Naked Security

Cybersecurity experts battle for right to repair

A battle rages between manufacturers and users over who can repair a product, with tech companies using security concerns as a weapon.

A battle is playing out between manufacturers and users over who has the right to repair a product – and tech companies are using cybersecurity concerns as a weapon.

Across the US, states have been mulling right-to-repair legislation that would let users repair their own devices, opening up access to verified parts and technical documentation. It’s a reaction to moves by manufacturers such as Apple to lock down the repair process to authorized partners.

Earlier this week, California State Assembly Democrat Susan Talamantes Eggman pulled proposed right-to-repair legislation from consideration by the State’s Privacy and Consumer Protection Committee because it didn’t have the support it needed. She accused industry lobbyists of shooting down the bill, telling Motherboard:

Manufacturers had sown enough doubt with vague and unbacked claims of privacy and security concerns.

Privacy, security and injury

According to the site, vendors and industry associations had been lobbying lawmakers to argue that the right to repair was a bad idea. Apple warned that people trying to repair their own iPhones might puncture the battery and injure themselves.

Industry group CompTIA had also approached lawmakers with a letter sounding the cybersecurity alarm. It warned them that opening up repair rights to the general public could make products less secure. This is similar to claims it made in March 2017, when it sent a statement to the Nebraska Legislature protesting a potential right-to-repair bill in that state. The Nebraska letter pointed out that hackers are constantly trying to break into devices, adding:

Any weakening of the current standards, including sharing sensitive diagnostic tools and proprietary hardware data, could expose customers to risk.

Not so, say cybersecurity professionals. Last November, technology journalist Paul Roberts founded securerepairs.org, an advocacy group that supports right-to-repair legislation. This week, it announced support from over 20 cybersecurity rock stars, who will speak out for right-to-repair legislation across the US.

These spokespeople include Bruce Schneier, a ‘public interest technologist’ and cybersecurity expert who is a board member of the Electronic Frontier Foundation (EFF), and Katie Moussouris, CEO of Luta Security. Dan Geer, the CISO of the CIA’s non-profit venture arm, In-Q-Tel, is also on board, as is Chris Wysopal, CTO at Veracode and former member of the L0PHT collective. L0PHT was an elite hacker group that testified before the US Congress in 1998, warning it early about the dangers of not securing internet-facing products and services. We all know how that went.

In an open letter written back in February, securerepairs.org supporter Joe Grand explained why the vendors’ cybersecurity argument doesn’t wash with him. Grand, who was a member of L0PHT along with Wysopal, is also a computer engineer with experience in designing and manufacturing hardware.

He said:

When implementing security to modern day best practices, having physical access to a device should not weaken security in most situations, particularly during the ordinary business of repair. Devices with well-planned security initiatives will isolate components that are critical to security within a physically protected and access-controlled area.

He cites Apple’s Secure Enclave technology, which stores hardware security secrets, along with similar processor-level measures from Intel, whose platforms store hardware security data in a trusted platform module (TPM).

In fact, he argues that opening up the right-to-repair and providing access to original parts and documentation actually lowers the risk of compromise.

Those that repair devices may be innocent, unwitting parties in a malicious attack by being forced to obtain components from unverifiable sources of questionable quality.

A long way to go

There have been some positive moves for right-to-repair advocates recently. In October, the Library of Congress and Copyright Office created an exemption to the Digital Millennium Copyright Act (DMCA), allowing people to circumvent technological protection measures (TPMs in the DMCA’s sense, not the trusted platform modules mentioned above) and other electronic locks in smartphones and home systems for maintenance or repair purposes. So you won’t get hauled off to jail for hacking your own Apple T2 chip.

Still, right-to-repair advocates have a long way to go.

Using security as an argument against right-to-repair also opens up another question: what about software patches? Patches are a kind of repair meant to make software more secure. They normally come from the software’s vendor, but if the vendor doesn’t release a patch in time, or the program reaches the end of its support period, should others be allowed to create patches for that proprietary software?

What are your views on the effects of user repair on cybersecurity? Should vendors make it easy for people to repair their products by publishing technical documentation and selling verified parts to customers, or are they right to keep their technical repair secrets locked up tight?

10 Comments

I’m good with a right to repair (do we really need more laws?), but at the same time I don’t think a company should have to give up trade secrets to the general public. If you get hurt working on something you didn’t understand, boohoo. Some people don’t even know how to put out fires (don’t throw water on a grease or electric fire, simple example). It’s our own responsibility to know what we are doing (repair or putting out fires). If you don’t know, learn or don’t do it. Oh, you forgot to drain a cap? Hope it was under 1 mA.
If fixing things is a crime unless authorized by the manufacturer, they are going to need to build a few million more prisons.

It’s all about $$$.
I am no technician, but have been fixing my own computers, tablets and phones since before the millennium. As well, I have been repairing and providing virus cleaning for friends’ devices at no charge. At least, if I can’t repair it, I can tell them what is wrong so they can have it professionally serviced.
I currently have to repair my own two-year-old laptop as the battery is as “ded” as the proverbial doornail. Documentation used to be easy to get. Now, however, it is becoming more difficult to find for newer products. Whether manufacturers are just hiding it better or it is simply not being published, I don’t know.

Corporate secrets should not be forced to leak.
In the same breath, anti-repair measures should not be legal.

There’s a reasonable middle ground here.

Every consumer should have the right to repair their own stuff. If the consumer does not possess the technical skills to repair, they should have the right to have it repaired anywhere they see fit. The industry as a whole should move to open standards which are verifiable and can be validated by orgs or individuals. This is a critical juncture for the future of tech. Be on the right side of history.

I agree that we should have the right to repair our stuff, but the saying ‘be on the right side of history’ is meaningless.

