Security and the right to repair collide at DefCon

A DEF CON® Hacking Conference demonstration highlighted the collision between the popular right-to-repair movement and the equally popular demand for secure electronic devices. It also pits the cybersecurity industry against the device-makers in a battle over who controls the market.

An Australian hacker called Sick Code showed how he could access code in John Deere farm equipment through the touch screens. The stated purpose was to let farmers modify and repair the equipment themselves, in support of the right to repair. At the same time, it revealed a path for a hacker to take control of the system.

Conflicting goals

The tech industry claims that allowing users or unauthorized repair shops to repair internet-connected devices (ICT) without voiding warranties makes those devices vulnerable to ransomware attacks: data can be stolen and devices can be infected with malware. The industry also believes such devices would be more exposed to remote attacks.

Industry lobbyists lost the argument in New York State, which passed a right-to-repair law. It is still an uphill fight in California. Senate Bill 393 represented the most comprehensive attempt to allow people to get devices repaired rather than replaced. The bill, however, died in committee in May with a rare unanimous bipartisan vote.

The advocates for the bill claimed the committee members caved to pressure from the tech industry and pointed to a 2021 FTC report discounting the industry’s argument. The argument was that independent repair shops could plant malware and steal personal information from devices. That was an admittedly shallow argument. The FTC pointed out that authorized repair shops were just as likely to do the same, but there had been no evidence of that actually happening.

That, however, is not quite true. One of the big stories of 2020 was Hunter Biden’s laptop. An authorized repairman downloaded the data from the device and sold it to the Trump campaign. There is evidence that the contents were manipulated with the help of Chinese nationals to embarrass the Bidens.

But from a cybersecurity aspect, that isn’t the point.

Legacy of negligence

ICT security is a design afterthought dealt with by software patches. The problem is that if a human can devise a defense, a human can find a way around that defense, intentionally or by accident.

A 2019 report from the Carnegie Endowment for International Peace explained, “The technologies are mostly dual use, in that they can be used as much to serve malicious or lethal purposes as they can be harnessed to enhance social and economic development. Most of them are inherently vulnerable to exploitation and disruption from both near and far.”

In the cybersecurity industry, however, there is strong support for the right to repair.

Walled gardens

“This security hot take is an industry straw man designed to protect the value of the customer revenue,” said Ian Thornton-Trump, CISO for Cyjax. “I support the right to repair. It’s more environmentally friendly than replacement, allows for a supply chain of repair shops, and can build a community of mod’ers.”

Thornton-Trump is not wrong. Apple has made a great deal of money keeping customers within its “walled garden.” On the other hand, Microsoft created an entire profitable supply chain of vendors dedicated to setting up, updating, and repairing poorly designed products. That model is very good for the cybersecurity industry.

“The modern threat is the data on the device and not the device function itself,” Thornton-Trump explained. “From the security discussion, it seems a diversion and begs the question: are we really wasting our time about what kind of proprietary screwdriver you need to open the damn thing?”

John D. Flory III, CISO for Harbor Security, agreed. “Complete visibility is an absolute must in today’s environment. ICT introduces a new set of challenges for us. AI, deep learning, autonomous anomalistic detection, and response with human verifiable resources to validate are our best forms of defense.” Amazingly enough, all of those defenses are the primary products of the cybersecurity industry.

“Not my problem”

Nathan Proctor, senior right-to-repair campaign director for the California Public Interest Research Group (CALPIRG), admitted that putting the right to repair before the right to security may be putting the cart before the horse. “The devices should be designed to be secure. These products are massively deployed and undersecured,” he said. “But that’s not my problem.”

In the end, the ICT suppliers created this situation themselves. They build and sell products that are expensive and require users to be as tech-savvy as any computer scientist. From a consumer perspective, buying a new product every time a new device is released is unsustainable. The right-to-repair movement is a natural outgrowth of decades of designed-for-failure products.

“My view is to protect the data on the device with robust security controls, a minimal attack surface, and best practices,” Thornton-Trump concluded. “Stop with the dumb arguments when it comes to the right to repair. Vendors look stupid making this argument.”

Lou Covey is the Chief Editor for Cyber Protection Magazine. In 50 years as a journalist he has covered American politics, education, religious history, women’s fashion, music, marketing technology, renewable energy, semiconductors, and avionics. He is currently focused on cybersecurity and artificial intelligence. He published a book on renewable energy policy in 2020 and is writing a second one on technology aptitude. He hosts the Crucial Tech podcast.