FCC: SDR open source? Troppo insicuro

State pensando a un progetto SDR open source? Sappiate allora che forse state andando contro le direttive della FCC americana in materia e potreste rendere più arduo il percorso di certificazione dei prodotti basati sul vostro software. A volte i regolatori più illuminati, o comunque più efficienti, possono prendere decisioni controverse. Sembra che sia successo oggi con la pubblicazione da parte della FCC americana della Final Rule dal titolo "Cognitive Radio Technologies and Software Defined Radios" (Volume 72, Number 108 del Federal Register del 6 luglio 2007). In questo regolamento si legge a un certo punto il seguente comma:

3. With regard to Cisco's second request, the Commission recognizes that some manufacturers may wish to use open source software (e.g., GNU/Linux) in developing SDRs. The use of such software may have advantages for manufacturers such as lower cost and decreased product
development time.
However, as Cisco notes, open source software may be subject to licensing agreements that require the party modifying the code to make the source code publicly available. The Commission did not address the possibility of manufacturers using open source software to implement security measures. However, it recognizes that hardware and software security measures that interact with the open source software need not be subject to an open source agreement. The Commission hereby states that it is its policy, consistent with the intent of Cognitive Radio Report and Order and Cisco's request, that manufacturers should not intentionally make the distinctive elements that implement that manufacturer's particular security measures in a software defined radio public, if doing so would increase the risk that these security measures could be defeated or otherwise circumvented to allow operation of the radio in a manner that violates the Commission's rules. A system that is wholly dependent on open source elements will have a high burden to demonstrate that it is sufficiently secure to warrant authorization as a software defined radio.

A quanto sembra di capire, la FCC (che aveva già legiferato in materia di radio cognitiva nel 2001 e 2005) su input del colosso delle reti IP Cisco (che aveva presentato una sua memoria), oggi incoraggia a *non* sviluppare applicazioni SDR in parte basate su componenti open source, a meno di non prendere le opportune misure di sicurezza per impedire modifiche che possano sfociare in dispositivi non conformi con le normative dettate dalla FCC stessa. Il codice open è per sua natura esposto agli attacchi e quindi insicuro. Sembra che la FCC voglia dirci: se una radio è definita dal software, c'è il rischio che se questo software viene modificato, la radio si comporterà in modo non previsto dalla normativa. Un dispositivo basato su un software poco robusto, potrebbe incontrare difficoltà nell'assicurarsi le necessarie autorizzazioni. Mi chiedo quali possano essere le vere ragioni di un attacco così esplicito a un approccio che si sta rivelando sempre più efficace e in grado di garantire lo sviluppo di software di alta qualità e rapidamente disponibile. In genere le authority di tutto il mondo lodano l'open source per i suoi alti potenziali di neutralità e interoperabilità. La decisione odierna della FCC sembra quasi capovolgere questo punto di vista.
CNet ha pubblicato al proposito un ottimo articolo di Anne Broache, che ha intervistato via mail i rappresentanti dell'SDR Forum. L'associazione dei costruttori di cognitive e software defined radio sostiene che i concetti di "protezione" ("security through obscurity") propugnati dalla FCC sono addirittura pericolosi e hanno depositato (vedi link successivo) una richiesta di emendamento del testo appena pubblicato dal Federal Register. Dal suo canto la Software Freedom Law Center ha pubblicato sulla questione un white paper più ottimistico, affermando che in altra parte del suo documento la FCC incoraggia lo sviluppo di applicazioni SDR open source. I programmatori indipendenti non hanno nulla da temere. La Commissione, affermano i legali di SFLC, si rivolgerebbe solo ai costruttori di apparati, non agli sviluppatori, che possono tranquillamente continuare a sviluppare software SDR in modalità FOSS. A loro volta i manifatturieri possono usare componenti open, ma devono farlo in modo da ridurre i rischi di violazione e senza rendere aperte le misure di sicurezza adottate. Open sì, ma con un po' di mordacchia.
Ora, il focus di questa discussione è molto sbilanciato sul versante dei prodotti Wi-Fi e presumibilmente WiMax, ma le considerazioni hanno senso anche per dispositivi come telefoni cellulari e terminali per la radio e la tv digitale. Le fonti che ho citato osservano che tutta questa prudenza da parte del regolatore americano rischia soltanto di rallentare il time to market dei futuri prodotti SDR. Dire che la radio "intelligente" non può essere al tempo stesso "aperta" e "sicura" (come se l'SDR servisse solo ai militari) tradisce uno strano modo di pensare.

