A few days ago a Defcon 23 talk about “ProxyHam”, a privacy device meant to disassociate an IP address from a physical location, was abruptly cancelled by its presenter. No clear reason was provided for the cancellation. Almost immediately, public opinion rushed to fill the void with all manner of explanation, sadly careening down paths of wild conspiracy. I, however, believe there is a relatively simple explanation for why the talk was cancelled.
I say “relatively simple” in jest, and you’ll soon discover why. When the talk was announced it received lots of attention, likely including attention from folks who are quite knowledgeable in the matter of FCC regulations. I believe that once one or more of these folks suggested to the presenter, Ben Caudill, that his device was likely skirting the edge of legality (especially if he intended to market/sell it as a product), he decided it would be in his best interest to cancel. Regardless, theories are not what this post is about. This post is about the facts pertaining to the questionable legality of the ProxyHam device. I’ll preface this by saying that I don’t claim to be an expert; I’m merely a radio geek looking to dig up some truth.
Let’s start with the first point of confusion: the 900MHz band. There are many complexities in the FCC’s band allocations. Most bands have several allocated users and use cases, split between “primary” and “secondary” allocations. Indeed, the 900MHz band (comprising 902-928MHz) is one with many allocations. The primary user is the U.S. Navy, followed by several secondary users, including ISM and Amateur Radio.
The next point of confusion is the use of “ham” in the name. This led many (myself included, as a General-class licensed ham) to assume that the device was taking advantage of licensed Amateur Radio privileges in the 900MHz (33cm) band. As details emerged about the device’s capabilities, however, it became clear that this couldn’t legally be the case. FCC regulations for Amateur Radio (Part 97) forbid the use of codes (read: encryption), meaning that the ProxyHam device couldn’t legally run an encrypted WiFi bridge as such a “privacy device” would surely need. There is much contention in the community about this point, but the rules are quite clear: the use of codes/ciphers meant to obscure the meaning of communication is only permitted for control signals. For example, in the case of ProxyHam, this means that only signals meant to control/operate the base station could be encrypted if operating under Amateur Radio privileges.
With Amateur Radio ruled out, there remain only two possibilities for unlicensed operation of the ProxyHam device: industrial, scientific, and medical equipment (ISM) rules (Part 18), or generic unlicensed intentional radiator rules (Part 15). Right away, we can easily disqualify ISM: section 18.107(c) explicitly excludes telecommunications devices. That leaves us with the very complex rules of FCC Title 47 Part 15 as they pertain to unlicensed, low-power telecommunications emitters.
I’ve seen many conversations on Twitter indicating that people wrongly believe that consumer WiFi devices are ISM equipment since they operate in “ISM bands”. In reality, they’re actually unlicensed Part 15 devices operating as secondary users in shared band space (as described above), often coinciding with ISM allocations. Given the evidence presented so far, the ProxyHam device must operate as a Part 15 device, and is thus required to meet a number of complex, not well understood rules. I am not familiar with the exact transmission modulation(s) used by the commodity device in question (Ubiquiti M900), but some quick research shows that it’s similar to 802.11n OFDM. Given that OFDM is a spread spectrum technology that’s not frequency hopping, it’s not immediately clear which section of Part 15 governs the device (read: after several hours of reading I still haven’t figured it out). We have two options:
- Section 15.247: mostly refers to frequency hopping devices but in some instances mentions “digital modulation” and “spread spectrum” by themselves.
- Section 15.249: the catch-all for other intentional radiators in the 900MHz band.
In the first case, the device would be limited to a maximum of 1W (30dBm) output power. However, this is based on the use of a directional (beam) antenna with gain not exceeding 6dBi. When using a directional antenna with gain greater than 6dBi in 900MHz, you must lower the output power of the device by 1dB per dB over the 6dBi limit. In the case of the 16dBi Ubiquiti antenna seen in some ProxyHam photos (included below), this would mean lowering the output power of the M900 to 18dBm (down 10dB from the device’s maximum 28dBm power).
In the second case, the device would be limited to a maximum field strength of 50 millivolts per meter, measured at a distance of 3 meters. Actually measuring field strength requires specialized equipment that tends to be expensive.
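To put the two candidate limits on the same scale, here is an added example (not from the original post) that applies the Section 15.247 back-off rule as described above and converts the Section 15.249 field-strength limit into an equivalent EIRP. It goes one step beyond the text by assuming the standard free-space far-field relation E = sqrt(30 × EIRP) / d; the function names are illustrative.

```python
import math

# Limits as described in the post (not quoted from the CFR text itself).
MAX_CONDUCTED_DBM_15_247 = 30.0      # 1 W conducted output power
FREE_GAIN_DBI_15_247 = 6.0           # antenna gain allowed before back-off
FIELD_LIMIT_V_PER_M_15_249 = 0.050   # 50 millivolts per meter
FIELD_DISTANCE_M_15_249 = 3.0        # measurement distance


def watts_to_dbm(watts):
    """Convert power in watts to dBm (decibels relative to 1 mW)."""
    return 10 * math.log10(watts * 1000)


def max_conducted_dbm_15_247(antenna_gain_dbi):
    """Conducted power ceiling: 1 dB back-off per dB of gain over 6 dBi."""
    excess = max(0.0, antenna_gain_dbi - FREE_GAIN_DBI_15_247)
    return MAX_CONDUCTED_DBM_15_247 - excess


def eirp_dbm_from_field(e_v_per_m, distance_m):
    """Assumed free-space relation E = sqrt(30 * EIRP) / d, solved for EIRP."""
    eirp_watts = (e_v_per_m * distance_m) ** 2 / 30.0
    return watts_to_dbm(eirp_watts)


def max_conducted_dbm_15_249(antenna_gain_dbi):
    """Conducted power that keeps the radiated field at or under the limit."""
    eirp = eirp_dbm_from_field(FIELD_LIMIT_V_PER_M_15_249,
                               FIELD_DISTANCE_M_15_249)
    return eirp - antenna_gain_dbi


def required_backoff_db(device_max_dbm, ceiling_dbm):
    """How far the transmitter must be turned down from its maximum."""
    return max(0.0, device_max_dbm - ceiling_dbm)


if __name__ == "__main__":
    gain, device_max = 16.0, 28.0  # antenna gain and M900 maximum from the post
    for name, ceiling in (("15.247", max_conducted_dbm_15_247(gain)),
                          ("15.249", max_conducted_dbm_15_249(gain))):
        print(f"Section {name}: ceiling {ceiling:.2f} dBm, "
              f"back-off {required_backoff_db(device_max, ceiling):.2f} dB")
```

With the 16dBi antenna, the Section 15.247 ceiling comes out at 20dBm, so the 18dBm setting mentioned above sits within it. The Section 15.249 limit is equivalent to roughly 0.75mW of EIRP, which is several orders of magnitude less radiated power.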
As I’m sure you see by now, navigating the complexities of FCC regulations when it comes to these devices is neither easy nor straightforward. Just doing this research myself today left me in doubt about which regulations would actually apply to a device like ProxyHam, and I don’t think it’s a great leap to think that Mr. Caudill found himself in the same predicament. That said, I do believe that a device like ProxyHam (hopefully with a better name) is possible to build using off-the-shelf components, provided one is careful to conservatively adhere to the aforementioned regulations (adjusting power levels as needed).
If you’ve read this far, congrats and thanks! Hopefully you’ve learned something like I did while doing this research.
Image via Wired.