF.

"If we raise the bar for firmware code quality, maintenance, and 
upgrades, we can finish beating bufferbloat, especially on Wi-Fi, 
deploy IPv6 faster, improve security, and build a vastly better 
Internet, for everybody," said Dave Tht, Architect, CeroWrt, 
co-founder, Bufferbloat Project.

If you care about this important issue and agree with our 
approach, please contact your local Congressional representative 
and share our letter with them. For media interview requests or 
other inquiries, please contact media at bufferbloat.net.

About the Bufferbloat Project

The Bufferbloat Project is an international coalition of 
individuals, many who were instrumental in the development of the 
Internet, and several with Wi-Fi, deeply concerned about the 
future health, speed, and safety of the edge of the Internet. In 
operation for 5 years, and working primarily on third-party 
firmware, it has pioneered new algorithms, boosted safety and 
security, helped develop new standards, and worked to make as 
much of this new theory and code available as possible for all to 
use. For more information, please visit 
http://www.bufferbloat.net.