RED - Radio Equipment Directive 2014/53/EU - Long Term strategy for Europe?

Hello,
From time to time OpenWRT is mentioned as causing or being affected by potential issues with compliance to the RED directive (Example in German: Heise.de).

This can be regarded as a potential issue for replacing the initial firmware with OpenWRT, because manufacturers might decide to comply with article 3(3)i by making it hard to replace their firmware (locked-down hardware). TP-Link did so in the past when they tried to be more FCC compliant (example: Routers affected by FCC restrictions).

The relevant article says:

  1. Radio equipment within certain categories or classes shall be so constructed that it complies with the following essential requirements:
    ...
    (i) radio equipment supports certain features in order to ensure that software can only be loaded into the radio equipment where the compliance of the combination of the radio equipment and software has been demonstrated.
    ...

Mostly, we might cause non-compliance because OpenWRT might allow users to exceed TX-power or devices might not correctly apply DFS (~radar detection). The difference to the original-manufacturers-compliance is not large and this might reduce our efforts if we just need to show OpenWRT does not invalidate the original-manufacturers-declaration-of-conformity.

What's the long term strategy for us?

  1. Simply ignore and rely on unlocking hardware?
  2. Offer regional builds that comply with the relevant regulation?
  3. Reach out and cooperate with manufacturers?

I am pretty sure, ignoring this topic will put us in a bad, defensive position and might lead to Regulators constraining us, so that's probably not a long term solution.

We as individuals are IMHO allowed to replace firmware as long as we do not cause interference. But this is not so easy anymore if OpenWRT is to be used in a commercial setup. More important: original-manufacturers might decide they need to lock us out, thus giving us a hard time reusing and improving their hardware.

I am interested in your opinions. What can we do?

2 Likes

Isn’t this the normal EU state governments’ way of dealing with Brussels? At least until Great Britain took it a step further and bailed out 😄

But to be honest we already broke both CE by opening the case and adding a serial port and EEC rules by changing the EMC values already. So why not go for a hat trick 😎
FCC is a US thing, so no one cares about that.

But I don’t really see the manufacturers cooperating with Open source firmware developers since they don’t do it to begin with “if you install anything else on this device the warranty expires” thing…

Thank you for replying, but I do not agree that this is a viable long-term solution and I just added it as a "keep-it-as-it-is" option.

Long term, manufacturers will have to lock devices down even more than just that, if we gain too much popularity and people are using OpenWRT at a larger scale. End users are not supposed to be able to change the radio-equipment-setup as demonstrated to be compliant according to the RED.

Long term, projects that allow end-users to make modifications that are considered "against the law" might be regarded illegal. If we are not prepared this could hit us. In case we are not prepared at all, it might hit us even harder.

The European directives are aimed mainly towards market actors (manufacturers, importers) that put devices onto the market and not end-users. We, as end-users & developers & security-researchers, need to worry if we really cause RF-interference. Just opening an enclosure does not automatically cause non-compliance, it just voids some manufacturer warranties, but compliance is normally still OK. Also, we as single users might be responsible for a couple of devices, while a manufacturer sells thousands of devices. Adding too high gain antennas or tinkering with the EEPROM values for RF-power, that's something potentially invalidating the DoC (Declaration of Conformity).

I am hoping to spark off better ideas than the ones currently coming to my mind. Cheers!

I would say they sell billions of devices per year in EU.
How many people of the whole population of the EU do you believe exist that have the geek level of know-how and willpower to actually make this modification to a router?
100 or maybe 1000?

We will not reach any magic level of popularity since the standard living person simply doesn’t give a shit about the firmware in the router. They don’t even change the original password.

And if the EU market gets locked devices from the manufacturers, what do you think happens then?

Ebay and Amazon to the rescue, and then the few that really want a router with OpenWRT buy devices from abroad without hardware lock, since they most often only need a 12V DC adapter or any other DC adapter to run.

But this law about radio transmitters has been local law ever since radios were invented, so it isn’t something new anyway.

Option 3. is the only sane long term strategy, imho.

@flygarn12 You seem confident things will remain as they are right now. Perhaps we can, however, find an even better answer.

@jow Do you have ideas how this could be expanded & built upon?

For instance: Do you know why Buffalo and GL.inet are using OpenWRT without making it difficult to replace it with vanilla OpenWRT? Did OpenWRT developers help them and in the end they saved development effort? Is that something OpenWRT could offer other manufacturers as well so both parties (manufacturer and OpenWRT) have an advantage from that?

1 Like

I have lived very long in this EU thing and lived before the EU thing. My experience with all these directives that are spraying out from Brussels is to cool down until anything is actually implemented EU wide so we see what the real end result became.
And to see how the world responds.

