Cybersecurity experts battle for right to repair

A battle is playing out between manufacturers and users over who has the right to repair a product – and tech companies are using cybersecurity concerns as a weapon.

Across the US, states have been mulling right-to-repair legislation that would let users repair their own devices, opening up access to verified parts and technical documentation. It’s a reaction to moves by manufacturers such as Apple to lock down the repair process to authorized partners.

Earlier this week, California State Assembly Democrat Susan Talamantes Eggman pulled proposed right-to-repair legislation from consideration by the State’s Privacy and Consumer Protection Committee because it didn’t have the support it needed. She accused industry lobbyists of shooting down the bill, telling Motherboard:

Manufacturers had sown enough doubt with vague and unbacked claims of privacy and security concerns.

Privacy, security and injury

According to the site, vendors and industry associations had been lobbying lawmakers to argue that the right to repair was a bad idea. Apple warned that people trying to repair their own iPhones might puncture the battery and injure themselves.

Industry group CompTIA had also approached lawmakers with a letter sounding the cybersecurity alarm. It warned them that opening up repair rights to the general public could make products less secure. This is similar to claims it made in March 2017, when it sent a statement to the Nebraska Legislature protesting a potential right-to-repair bill in that state. The Nebraska letter pointed out that hackers are constantly trying to break into devices, adding:

Any weakening of the current standards, including sharing sensitive diagnostic tools and proprietary hardware data, could expose customers to risk.

Not so, say cybersecurity professionals. Last November, technology journalist Paul Roberts founded an advocacy group that supports right-to-repair legislation. This week, it announced support from over 20 cybersecurity rock stars, who will speak out for right-to-repair legislation across the US.

These spokespeople include Bruce Schneier, a ‘public interest technologist’ and cybersecurity expert who is a board member of the Electronic Frontier Foundation (EFF), and Katie Moussouris, CEO of Luta Security. Dan Geer, the CISO of the CIA’s non-profit venture arm, In-Q-Tel, is also on board, as is Chris Wysopal, CTO at Veracode and former member of the L0pht collective. L0pht was an elite hacker group that testified to US Congress in 1998, warning it early about the dangers of not securing internet-facing products and services. We all know how that went.

In an open letter written back in February, supporter Joe Grand explained why the vendors’ cybersecurity argument doesn’t wash with him. Grand, who was a member of L0pht along with Wysopal, is also a computer engineer with experience in designing and manufacturing hardware.

He said:

When implementing security to modern day best practices, having physical access to a device should not weaken security in most situations, particularly during the ordinary business of repair. Devices with well-planned security initiatives will isolate components that are critical to security within a physically protected and access-controlled area.

He cites Apple’s Secure Enclave technology, which stores hardware security secrets, along with similar processor-level measures from Intel, which stores hardware security data in a trusted platform module (TPM).

In fact, he argues that opening up the right-to-repair and providing access to original parts and documentation actually lowers the risk of compromise.

Those that repair devices may be innocent, unwitting parties in a malicious attack by being forced to obtain components from unverifiable sources of questionable quality.

A long way to go

There have been some positive moves for right-to-repair advocates recently. In October, the Library of Congress and Copyright Office created an exemption to the Digital Millennium Copyright Act (DMCA), allowing people to circumvent technological protection measures (TPMs, in the DMCA’s sense of the term, not to be confused with the trusted platform module above) and other electronic locks in smartphones and home systems for maintenance or repair purposes. So you won’t get hauled off to jail for hacking your own Apple T2 chip.

Still, right-to-repair advocates have a long way to go.

Using security as an argument against right-to-repair also opens up another question: what about software patches? Patches are a kind of repair supposed to make software more secure. They normally come from the software’s vendor, but if the vendor doesn’t release a patch in time or the program reaches the end of its support period, should others be allowed to create patches for their proprietary software?

What are your views on the effects of user repair on cybersecurity? Should vendors make it easy for people to repair their products by publishing technical documentation and selling verified parts to customers, or are they right to keep their technical repair secrets locked up tight?