Right to repair movement and security concerns

There’s been a lot of talk around right to repair legislation so far this year, in both the US and Europe. And recently, Biden signed an order to have the FTC begin reviewing unnecessarily restrictive repair policies.

One of the main points I’ve seen people make against the order (besides John Deere yelling about tractor safety issues :wink:) is with regard to security. Thus far these repair restrictions have generally meant more limited access to things like device parts and manuals, and sometimes even software. But those things are likely to become more readily available now, and easy access to that info could pose risks for various devices, including cars.

People in the healthcare industry seem to have similar concerns, especially since we’ve already seen instances of people exploiting vulnerabilities in IoT medical devices. There’s also the issue of whether more third party repair services will lead to an increase in personal data breaches.

On the other hand, these repair restrictions have been used historically to hinder or outright block security research. In many cases security researchers have had to obtain prior permission when using devices for research purposes, and that’s just not always feasible. Having those restrictions lifted could help teams expand their research and make bigger strides in security technology.

So, what do you guys think? I’d be interested in hearing your thoughts on whether these updates will be an overall positive for the industry, especially for things like security research.

5 Likes

I think these concerns come across as fairly archaic and/or disingenuous. Any company bringing this up as a security concern is essentially saying they practice security through obscurity. Bad actors are eventually going to figure out how any new device/software works so they can profit from exploiting it; opening it up means more people will have a chance to catch any flaws and alert the manufacturer so the flaws can hopefully be fixed before they are exploited.

I’d be willing to bet most of this is just rhetoric companies are using to try and maintain a hold on lucrative and anti-competitive repair practices.

Personal data breaches are an understandable concern, but hopefully this just spurs manufacturers to make encrypting and locking down data on devices easier and more accessible to general users.
There will probably be some growing pains, but if this is successful then it will be a win for both consumers and security researchers.

4 Likes

I agree with Julian, hiding flaws behind red tape does not make them secure. Requiring repair manuals to be available forces companies to make better products because those flaws are going to be publicly facing. Look at the work that is done in the DEFCON villages like the car hacking or voting booth villages; these are people that are not looking to profit from the found vulnerabilities but to report them to the company because they want the products they use to be better and safer. The people profiting from corner cutting are the companies, at the end user’s expense. If I found a part in a repair manual that was vulnerable to breakage, I’d find a way to reinforce it to protect my investment, then report it to the company to help others in my community. Restricting public access to repair manuals never stopped a phreak from getting their hands on one; the companies would just rather spend their money on legislated resources instead of product improvement. I remember when computers back in the ’80s used to come with a manual containing the schematics of the motherboard; funny thing is my Macintosh Plus that came with that still boots while modern computers only last a couple of years. Going back to the security concerns makes me think of lock picking. People get really nervous when they see how easy it is to exploit the physical vulnerabilities in a lock (even my 10 year old son does it), but I just remind them that locks are just a false sense of security and we must rely on security in layers versus just slapping a lock on something; in turn my education makes them more secure.

TL;DR
I feel more secure knowing what my vulnerabilities are and either accepting the risk or putting in compensating controls to mitigate them than being ignorant and thinking that there is no risk.

3 Likes

I feel that the horse has already left the barn on this. Last year Massachusetts amended a “right to repair” law to mandate open access to vehicle telemetry data via referendum. The primary argument used against it was “your mechanic will spy on you”, which is basically the same argument as “we can’t give you information because we don’t trust your judgement”. It passed with 75% approval. The argument against was extremely disingenuous since mechanics could get access to most of the data if they paid punitive fees to the manufacturer anyway.

Another thing to keep in mind is the hobbyist community. With any connected device, this community is extremely motivated and capable since it’s filled with technology and security professionals who want access to and control over their own systems and devices. Today we see companies engaged in a cat and mouse battle with these communities, where they blacklist user agents and change client IDs while the community is decompiling mobile apps, setting up MITM SSL inspection, etc. This just creates noise in monitoring and management systems, which prevents the vendor from differentiating between reverse-engineering activity and actual malicious attacks.

1 Like

Yeah, I think that’s the case for a lot of them.

Although I did hear about a few places that suddenly opened up their tools/parts to third party repair shops for the first time in the last year or so. Wonder if it’s related to the Big Happening of 2020 :thinking:

That’s pretty much how I feel about it. It’s not like it’s in their best interest to improve/extend the life of a device, anyway.

Side note, I recently found this site which has a ton of repair guides for cars, PCs, game consoles, etc. so you can DIY stuff. A friend of mine was using it since they had some issues with their Switch and didn’t want to deal with Nintendo.