1 Like

@flygarn12 That is an opinion, thank you. I do not share that view.

I think OpenWRT has a lot to offer for manufacturers. Of course article 3(3)i is annoying and not in our favour. It is good to see the FSFE, Netzpolitik.org, etc. working on showing why this must be changed and I wish them all the best.

In the past manufacturers were facing issues like:

  • outdated kernel and thus vulnerabilities
  • long release cycles until their firmware is updated, leaving users and interconnected devices vulnerable for an extended period of time.
  • sometimes no updates at all

However, if the draft delegated article finds its way to being compulsory legislation, especially then OpenWRT would be very useful for manufacturers and save them a lot of development effort in order to comply:
It would require manufacturers to protect users from cyber security risks (Points (d), (e) and (f) of Article 3(3) of Directive 2014/53/EU aim at ensuring that the concerned radio equipment protect the user from elements of cyber security risks.)
With OpenWRT, the necessary requirements to comply are already present. If not using Linux in internet-connected-devices, few other embedded operating systems offer the same level of security AND broad support in terms of developers/hardware support. It would not be cost-effective for manufacturers to implement their own system and basically redo a lot of the work OpenWRT already did.

Using OpenWRT as foundation to build their own software on would put manufacturers in a better position, because:

  • They do not have to start from a board-support-package or scratch
  • Quite recent kernel and packages, thus having fixes against the CVEs
  • a robust update mechanism

And if they show compliance to the radio and non-radio functions with the OpenWRT-based derivative, this would in return justify why OpenWRT does not automatically invalidate their declaration of conformity if changes do not affect the radio functions. When accepting patches this would be a good check to classify if this might potentially affect radio-functions and thus compliance. If not, no costly retesting is necessary at all.

Wikipedia lists several manufacturers already using OpenWRT in (some) of their products. Does anyone have an insight or contacts why these companies are using it and how they like it? This might be something where we can shape a win-win for manufacturers and this project while still meeting the (future) legal requirements.

Edit #1: This idea (using OpenWRT as a cost-effective choice for manufacturers and showing compliance to RED that way, thus allowing us to freely modify parts of the software not affecting compliance to the RED) aligns quite well with the aims of the "Cybersecurity-strategy" of Germany: https://www.bmi.bund.de/SharedDocs/downloads/DE/veroeffentlichungen/2021/06/entwurf-cybersicherheitsstrategie-2021.pdf;jsessionid=D9F56CCC29300376F3A06BD8FC7782A5.2_cid295?__blob=publicationFile&v=1
That document says in chapter 8.2.9 that Open-Source can be used to achieve "Security by design" and as we know only Open-Source gives transparency. This transparency can only be achieved by publishing the source code. In contrast, closed software reduces public traceability, auditability and thus acceptance of implementations in products for the majority of security-interested citizens - which makes the Cybersecurity concept fall short of its aim to be widely acceptable if it would deem solely closed-source software acceptable. For security, the preference for products that are open, auditable, approachable is logical. The commercial aspect (free, non-paid software) is something that can be seen differently and is not necessarily needed to achieve transparency.

Also considering the way we are taking with WiFi ac and now ax... The simple fact that we have proprietary firmware that is really an external system that communicates with the router, in theory the rule should already be followed... But it's too generic... Nowadays it's hard to violate regulation as the firmware internally will simply reject it.

3 Likes

Some routers (Linksys WRT3200ACM, for example) have locked the radio firmware to a specific region and settings, so any third party router firmware is also locked.

OEM firmware is overwhelmingly Linux-based these days, and a great deal of it is OpenWRT based. (Including my EOL Zyxel access point.)

There's a case to be made that standard FOSS license agreements should preclude locking out third-party firmware. In other words, if you base your OEM firmware on FOSS, you must permit installation of FOSS firmware, or be in violation.

2 Likes

@Ansuel: Partially true, because suddenly there is something like this Firmware-hack, where the WiFi-card-Firmware-blob suddenly can do all sorts of things.

I mean, vendors are already busy locking (or so far trying to lock) their devices (AVM is experimenting with EFI, Xiaomi AX devices have RX pin disabled, etc.). Long term it will be more and more difficult to gain access...

We could perhaps agree on fundamental rules, that we do not invalidate the radio-compliance in binary builds. People gaining the expertise to compile their own firmware can always circumvent software limitations and this should also remain in their responsibility. Such clever people can be expected to be smart enough to know if what they are doing is legal or not.

@Cheddoleum: I agree, and OpenWRT could also do their part and NOT make it very easy to violate radio-limits just by entering incorrect settings. If the binary builds would be compliant, that could be used to show that we are at least not invalidating radio-compliance for the average user that does not compile his own firmware.