MAYTON
Declaration of Software Security Requirements Letter

Federal Communications Commission
Authorization and Evaluation Division
7435 Oakland Mills Road
Columbia, MD 21046

Date: 2024-03-29

SUBJECT: FCC UNII Software Security Description for FCC ID: 2BAG8-AUTOPROX

To Whom It May Concern:

The information within this section of the Operational Description is to show compliance with the Software Security Requirements laid out within KDB 594280 D02 U-NII Device Security. An applicant must describe the overall security measures implemented in the device that ensure that the device cannot be modified by any RF-related software changes by third parties to operate outside the authorized RF parameters without further approval from the FCC. The following description of the RF-related software addresses the following questions in the operational description for the device and demonstrates how the device meets the RF-security requirements.

Software Security Description

General Description

Question
1. Describe how any software/firmware updates for elements that can affect the device's RF parameters will be obtained, downloaded, validated and installed. For software that is accessed through the manufacturer's website or the device's management system, describe the different levels of security as appropriate.
2. Describe the RF parameters that are modified by any software/firmware without any hardware changes. Are these parameters in some way limited such that any other software/firmware changes will not allow the device to exceed the authorized RF characteristics?
3. Describe in detail the authentication protocols that are in place to ensure that the source of the RF-related software/firmware is valid. Describe in detail how the RF-related software is protected against modification.
4. Describe in detail any encryption methods used to support the use of legitimate RF-related software/firmware.
5. For a device that can be configured as a master and client (with active or passive scanning), explain how the device ensures compliance for each mode. In particular, if the device acts as master in some band of operation and client in another, how is compliance ensured in each band of operation?

Answer
There is no downloadable software provided by the manufacturer that can modify critical radio transmitter parameters. Cannot be modified or overridden by third parties. Radio frequency parameters are embedded at the time of production in the factory as approved by the FCC. These parameters are therefore fixed at the factory such that they will not exceed the authorized values. The firmware is programmed at the factory and cannot be modified by third parties. The firmware is programmed at the factory and cannot be modified by third parties; therefore no encryption is necessary. Only the frequency passed through the test can be changed.
20 MHz: 36, 40, 44, 48
40 MHz: 38, 46

Third-Party Access Control

Question
1. Explain if any third parties have the capability to operate a U.S.-sold device on any other regulatory domain, frequencies, or in any manner that may allow the device to operate in violation of the device's authorization if activated in the U.S.
2. Describe, if the device permits third-party software or firmware installation, what mechanisms are provided by the manufacturer to permit integration of such functions while ensuring that the RF parameters of the device cannot be operated outside its authorization for operation in the U.S. In the description include what controls and/or agreements are in place with providers of third-party functionality to ensure the device's underlying RF parameters are unchanged and how the manufacturer verifies the functionality.
3. For Certified Transmitter modular devices, describe how the module grantee ensures that host manufacturers fully comply with these software security requirements for U-NII devices. If the module is controlled through driver software loaded in the host, describe how the drivers are controlled and managed such that the modular transmitter RF parameters are not modified outside the grant of authorization.

Answer
Third parties do not have the capability to operate in any manner that is in violation of the certification in the U.S. No. The device does not permit third-party software or firmware installation. Not Applicable. This device is not a modular device.

In addition to the general security consideration, for devices which have User Interfaces (UI) to configure the device in a manner that may impact the operational RF parameters, the following questions shall be answered by the applicant and the information included in the operational description. The description must address if the device supports any of the country code configurations or peer-peer mode communications discussed in KDB 594280 Publication D01.

Software Configuration Description Guide

User Configuration Guide

Question
1. Describe the user configurations permitted through the UI. If different levels of access are permitted for professional installers, system integrators or end-users, describe the differences.
a. What parameters are viewable and configurable by different parties?
b. What parameters are accessible or modifiable by the professional installer or system integrators?
(1) Are the parameters in some way limited, so that the installers will not enter parameters that exceed those authorized?
(2) What controls exist that the user cannot operate the device outside its authorization in the U.S.?
c. What parameters are accessible or modifiable by the end-user?
(1) Are the parameters in some way limited, so that the user or installers will not enter parameters that exceed those authorized?
(2) What controls exist so that the user cannot operate the device outside its authorization in the U.S.?
d. Is the country code factory set? Can it be changed in the UI?
(1) If it can be changed, what controls exist to ensure that the device can only operate within its authorization in the U.S.?
e. What are the default parameters when the device is restarted?
2. Can the radio be configured in bridge or mesh mode? If yes, an attestation may be required. Further information is available in KDB Publication 905462 D02.
3. For a device that can be configured as a master and client (with active or passive scanning), if this is user configurable, describe what controls exist, within the UI, to ensure compliance for each mode. If the device acts as a master in some bands and client in others, how is this configured to ensure compliance?
4. For a device that can be configured as different types of access points, such as point-to-point or point-to-multipoint, and use different types of antennas, describe what controls exist to ensure compliance with applicable limits and the proper antenna is used for each mode of operation. (See Section 15.407(a))

Answer
The UI is accessible to anyone using the device, but the UI never gives access to specific operation parameters, which are frequency of operation, power settings, antenna type settings, receiver thresholds, or country code settings. Nothing to control the radio operation parameter for professional installer/end-user. There is not any Wi-Fi parameter which is accessible or modifiable to the professional installer. This device is not subject to professional installation. This device is not subject to professional installation. This device is not subject to professional installation. The end user cannot change the antenna gain and country code; those settings are programmed at factory production time. Yes. The system firmware is programmed and protected in flash memory. The professional installer/end-user cannot access the flash memory. There is a country code regulatory parameter that limits the product from operating outside its authorization in the U.S. Default country code is set in the factory and no UI is provided for modification. Programmed for default mode which is always FCC compliant. Always set for default for all start-ups, resets, timeouts or other host or network events. Always FCC compliant. Not supported. This is a client device. This device is not an access point.

Sincerely,

Client's signature:
Client's name & title: Lim DooYoung / senior executive
Contact information / address: +82 010-4188-7773 / 404, Annam-ro, Bupyeong-gu, Incheon, Republic of Korea