> On 5 Sep, 2015, at 17:12, Rich Brown <[email protected]> wrote:
>
> Please post a link to your comments when you're done.
I couldn’t figure out a way to link to my comment as submitted, so I’ve
attached it to this e-mail instead.
- Jonathan Morton
Comment re: Proposed Rulemaking on Software Defined Radios
==========================================================
I am an EU resident and citizen, and a software engineer involved in
cutting-edge networking research. I wish to make certain that the FCC is aware
that their regulations have global effects, not merely local to the United
States.
I and others firmly believe that these newly proposed certification rules:
- will likely have deeply harmful effects,
- address a theoretical harm which has not been clearly demonstrated to
exist in practice,
- will also be ineffective at achieving their stated goal.
I would like to take this opportunity to briefly outline alternative rules
which would more carefully address the problem, avoiding the disadvantages
listed above.
Global Reach
============
It is a sad fact that most electronic device manufacture no longer takes place
in the Western Hemisphere. Reduced labour costs and less restrictive
regulations in the Far East mean that most consumer devices are designed and
made there, and only reach America and Europe by export. If faced with tight
regulations for imported devices, these manufacturers have few choices:
- Abandon the restrictive market entirely. North America is a large
market, so this would be considered undesirable for the manufacturer, not just
due to reduced choice for the consumer.
- Produce a separate, specially adapted product for the restrictive
market. For large, durable goods such as road vehicles, it is possible to make
such adaptations without much impact on final prices. However, this would
unacceptably increase design and manufacturing costs for small, relatively
cheap consumer electronics devices, due to disruption of the economies of scale
that these manufacturers rely on.
- Produce a single product adapted for the most restrictive market the
device is sold to. This effectively imposes these restrictive regulations
globally.
It seems clear that most consumer device manufacturers will choose the latter
option. That is why I am writing this comment.
Unintended Harms
================
The proposed regulations do not clearly define the limits of what must be
protected, especially considering the inevitable fact that the relevant reader
- based in the Far East - speaks English only as a second language. This will
lead to a misunderstanding of the true requirements, and the following likely
consequences:
- Firmware modification will be prevented on the entire device, not
just the parts which intentionally radiate RF energy.
- Software updates will be disallowed as well, even when they are
clearly necessary to fix bugs and security holes in the original, certified
firmware.
- Malicious actors (including such state-level actors as the NSA, GCHQ,
Russia and China) will find and exploit holes unknown at the time of
certification. This already occurs, due to the minimal effort manufacturers
currently put into producing secure, high-quality firmware, but it will become
difficult or impossible to close these holes subsequently, as is presently
possible by installing third-party, actively-maintained firmware such as
OpenWRT.
- Legitimate end-user modifications, including those performed by
licenced amateur-radio operators (whose permitted frequencies overlap with the
capabilities of many SDR devices), will be actively discouraged. Amateur radio
has often proved invaluable during crises, including natural disasters and
terrorist attacks; hampering its capabilities in this way could conceivably
have fatal consequences.
- Research which requires firmware modifications will be severely
hampered. One current focus of this research is improving the robustness and
latency of wired and wireless networks through advanced queuing disciplines;
this requires close integration with the relevant network hardware. For
example: http://www.bufferbloat.net/projects/codel/wiki/CakeTechnical
- FCC-compliant devices will be unable to use the wider frequency
ranges and higher powers that may be available in other jurisdictions.
- Devices sold abroad, but brought to the US by visitors, will radiate
beyond the regulated limits (eg. on channels 12-14 in the 2.4GHz band), with no
way for the user to prevent it, unless those capabilities are denied even in
jurisdictions in which they are permitted.
- An entire class of innovative products may be stifled due to the
increased regulatory burden.
It is worth emphasising that most recent Wi-Fi devices use SDR techniques, and
thus fall under these proposed rules. One reasonable interpretation of the
rules as presently proposed would encompass an entire laptop, including its
operating system and applications, as the device for which software
modifications are to be prevented. If this seems absurd - as it should - then
there is clearly scope to define the rules more narrowly.
Ineffectiveness
===============
As noted above, Far East manufacturers do not have an intrinsic incentive to
adopt genuine best practices with respect to software quality and security.
While regulations can impose extrinsic incentives, these serve only to enforce
the appearance of security, not its effect in practice. This inevitably leads
to measures which impose at least as much inconvenience and frustration on
end-users as a genuinely secure system would, but without noticeably impeding
the efforts of experienced, motivated attackers.
Previous experience in this area can be seen in the Digital Rights Management
sphere, where technologies such as corrupted floppy-disk sectors, DVD’s CSS
encryption, SecuROM, HDMI’s HDCP et al have all been bypassed, some with
greater ease than others. Of those mentioned, HDCP is both the least intrusive
- most consumers are completely unaware of its operation - and stood the test
of time best, but it too was eventually cracked. Some DRM technologies
actively harmed the equipment of legitimate users, in pursuit of the extrinsic
goal of copy-protection imposed by the entertainment industry, but were
immediately bypassed by experienced “software pirates” - the supposed
targets of the technology - who already routinely removed copy-protection
software before repackaging the product for distribution.
The response of corporations to security breaches is also instructive, with
regulations being necessary even to make them admit that a major
consumer-privacy breach has occurred, and even then cover-ups undoubtedly still
occur. This type of regulation is more difficult to extend to the Far East,
where it would be required.
Typically, consumer devices of this type are based on a standard piece of
hardware which, to simplify software development, has a variety of debugging
interfaces included - generally including a serial console and a JTAG debugger
interface. While the connection headers are generally omitted from the final
product for cost reasons, it is easy for an engineer or hacker to fit them
manually, using a soldering iron. Instructions for doing so are widely
circulated for legitimate purposes, such as porting OpenWRT to the wide range
of new devices which regularly appear on the market. It seems highly unlikely
that these interfaces can be modified or disabled in a way that would not also
inhibit the manufacturer’s own development practices. Hence, even if these
debug interfaces become the only reliable way to modify firmware (thus removing
this option from the general consumer), they will remain available to
sufficiently motivated individuals and organisations.
Absence of Harm
===============
In proposing these rules, the FCC has not clearly articulated a specific harm
that they could reasonably address. Only the “potential” for the
originally licenced and certified emissions limits to be bypassed, with no
evidence that this is already occurring or likely to occur in practice, and
some images of interference caused to a handful of obsolete radar installations
(which are already due for replacement) by devices already in the field -
devices which can reasonably be assumed to be certified and compliant in any
case, but whose emissions can in aggregate be detected by sensitive equipment.
Meanwhile, it is straightforward and inexpensive to construct devices which do
emit harmful interference in the relevant bands, whether using SDR techniques
or not. It is arguably easier to do so than to modify an existing device’s
firmware to do so, even without any technological restrictions on the latter.
There has also, surprisingly, been little or no mention of any harm caused by
certified and compliant devices which have been configured for a foreign
jurisdiction with more permissive regulations. For example, 2.4GHz channels 12
and 13 are available in the EU but not in the US; channel 14 is available only
in Japan. Power limits also vary between regulatory domains. The volume of
visitors to the US from these regions, and the general ignorance among
consumers of these differences, implies that a significant amount of
misconfigured radio equipment already exists in the US at any given time.
Alternatives
============
I make the charitable assumption, here, that reducing the potential for
accidental emissions beyond the regulated limits is a desirable goal. Here are
some rules which address this goal while also retaining the ability to modify
device firmware. This should reduce harms on both sides of the equation, as
well as being more realistically practical to implement.
- Isolate the components of the radio responsible for the frequency and
intensity of emissions from the rest of the system, and provide a narrow,
clearly defined interface between the two. This reduces the attack surface,
making these isolated components easier to secure. This isolation boundary may
include, at maximum, the components of a distinct module such as a PCI Express
card (which is currently the industry-standard method of attaching Wi-Fi radios
to a device); preferably it would encompass only a minimal portion of that
hardware.
- Store the firmware of the isolated components securely within those
components, eliminating the dependence on the integrity of the larger
device’s software or firmware for compliance. The isolated components can
then be certified separately from any device they may be attached to. It
should, in this case, be possible to adjust certain parameters of the emission
spectrum to cater for different regulatory domains; this could be done via a
regulatory-domain configuration file uploaded through the defined interface, or
via a simple numerical selector between such files stored within the firmware.
- Alternatively, integrate a cryptographic verification system within
the isolated components, which ensures firmware loaded into the components is
verified as authentic before use. This would allow updates to the firmware to
be distributed after sale of the device, or different firmware to be loaded for
different regulatory domains, while still ensuring that only certified firmware
is loaded.
- Alternatively, publish the firmware for the isolated components in a
human-readable format, so that it can be audited for compliance and modified if
necessary. It must then be straightforward to verify (through conversion of
the human-readable version into device format) that the published firmware
corresponds to that actually loaded into devices on sale. This option is the
most beneficial for amateur-radio operators and researchers, since they would
then be able to modify the firmware to meet their needs; they would of course
assume liability for any regulatory compliance problems their modifications
introduce.
The above rules specifically address the problem of potential harmful emissions
at the RF level. But I would go further to reduce other harms, though these
aspirations may require a separate round of rulemaking:
- Require device firmware to be demonstrably free of known security
vulnerabilities at time of sale. This should include reference to design
best-practices (such as verification of digital certificates used for secure
communication, absence of fixed default passwords) in consultation with
acknowledged software security experts, and reference to a database of known
software vulnerabilities, such as the CVE series. There are well-established
vulnerability scanners on the market which can be used to assist this process.
- Require device firmware to be updated, automatically and without the
need for end-user attention, to fix defects (in the above category or
otherwise) discovered after time of sale, for the expected lifetime of the
device. This should, at minimum, extend to the ordinary manufacturer’s
warranty period of the last device of the type sold at retail, and preferably
to the period of an extended warranty which might be sold for that device.
This update process must also be demonstrably designed to be secure against
man-in-the-middle hijack attempts.
- Require claims of functionality made in marketing material for the
device (including but not limited to the packaging and manual) to have a
verifiable basis in fact. In particular, it must be straightforward to
quantifiably demonstrate the feature’s functionality and benefits in a
typical installation configuration in the laboratory, using only configuration
options available to the user and (if relevant) described in the user manual.
- Require the ability to replace the manufacturer’s software or
firmware with any alternative from a third-party, given explicit and verified
consent from the end-user (such as holding down a button during power-on to
initiate the firmware reload). This would not necessarily include replacing
the firmware of isolated radio components as described above. Exercising this
ability would necessarily relieve the manufacturer of any liability related to
problems with the firmware, unless the process is repeated to replace the
third-party firmware with the original. This would enhance the ability of
third-party firmware projects (such as DD-WRT and OpenWRT for consumer devices,
or Linux on laptops) to take advantage of hardware advances.
The above requirements, if enforced, would go a long way to address the
worrying state of consumer device security, especially with respect to the
so-called “Internet of Things”. In any case, without them any attempt to
implement the rules on SDR as presently proposed are doomed to failure.
Thank you for your attention.
- Jonathan Morton
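As an added illustration of the "Alternatives" section above (the isolated radio component with a narrow interface, a regulatory-domain configuration uploaded through it, and verification of what is loaded before use), here is a small Python model that is not part of the original comment. It assumes a key provisioned into the module at certification time and uses HMAC-SHA256 as a stand-in for a public-key signature; the domain tables (channel sets and power limits) are constructed for the example, not taken from any regulator.

```python
import hashlib
import hmac
import json

# Constructed per-domain limits for illustration only (channel set, max power in dBm);
# real values come from each regulator's rules, not from this table.
REG_DOMAINS = {
    "US": {"channels": set(range(1, 12)), "max_power_dbm": 30},
    "EU": {"channels": set(range(1, 14)), "max_power_dbm": 20},
    "JP": {"channels": set(range(1, 15)), "max_power_dbm": 20},
}


def tag_config(key: bytes, blob: bytes) -> bytes:
    """Certifying party's side: authenticate a domain-config blob (HMAC stands in for a signature)."""
    return hmac.new(key, blob, hashlib.sha256).digest()


class RadioModule:
    """Model of the isolated radio component: it alone decides frequency and power."""

    def __init__(self, verify_key: bytes):
        self._key = verify_key   # provisioned at certification, unreachable from host software (assumption)
        self.domain = None
        self.channel = None
        self.power_dbm = None

    def load_domain_config(self, blob: bytes, tag: bytes) -> bool:
        """Narrow interface, part 1: accept a regulatory-domain config only if its tag verifies."""
        if not hmac.compare_digest(tag_config(self._key, blob), tag):
            return False          # unverified upload: ignored, current domain unchanged
        try:
            cfg = json.loads(blob)
        except ValueError:
            return False
        if cfg.get("domain") not in REG_DOMAINS:
            return False
        self.domain = cfg["domain"]
        return True

    def set_channel(self, channel: int, power_dbm: int) -> bool:
        """Narrow interface, part 2: host requests channel/power; the module enforces the loaded domain."""
        if self.domain is None:
            return False          # no certified domain loaded: the radio stays silent
        limits = REG_DOMAINS[self.domain]
        if channel not in limits["channels"] or power_dbm > limits["max_power_dbm"]:
            return False          # e.g. channel 13 or 14 is refused while the US domain is loaded
        self.channel, self.power_dbm = channel, power_dbm
        return True
```

The host's firmware can be replaced freely under this model; the only thing it can change about emissions is which certified domain file is loaded.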
_______________________________________________
Bloat mailing list
[email protected]
https://lists.bufferbloat.net/listinfo/bloat