Feds snub open source for 'smart' radios

By Anne Broache
(http://news.com.com/Feds+snub+open+source+for+smart+radios/2100-1041_3-6195102.html)
Story last modified Fri Jul 06 08:10:42 PDT 2007

Mobile-gadget makers are starting to take advantage of software-defined radio, a new technology allowing a single device to receive signals from multiple sources, including television stations and cell phone networks. But a new federal rule set to take effect Friday could mean that radios built on "open-source elements" may encounter a more sluggish path to market--or, in the worst case scenario, be shut out altogether. U.S. regulators, it seems, believe the inherently public nature of open-source code makes it more vulnerable to hackers, leaving "a high burden to demonstrate that it is sufficiently secure."
If the decision stands, it may take longer for consumers to get their hands on these all-in-one devices. The nascent industry is reluctant to rush to market with products whose security hasn't been thoroughly vetted, and it fears the Federal Communications Commission's preference for keeping code secret could allow flaws to go unexposed, potentially killing confidence in their products. By effectively siding with what is known in cryptography circles as "security through obscurity," the controversial idea that keeping security methods secret makes them more impenetrable, the FCC has drawn an outcry from the software radio set and raised eyebrows among some security experts. "There is no reason why regulators should discourage open-source approaches that may in the end be more secure, cheaper, more interoperable, easier to standardize, and easier to certify," Bernard Eydt, chairman of the security committee for a global industry association called the SDR (software-defined radio) Forum, said in an e-mail interview this week.
The Forum, which represents research institutions and companies such as Motorola, AT&T Labs, Northrup Grumman and Virginia Tech, urged the FCC to back away from that stance in a formal petition (PDF) this week. Those concerns were endorsed by the Software Freedom Law Center, which provides legal services to the free and open-source software community, staff attorney Matt Norwood said in an interview this week. Still, in a white paper released Friday, the group says there's also good news for its developers in the FCC's rule: because it focuses narrowly on security-related software, it appears that programmers would not be restricted from collaboration with hardware makers on the many other kinds of open-source wireless applications. (Many 802.11 wireless routers that are under the FCC's control already rely on open-source systems for network management.) Software-defined radios--also known as "smart" or cognitive radios--are viewed by some as the foundation for the next generation of mobile technology. Traditional radios use electronic hardware to process signals--for example, to transform a particular type of radio waves into a radio station's musical broadcast or to screen out interference.

Expanding radio's scope

But software-defined radios put the brains of the operation into software that manages the signals being sent or received by the radio hardware. With that approach, new software downloads, as opposed to more labor-intensive hardware changes, could let radios do more than ever before. Imagine, for instance, a single gadget that can deliver TV shows, terrestrial radio stations, cell phone calls and broadband, depending on how it's programmed; or a cell phone equipped with the intelligence to detect the strongest signals in a particular area and change the phone's settings to subscribe to them, regardless of whether they belong to a GSM, CDMA or some other type of network. Although the software-defined radio industry has generally found welcoming treatment on the FCC's part so far, some security experts said the agency's recent take on open-source software is unjustified. "Obscurity works best when the hackers can't test their attacks," said Peter Swire, an Ohio State University law professor who has written about the tensions between closed and open approaches to computer security. "For software like this, used in distributed devices, there should be no extra burden on open source." There's also no clear evidence that the number of vulnerabilities in open-source software differs dramatically from that of proprietary software, said Alan Paller, director of research for the SANS Institute, which provides computer security training. (Some earlier studies have found that the generally more intensive scrutiny of open-source code can help keep its quality higher and vulnerabilities lower.) "They should be defining it as software with reliable maintenance or software without reliable maintenance--that's the fundamental security issue," Paller said in a telephone interview. "If I don't have somebody I can call when I find out there's a vulnerability in my software, I'm dead."

