Feds snub open source for 'smart' radios

New FCC rules say open-source code for next-gen mobile tech has "high burden" to show it's secure. Some industry and security experts beg to differ.
Written by Anne Broache, Contributor
Mobile-gadget makers are starting to take advantage of software-defined radio, a new technology allowing a single device to receive signals from multiple sources, including television stations and cell phone networks.

But a new federal rule set to take effect Friday could mean that radios built on "open-source elements" may encounter a more sluggish path to market--or, in the worst case scenario, be shut out altogether. U.S. regulators, it seems, believe the inherently public nature of open-source code makes it more vulnerable to hackers, leaving "a high burden to demonstrate that it is sufficiently secure."

If the decision stands, it may take longer for consumers to get their hands on these all-in-one devices. The nascent industry is reluctant to rush to market with products whose security hasn't been thoroughly vetted, and it fears the Federal Communications Commission's preference for keeping code secret could allow flaws to go unexposed, potentially killing confidence in their products.

By effectively siding with what is known in cryptography circles as "security through obscurity," the controversial idea that keeping security methods secret makes them more impenetrable, the FCC has drawn an outcry from the software radio set and raised eyebrows among some security experts.

"There is no reason why regulators should discourage open-source approaches that may in the end be more secure, cheaper, more interoperable, easier to standardize, and easier to certify," Bernard Eydt, chairman of the security committee for a global industry association called the SDR (software-defined radio) Forum, said in an e-mail interview this week.

The Forum, which represents research institutions and companies such as Motorola, AT&T Labs, Northrup Grumman and Virginia Tech, urged the FCC to back away from that stance in a formal petition (PDF) this week.

Those concerns were endorsed by the Software Freedom Law Center, which provides legal services to the free and open-source software community, staff attorney Matt Norwood said in an interview this week.

Still, in a white paper released Friday, the group says there's also good news for its developers in the FCC's rule: because it focuses narrowly on security-related software, it appears that programmers would not be restricted from collaboration with hardware makers on the many other kinds of open-source wireless applications. (Many 802.11 wireless routers that are under the FCC's control already rely on open-source systems for network management.)

Software-defined radios--also known as "smart" or cognitive radios--are viewed by some as the foundation for the next generation of mobile technology. Traditional radios use electronic hardware to process signals--for example, to transform a particular type of radio waves into a radio station's musical broadcast or to screen out interference.

Expanding radio's scope
But software-defined radios put the brains of the operation into software that manages the signals being sent or received by the radio hardware. With that approach, new software downloads, as opposed to more labor-intensive hardware changes, could let radios do more than ever before.

Imagine, for instance, a single gadget that can deliver TV shows, terrestrial radio stations, cell phone calls and broadband, depending on how it's programmed; or a cell phone equipped with the intelligence to detect the strongest signals in a particular area and change the phone's settings to subscribe to them, regardless of whether they belong to a GSM, CDMA or some other type of network.

Although the software-defined radio industry has generally found welcoming treatment on the FCC's part so far, some security experts said the agency's recent take on open-source software is unjustified.

"Obscurity works best when the hackers can't test their attacks," said Peter Swire, an Ohio State University law professor who has written about the tensions between closed and open approaches to computer security. "For software like this, used in distributed devices, there should be no extra burden on open source."

There's also no clear evidence that the number of vulnerabilities in open-source software differs dramatically from that of proprietary software, said Alan Paller, director of research for the SANS Institute, which provides computer security training. (Some earlier studies have found that the generally more intensive scrutiny of open-source code can help keep its quality higher and vulnerabilities lower.)

"They should be defining it as software with reliable maintenance or software without reliable maintenance--that's the fundamental security issue," Paller said in a telephone interview. "If I don't have somebody I can call when I find out there's a vulnerability in my software, I'm dead."

Already in military use
The term software-defined radio hasn't exactly made it into public consciousness yet, but the technology has been gaining traction in military and public safety spheres. Perhaps the highest-profile example is the Pentagon's Joint Tactical Radio System project, which is designed to give soldiers in the field the ability to shuttle voice, data and video across multiple networks.

Commercial offerings, however, remain in the early stages. About three years ago, the FCC awarded its first specialized software-defined radio license to a small firm called Vanu. That company went on to produce the first commercially available base station that can support multiple wireless standards--GSM, CDMA, iDEN and others--from a single piece of hardware, which it markets as a more cost-effective, time-efficient approach. According to the FCC, some CDMA mobile phone networks and wireless local area network devices are also using the technology in some form.

The new FCC rule, prompted in part by a petition last June from Cisco Systems, builds on software-defined radio ground rules established in 2001 and 2005.

The FCC has always worried that the technology's flexible nature could allow hackers to gain access to inappropriate parts of the spectrum, such as that used for public safety. So the regulators required manufacturers to submit confidential descriptions showing that their products are safe from outside modifications that would run afoul of the government's rules. Cisco's petition asked the regulators to clarify how use of open-source security software, whose code is by definition public, fit into that confidentiality mandate.

In response, the FCC decreed that open-source security software, too, cannot be made public if doing so would raise the risk that the FCC's rules could be sidestepped. Then the commission added: "a system that is wholly dependent on open-source elements will have a high burden to demonstrate that it is sufficiently secure to warrant authorization as a software-defined radio."

In its filing this week, the SDR Forum asked the FCC to allow radio makers to discuss their code in public, as long as they weren't intending to encourage rule-breaking. The group also urged a neutral stance on the security of open-source software, arguing that "academic inquiry and industry discussion coupled with a market test," not regulators, should decide.

The Cisco representative who petitioned the agency for the rule changes was not available for an interview with CNET News.com this week. Robert Pepper, the company's senior technology policy director, said he believed Cisco was comfortable with the new rule. An FCC spokesman said the commission had received and would review the SDR Forum's filing, but it was unclear when it would respond.

The FCC's latest move isn't the first time the open-source side of software radio has faced potential limits.

A few years ago, the agency issued rules that would have made it illegal to manufacture TV tuners and PCs that did not support the controversial "broadcast flag," an anticopying regime backed by the entertainment industry.

A federal appeals court threw out the rules. But if left in place or revived by Congress, they would threaten the ability of consumers to build their own unrestricted radio signal receivers, using the likes of a free software radio toolkit known as GNU Radio.

An attorney for the Software Freedom Law Center, which provides legal services to free and open-source software developers, said the regulators could have done far worse in their latest rule: the FCC acknowledged that the open-source platform may have "advantages," such as lower costs and development time, and it didn't outright ban open-source applications.

"I was gratified at least to see they've moved away from...all the rhetoric a few years ago about how the GPL is a virus and free software is un-American," said Software Freedom Law Center's Norwood.

The lingering concern from the manufacturers' side is that as long as the FCC discourages open discussions of security tactics, consumers will encounter delays or fewer choices in the new gadgets--or products laced with bugs that could have been caught with more collaboration.

The SDR Forum has cited the Secure Socket Layer (SSL), a widely used technique for securing e-commerce transactions, and the National Institute of Standards and Technology (NIST)'s public hash algorithms as evidence that open processes often yield the most highly successful security techniques.

Without similar freedoms for software radio makers, "there may be some people that will shy away or may delay some (software radio) pieces that go out there because they have this extra burden they have to go through," said Bruce Oberlies, chairman of the SDR Forum's regulatory committee.

Editorial standards