Right-to-Repair: Good or Bad for Cybersecurity?

May 07, 2019

A debate is raging over who has the right to repair electronic equipment without voiding manufacturers’ warranties. On one side, companies such as Apple, Lexmark and Verizon are seeking to quash “right-to-repair” legislation; on the other, supporters of right-to-repair initiatives are accusing the tech industry of scare tactics.

At issue is whether right-to-repair laws may impact cybersecurity considerations. Manufacturers argue that cybersecurity would suffer if unauthorized individuals were allowed to repair devices; however, many cybersecurity professionals consider this claim an overreach. On May 2, cybersecurity advocacy group Securepairs.org issued a statement strongly supporting right-to-repair efforts.

Declaring that “fixable stuff is secure stuff,” the group argues that while manufacturers keep replacement parts, documentation and diagnostic tools secret in the name of cybersecurity, their true intent is to spread fear.

“Keeping the workings of electronic devices secret does nothing to reduce the threat from motivated, resourceful hackers or cyber criminals,” said Joe Grand, a member of the group, security expert and founder of the Grand Idea Studio.

Instead, Grand argues, the practice prevents equipment owners from maintaining and repairing their property as they see fit. “Manufacturers who support right to repair will actually improve, not weaken, security by providing access to documentation and genuine, high-quality replacement components,” he said.

Unsuccessful Attempts

Legislators in about 20 U.S. states have been working on right-to-repair laws. Sen. Elizabeth Warren, D-MA, a presidential candidate, has proposed national legislation. The U.S. Federal Trade Commission plans to hold a hearing on Warren’s proposal in July, but so far U.S. right-to-repair efforts have died on the vine. In May, the Ontario provincial parliament in Canada failed to pass Bill 72, the Consumer Protection Amendment Act, related to right to repair. Media cited “big tech lobbying” as a major reason for the bill failing to pass.

“In every case, these (proposed US state) laws have been killed off in committee by business interests,” Paul F. Roberts of Securepairs.org, editor-in-chief of The Security Ledger, told TechNewsWorld.

A number of nations already recognize right-to-repair for consumers. Apple lost a landmark case in Australia in 2018 regarding the infamous Error 53 affecting its smartphones after consumers had the devices repaired at non-Apple authorized repairers. The European Union enshrined right-to-repair legislation in January 2019 aimed at white goods, but it is unclear how it will affect the tech industry. These initiatives were all passed, albeit with intense lobbying by the tech industry.

Tech companies argue that right-to-repair initiatives will create security and privacy risks. They say manufacturers would be forced to disclose sensitive technical information about products that connect to the internet, including computers, smartphones and video game platforms.

Paul Paget, a cybersecurity consultant for the Security Innovation Center and former CEO of IoT security company Pwnie Express, wrote an opinion column in the Springfield, IL, State Journal-Register opposing a right-to-repair bill in Illinois.

“I’m sure that legislators do not realize it, but the current bill would force manufacturers to publish information that will make it easy for cybercriminals to do things like open your door to a stranger, talk to your child, order products online, and many other nefarious actions,” Paget wrote, arguing such a measure would make IoT implementations less secure.

But many in the cybersecurity community refute Paget’s arguments. Roberts launched Securepairs.org in part to address claims made by Paget and others opposing right-to-repair legislation.

Where do you fall in this debate? Do you feel that right-to-repair legislation will help or hurt cybersecurity in the long run?