July 6, 2007 4:00 AM PDT

Feds snub open source for 'smart' radios

Mobile-gadget makers are starting to take advantage of software-defined radio, a new technology allowing a single device to receive signals from multiple sources, including television stations and cell phone networks.

But a new federal rule set to take effect Friday could mean that radios built on "open-source elements" may encounter a more sluggish path to market--or, in the worst case scenario, be shut out altogether. U.S. regulators, it seems, believe the inherently public nature of open-source code makes it more vulnerable to hackers, leaving "a high burden to demonstrate that it is sufficiently secure."

If the decision stands, it may take longer for consumers to get their hands on these all-in-one devices. The nascent industry is reluctant to rush to market with products whose security hasn't been thoroughly vetted, and it fears the Federal Communications Commission's preference for keeping code secret could allow flaws to go unexposed, potentially killing confidence in their products.

By effectively siding with what is known in cryptography circles as "security through obscurity," the controversial idea that keeping security methods secret makes them more impenetrable, the FCC has drawn an outcry from the software radio set and raised eyebrows among some security experts.

"There is no reason why regulators should discourage open-source approaches that may in the end be more secure, cheaper, more interoperable, easier to standardize, and easier to certify," Bernard Eydt, chairman of the security committee for a global industry association called the SDR (software-defined radio) Forum, said in an e-mail interview this week.

The Forum, which represents research institutions and companies such as Motorola, AT&T Labs, Northrop Grumman and Virginia Tech, urged the FCC to back away from that stance in a formal petition (PDF) this week.

The Software Freedom Law Center, which provides legal services to the free and open-source software community, endorsed those concerns, staff attorney Matt Norwood said in an interview this week.

Still, in a white paper released Friday, the group says there's also good news for its developers in the FCC's rule: because it focuses narrowly on security-related software, it appears that programmers would not be restricted from collaboration with hardware makers on the many other kinds of open-source wireless applications. (Many 802.11 wireless routers that are under the FCC's control already rely on open-source systems for network management.)

Software-defined radios--also known as "smart" or cognitive radios--are viewed by some as the foundation for the next generation of mobile technology. Traditional radios use electronic hardware to process signals--for example, to transform a particular type of radio waves into a radio station's musical broadcast or to screen out interference.

Expanding radio's scope
But software-defined radios put the brains of the operation into software that manages the signals being sent or received by the radio hardware. With that approach, new software downloads, as opposed to more labor-intensive hardware changes, could let radios do more than ever before.

Imagine, for instance, a single gadget that can deliver TV shows, terrestrial radio stations, cell phone calls and broadband, depending on how it's programmed; or a cell phone equipped with the intelligence to detect the strongest signals in a particular area and change the phone's settings to subscribe to them, regardless of whether they belong to a GSM, CDMA or some other type of network.

Although the software-defined radio industry has generally found welcoming treatment on the FCC's part so far, some security experts said the agency's recent take on open-source software is unjustified.

"Obscurity works best when the hackers can't test their attacks," said Peter Swire, an Ohio State University law professor who has written about the tensions between closed and open approaches to computer security. "For software like this, used in distributed devices, there should be no extra burden on open source."

There's also no clear evidence that the number of vulnerabilities in open-source software differs dramatically from that of proprietary software, said Alan Paller, director of research for the SANS Institute, which provides computer security training. (Some earlier studies have found that the generally more intensive scrutiny of open-source code can help keep its quality higher and vulnerabilities lower.)

"They should be defining it as software with reliable maintenance or software without reliable maintenance--that's the fundamental security issue," Paller said in a telephone interview. "If I don't have somebody I can call when I find out there's a vulnerability in my software, I'm dead."

Already in military use
The term software-defined radio hasn't exactly made it into public consciousness yet, but the technology has been gaining traction in military and public safety spheres. Perhaps the highest-profile example is the Pentagon's Joint Tactical Radio System project, which is designed to give soldiers in the field the ability to shuttle voice, data and video across multiple networks.

Commercial offerings, however, remain in the early stages. About three years ago, the FCC awarded its first specialized software-defined radio license to a small firm called Vanu. That company went on to produce the first commercially available base station that can support multiple wireless standards--GSM, CDMA, iDEN and others--from a single piece of hardware, which it markets as a more cost-effective, time-efficient approach. According to the FCC, some CDMA mobile phone networks and wireless local area network devices are also using the technology in some form.

