Will ‘Right to Repair’ imperil IoT Security?

In-brief: the firm Pen Test Partners notes that there are security arguments against expanding right to repair laws. But do they stand up to scrutiny? 

We here at Security Ledger have covered the right to repair movement in the U.S. and abroad, where consumer advocates are looking to strengthen legal protections for customers who want to repair or otherwise tinker with software-driven products. That’s because, in the near future, almost every product will be software-driven and we’ve seen evidence, already, that certain manufacturers see anti-piracy laws like the Digital Millennium Copyright Act as a way to squeeze out independent repair shops and lock in lucrative maintenance revenue for the full lifespan of their products.

Already, we see the downside of such schemes, as farmers in the US heartland have resorted to pirated firmware to disable onerous copyright protection and anti-tamper (anti-tinker?) features in their tractors and other farm equipment.

But with expanded “right to repair” legislation in the EU pending, and bills up for consideration in a number of U.S. states, it’s worth asking whether the right to repair is an unalloyed good. That’s a question that the folks over at Pen Test Partners in the UK ask in a blog post published Wednesday. Their answer: ‘almost certainly not.’ From the article:

From a skeptical perspective, this sounds like the manufacturers are trying to go back to the pre-2003 days, where independent servicing of your car would void the manufacturer warranty. But there is a degree of truth in their claims.

From the safety side, with so many complex devices interacting to make life-or-death decisions tens of times a second, it’s easy to see why manufacturers don’t want third-parties modifying their ECUs. Manufacturers are already struggling with code quality issues – see the Toyota unintended acceleration findings – and compounding this with third-party code or aftermarket ECUs makes things even more challenging.

Imagine if a serious car accident involved a vehicle with custom ECU code. How do you determine which ECU caused the problem? Who is liable? Investigating accidents could suddenly become a lot more complex.

From the security side, several high-profile hacks – including the Miller and Valasek remote Jeep takeover and the TenCent Tesla hack – have involved delivering malicious firmware updates. How do you protect a vehicle from malicious firmware updates whilst allowing the owner to make changes?

Car makers will also be investing considerable money developing new features, including driver assist and (eventually) autonomous driving technologies, Pen Test Partners notes. That technology will reside on vehicles and, thus, be available to reverse engineers. “How do you allow users to update the firmware without leaking all the details to competitors,” the company asks.

I’m not so sure. Preventing someone who purchased a $50,000 tractor from repairing their own equipment is wholly different from preventing pirates from ripping a song or Hollywood movie. And we know that the social and economic costs of too much DRM (digital rights management) are high. In addition to all the small repair shops you are putting out of business, you’re heaping costs on purchasers of technology because, owning a monopoly on repair, manufacturers have no incentive to lower their costs. And, while we can all conjure worst-case scenarios in which malicious actors abuse their access to critical components to cause mayhem, there is no guarantee that vendor security features will be sufficient to stop such attacks anyway.

Pen Test Partners sees analogues between connected products, such as smart vehicles, and smartphones, comparing Apple’s restrictive ecosystem with Android’s more open one. As with Android, the risk in making connected products easy to unlock and tinker with is that consumers will make poor or poorly informed security decisions – like the Android user who jailbreaks her phone just to access cracked applications in unofficial Android application stores, which are often sources of malicious code. “How do we distinguish between those who can safely unlock a phone for the purpose of repair/tinkering and those who don’t?”

The message may be to leave it to consumers to figure it out. As with phones, there are consequences to insecure behavior that will become evident to consumers who engage in it. The vast majority of consumers, it is safe to believe, will not. Pen Test Partners’ argument ends up being a somewhat more subtle take on “security through obscurity” – the idea that by keeping the functioning of their devices (cars, appliances, farm equipment) obscure, manufacturers will keep them secure. But history has ample evidence that this is not the case.

Manufacturers are fighting hard against right to repair bills in the U.S., killing off legislation in places like Minnesota. My assumption is that they’re not hiring lobbyists and fighting this hard out of concern for the public, but out of fear for their bottom line. We’ll see what happens in the weeks ahead!

Source: Could ‘Right to Repair’ heighten the risk for IoT and smart devices? | Pen Test Partners
