A coalition of 260 cybersecurity experts is taking advantage of a Federal Communications Commission (FCC) public comment period to push for router makers to make their source code available "in a buildable, change-controlled source code repository" online as a conditioned for being licensed for use in the US.
The request comes amid a wider debate on how the FCC should ensure that Wi-Fi routers’ wireless signals don’t “go outside stated regulatory rules” and cause harmful interference to other devices like cordless phones, radar, and satellite dishes.
The experts reasoned that closed-source router firmware could expose users across the internet to security vulnerabilities. If these routers’ firmware were available for scrutiny online, the thinking goes, the wider community of experts and developers could work together to battle vulnerabilities without having to wait for router makers to release a patch—if they bother to do so at all.
“In our letter [PDF], the scientists and engineers most deeply concerned with the internet have finally spoken with one voice, loud enough, maybe, to make a difference,” Dave Taht, co-founder of Bufferbloat, an initiative to improve router performance, told Motherboard. Taht, who lead author of letter to the FCC, said that manufacturers often ship routers that are vulnerable to known exploits, putting consumers and the wider internet at risk as soon as the routers are turned on. Making the matter worse is how few consumers bother to upgrade their firmware if patches are released.
Paul Vixie, the CEO of computer security firm Farsight Security, told Motherboard about one recent router vulnerability that allowed hackers to redirect their victims’ internet traffic to an ad server under their control. “Now, most people may not care about who gets what advertising revenue,” Vixie said, ”but the fact that [traffic] can be redirected at scale for hundreds of thousands of victims means that people [may end up] going to a phishing site.”
Motherboard attempted to contact Linksys and Belkin, two of the largest consumer router brands, about their thoughts on open-sourcing their routers. While Belkin did not respond to Motherboard’s request for comment, a Linksys spokesperson said the company was “currently in talks with the FCC” but had nothing further to say on the matter.