FCC decision on TP-Link: no reason to relax

In an FCC decision published on August 1st, router manufacturer TP-Link was sentenced to a $ 200,000 fine and changes in its hard and software. Even though the decision wants to make sure Open Source firmwares remain installable on WiFi routers, the sentencing could have devastating consequences for Free Software projects. (Article originally published in German on netzpolitik.org, August 2nd, 2016.)

Consumer electronics producer TP-Link had put to market a router that allowed changing the country setting in its configuration. From June 2016 on, manufacturers in the US must make sure software installed on their radio devices does not produce harmful interference.

As a reaction to the original FCC request, TP-Link changed the software so that the country setting was no longer available. At the same time they removed the possibility to install third-party firmwares (e.g. from Open Source projects) from the software update mechanism. This change in particular led to the investigation that now resulted in a settlement. In the arrangement, TP-Link commits to paying a $ 200,000 civil penalty and to implement a long-term compliance plan to ensure future compliance with the regulations.

Bitter Pill

The FCC explicitly refers to Open Source software when saying third-party software shouldn’t be prohibited. What seems to be a triumph for Free Software, leaves a bad taste when read in more detail:

“TP-Link agrees to investigate software and hardware solutions that would enable customers to install and operate third-party firmware on TP-Link routers, while maintaining the integrity of critical radio parameters.” (2nd paragraph on page 1 of the decision)

Requiring manufacturers to make sure radio parameters are maintained while at the same time allowing for the installation of third-party firmwares leaves only a technical solution similar to “trusted computing”, in which software to be installed needs to be crypotographically signed. If manufacturers want to make sure that third-party software is only installable – or can access the radio module – after their prior approval (and signature), this is the only way.

This scenario is not only a bad dream for amateur radio enthusiasts who use inexpensive, consumer-grade hardware for SDR, using modified software. It should also send shivers through SME electronics producers that rely on readily available, commercial radio equipment and customized software to create applications that technically don’t allow for complex cryptographic signature checks.

“Secure Boot” is a mechanism ensuring only signed operating systems can be installed and run on modern personal computer hardware. In 2012, Linux distributions as well as the Free Software Foundation Europe warned users may lose control over their own computers through Secure Boot.

Community WiFi projects such as Freifunk in Germany and Free Software supporters have warned in April that directive 2014/53/EU will establish similar requirements in the EU.