Already in military use

The term software-defined radio hasn't exactly made it into public consciousness yet, but the technology has been gaining traction in military and public safety spheres. Perhaps the highest-profile example is the Pentagon's Joint Tactical Radio System project, which is designed to give soldiers in the field the ability to shuttle voice, data and video across multiple networks. Commercial offerings, however, remain in the early stages. About three years ago, the FCC awarded its first specialized software-defined radio license to a small firm called Vanu. That company went on to produce the first commercially available base station that can support multiple wireless standards--GSM, CDMA, iDEN and others--from a single piece of hardware, which it markets as a more cost-effective, time-efficient approach. According to the FCC, some CDMA mobile phone networks and wireless local area network devices are also using the technology in some form. The new FCC rule, prompted in part by a petition last June from Cisco Systems, builds on software-defined radio ground rules established in 2001 and 2005.
The FCC has always worried that the technology's flexible nature could allow hackers to gain access to inappropriate parts of the spectrum, such as that used for public safety. So the regulators required manufacturers to submit confidential descriptions showing that their products are safe from outside modifications that would run afoul of the government's rules. Cisco's petition asked the regulators to clarify how use of open-source security software, whose code is by definition public, fit into that confidentiality mandate. In response, the FCC decreed that open-source security software, too, cannot be made public if doing so would raise the risk that the FCC's rules could be sidestepped. Then the commission added: "a system that is wholly dependent on open-source elements will have a high burden to demonstrate that it is sufficiently secure to warrant authorization as a software-defined radio." In its filing this week, the SDR Forum asked the FCC to allow radio makers to discuss their code in public, as long as they weren't intending to encourage rule-breaking. The group also urged a neutral stance on the security of open-source software, arguing that "academic inquiry and industry discussion coupled with a market test," not regulators, should decide. The Cisco representative who petitioned the agency for the rule changes was not available for an interview with CNET News.com this week. Robert Pepper, the company's senior technology policy director, said he believed Cisco was comfortable with the new rule. An FCC spokesman said the commission had received and would review the SDR Forum's filing, but it was unclear when it would respond.
The FCC's latest move isn't the first time the open-source side of software radio has faced potential limits. A few years ago, the agency issued rules that would have made it illegal to manufacture TV tuners and PCs that did not support the controversial "broadcast flag," an anticopying regime backed by the entertainment industry.
A federal appeals court threw out the rules. But if left in place or revived by Congress, they would threaten the ability of consumers to build their own unrestricted radio signal receivers, using the likes of a free software radio toolkit known as GNU Radio. An attorney for the Software Freedom Law Center, which provides legal services to free and open-source software developers, said the regulators could have done far worse in their latest rule: the FCC acknowledged that the open-source platform may have "advantages," such as lower costs and development time, and it didn't outright ban open-source applications. "I was gratified at least to see they've moved away from...all the rhetoric a few years ago about how the GPL is a virus and free software is un-American," said Software Freedom Law Center's Norwood.
The lingering concern from the manufacturers' side is that as long as the FCC discourages open discussions of security tactics, consumers will encounter delays or fewer choices in the new gadgets--or products laced with bugs that could have been caught with more collaboration. The SDR Forum has cited the Secure Socket Layer (SSL), a widely used technique for securing e-commerce transactions, and the National Institute of Standards and Technology (NIST)'s public hash algorithms as evidence that open processes often yield the most highly successful security techniques. Without similar freedoms for software radio makers, "there may be some people that will shy away or may delay some (software radio) pieces that go out there because they have this extra burden they have to go through," said Bruce Oberlies, chairman of the SDR Forum's regulatory committee.