Open Source and Security: Are there Limits?


You might think that's a pretty ridiculous question to ask, since the canard about open source being less secure than closed source has been debunked many times. But it seems that some people didn't get the memo:

A system that is wholly dependent on open source elements will have a high burden to demonstrate that it is sufficiently secure to warrant authorization as a software defined radio.

This comes from the US Federal Communications Commission, no less, and involves the interesting area of “software-defined radio”. But contrary to appearances, this is not just your usual “open is insecure, closed is secure” trope. Here are some more details of the FCC's reasoning:

The Commission's rules require that a software defined radio manufacturer take steps to ensure that only software that has been approved with a software defined radio can be loaded into the radio. The software must not allow the user to operate the transmitter with radio frequency parameters other than those that were approved by the Commission. The Commission's rules require that the manufacturer have reasonable security measures to prevent unauthorized modifications that would affect the RF operating parameters or the circumstances under which the transmitter operates in accordance with Commission rules. Manufacturers may select the methods used to meet these requirements and must describe them in their application for equipment authorization.

The Commission's concern is only with disclosure of those particular elements of a security scheme when such disclosure could facilitate defeating the security scheme. Thus, manufacturers can make whatever information they wish concerning their security methods public, provided they can demonstrate the implementation has a means of controlling access to the distinctive elements that could allow parties to defeat or circumvent the security methods.

The Commission emphasizes that it does not prohibit the use of open source software in implementing software defined radio security features. The Commission's concern with open source software is that disclosure of certain elements of a security scheme could assist parties in defeating the scheme.

It's an interesting question, which applies to many other areas that have hitherto depended on security by obscurity. Once you bring in free software, that won't work, at least not in the way it has. So the issue then becomes: how can these two aspects be squared?

Does it mean, for example, that some parts of the code need to be burnt into hardware so that they can't be changed? After all, the problem is not that people can *see* the radio frequency parameters, but that they might *change* them so as to interfere with other services. Burning them into ROM would allow them to be seen, but not changed (or at least, not easily). Or are there other, better solutions? Answers on the back of a radio packet...

Update: Bradley Kuhn has pointed out to me that this is in fact a long-running saga, and that the Software Freedom Law Center has written a long and useful document discussing the issues.

Follow me @glynmoody on Twitter or
