Feds snub open source for 'smart' radios

New FCC rules say open-source code for next-gen mobile tech has "high burden" to show it's secure. Some industry and security experts beg to differ.

Mobile-gadget makers are starting to take advantage of software-defined radio, a new technology allowing a single device to receive signals from multiple sources, including television stations and cell phone networks.

But a new federal rule set to take effect Friday could mean that radios built on "open-source elements" may encounter a more sluggish path to market--or, in the worst-case scenario, be shut out altogether. U.S. regulators, it seems, believe the inherently public nature of open-source code makes it more vulnerable to hackers, leaving "a high burden to demonstrate that it is sufficiently secure."

If the decision stands, it may take longer for consumers to get their hands on these all-in-one devices. The nascent industry is reluctant to rush to market with products whose security hasn't been thoroughly vetted, and it fears the Federal Communications Commission's preference for keeping code secret could allow flaws to go unexposed, potentially killing confidence in their products.

By effectively siding with what is known in cryptography circles as "security through obscurity," the controversial idea that keeping security methods secret makes them more impenetrable, the FCC has drawn an outcry from the software radio set and raised eyebrows among some security experts.

"There is no reason why regulators should discourage open-source approaches that may in the end be more secure, cheaper, more interoperable, easier to standardize, and easier to certify," Bernard Eydt, chairman of the security committee for a global industry association called the SDR (software-defined radio) Forum, said in an e-mail interview this week.

The Forum, which represents research institutions and companies such as Motorola, AT&T Labs, Northrop Grumman and Virginia Tech, urged the FCC to back away from that stance in a formal petition (PDF) this week.

Those concerns were endorsed by the Software Freedom Law Center, which provides legal services to the free and open-source software community, staff attorney Matt Norwood said in an interview this week.

Still, in a white paper released Friday, the group says there's also good news for its developers in the FCC's rule: because it focuses narrowly on security-related software, it appears that programmers would not be restricted from collaboration with hardware makers on the many other kinds of open-source wireless applications. (Many 802.11 wireless routers that are under the FCC's control already rely on open-source systems for network management.)

Software-defined radios--also known as "smart" or cognitive radios--are viewed by some as the foundation for the next generation of mobile technology. Traditional radios use electronic hardware to process signals--for example, to transform a particular type of radio waves into a radio station's musical broadcast or to screen out interference.

Expanding radio's scope
But software-defined radios put the brains of the operation into software that manages the signals being sent or received by the radio hardware. With that approach, new software downloads, as opposed to more labor-intensive hardware changes, could let radios do more than ever before.

Imagine, for instance, a single gadget that can deliver TV shows, terrestrial radio stations, cell phone calls and broadband, depending on how it's programmed; or a cell phone equipped with the intelligence to detect the strongest signals in a particular area and change the phone's settings to subscribe to them, regardless of whether they belong to a GSM, CDMA or some other type of network.

Although the software-defined radio industry has generally found welcoming treatment on the FCC's part so far, some security experts said the agency's recent take on open-source software is unjustified.

"Obscurity works best when the hackers can't test their attacks," said Peter Swire, an Ohio State University law professor who has written about the tensions between closed and open approaches to computer security. "For software like this, used in distributed devices, there should be no extra burden on open source."

There's also no clear evidence that the number of vulnerabilities in open-source software differs dramatically from that of proprietary software, said Alan Paller, director of research for the SANS Institute, which provides computer security training. (Some earlier studies have found that the generally more intensive scrutiny of open-source code can help keep its quality higher and vulnerabilities lower.)

"They should be defining it as software with reliable maintenance or software without reliable maintenance--that's the fundamental security issue," Paller said in a telephone interview. "If I don't have somebody I can call when I find out there's a vulnerability in my software, I'm dead."

Already in military use
The term software-defined radio hasn't exactly made it into public consciousness yet, but the technology has been gaining traction in military and public safety spheres. Perhaps the highest-profile example is the Pentagon's Joint Tactical Radio System project, which is designed to give soldiers in the field the ability to shuttle voice, data and video across multiple networks.

Commercial offerings, however, remain in the early stages. About three years ago, the FCC awarded its first specialized software-defined radio license to a small firm called Vanu. That company went on to produce the first commercially available base station that can support multiple wireless standards--GSM, CDMA, iDEN and others--from a single piece of hardware, which it markets as a more cost-effective, time-efficient approach. According to the FCC, some CDMA mobile phone networks and wireless local area network devices are also using the technology in some form.