8 comments

Not Bad
Not a bad article for c-net. This one actually has some journalistic value.

As much as I like the idea of open source software in general, I can see the FCC's point. You cannot have companies and individuals distributing devices that can be easily altered to interfere with the public service or military bands. Think what would happen if some kid changed his device to broadcast on the police or EMS band and sent them to the wrong location. This is one situation where the security scheme should be kept within the industry or even the company. In their ruling, as reported by c-net, the FCC recognizes that no device is unhackable; however, they are basically saying that if you are going to do this you should make it as difficult as humanly possible. Part of that idea is to not tell the world how you are securing the device. Yeah, it is a mass-distributed device and somebody can get in there and play with the firmware and rig it to do anything in the realm of reason (and probably a few things not so much in it), but if you don't tell them how you did it then you have just made their job harder.

It was noted, and I would put an emphasis on it here, that the FCC did not put limits on the development of the technology itself. They probably don't really care how you pick up signals. And they don't limit how you pick up open air signals anyway, given they are downlink signals only (nearly all open air systems are). To be clear, I am defining an open air system as an open, free broadcast that requires no specialized equipment beyond what is normally available on the open market and no subscription or encryption key. And besides military bands, people have been able to pick up police and other public service bands for years without issue. So I don't think that now they are going to suddenly reverse thirty years of precedent because the idea is being adapted to new technology.

However, this system can also be used to pick up closed broadcasts (anything not in the definition above). This is where the need for tighter security comes in. Nobody should be able to easily hack into a device and illegitimately pick up a proprietary or secured broadcast. This is the crux of the FCC's argument. And they are basically saying that in their view, the best way to secure anything is to not tell everyone how you are doing it. This does not prohibit those working on the device from discussing how to secure it, it just limits it to intra-industry dialogue. That is how most things are done anyway.

And on top of this they even say you can use open source code for security, but since everybody knows about it you are going to have to work harder to secure it and then prove that. This is not at all an unreasonable statement.
Posted by BrandonEubanks (33 comments)
I concur, well spoken and well put. This is perhaps the least biased open source vs. closed source article I have seen to date.
Posted by add1kt (1 comment)
Software Freedom Law Center paper
The Software Freedom Law Center white paper is posted at http://www.softwarefreedom.org/resources/2007/fcc-sdr-whitepaper.html
Posted by jrgarrison (1 comment)
Thank you.
We've added a link to the white paper.
Posted by Zoe Slocum (42 comments)
FCC the stupid people in the room
After 4 years in the Army and 20 years in telecommunications in the field, I have never seen so many stupid people that keep telling you how unsafe open source code is after time and time again they have been proved wrong.
Most of the code they use on their network was based on secure code made by companies with a history of high-level breaches. But we are to understand. When technology is based on lawyers and not engineers, we all lose in America.
Posted by cohaver (189 comments)
FCC seems to walk backward into history...
They still must learn that open source is the best way to ensure it has industrial strength security. (* LOL *)

Everybody (with exception of the FCC of course) knows this.

If the code is made open source, everybody will look for ways to crack into it... they will look for vulnerabilities not otherwise locatable without the source code.

The best way to get a security scan is to hand your source over to hackers... (* GRIN *) If there's a flaw or weakness in the code... THEY WILL FIND IT.

But if you hand the source code over to say Microsoft or any other 3rd party security screener... they may or may not find ALL of the flaws and you've got to pay for those scans as well. (* CHUCKLE *)

I think the problem the feds are facing is that with open source, the bad guys get their hands on good code and modify it such that the feds cannot tap into it any more, and "THAT" is why they're snubbing it. (* LOL *)

FWIW
Posted by wbenton (522 comments)
Obscurity is not security
The Feds are following the oldest myth in security. Obscurity has nothing to do with security. If the FCC wants to disallow smart radios then let them give real reasons for doing so. Telling us it is because of Open Source is a complete lie based on a myth.

Open Source has bugs like any other software development model, but they are found and fixed much faster. There's a reason why no one in their right mind would take a laptop running Windows to Defcon or any of the other computer security trade shows.

http://articles.techrepublic.cbsi.com/5100-10877-6064734.html
Posted by jabbotts (492 comments)
One exception
Security through obscurity is quite effective when it comes to passwords and private keys. :)
Posted by ralfthedog (1589 comments)