Consumer advocates and proponents of right to repair laws in 17 states have a new enemy to worry about. The Security Innovation Center, with backing of powerful tech industry groups, is arguing that letting consumers fix their own devices will empower hackers.*
The group released a survey last week warning of possible privacy and security risks should consumers have the right to repair their own devices. It counts powerful electronics- and software industry organizations like CompTIA, CTIA, TechNet and the Consumer Technology Association as members.
The group’s sponsored survey of more than 1,000 Americans was fielded by Zogby and suggests consumers are wary of the security of smart home and other Internet of Things devices. Almost two thirds of American consumers say that the explosive growth of Internet-connected products is making them more concerned about their privacy and security, according to the organization’s survey of 1,015 Americans. A similar share felt that they would not know if an Internet of Things device they owned had been compromised, while 84 percent told survey takers that they value the security of their data over convenience or speed of service.
The underlying message in the results is that security, not convenience is paramount for consumers of connected devices. That seems tailored to counter efforts in 17 states to expand consumer protection laws, giving the owners of connected devices from phones to automobiles the right to repair them.
In Massachusetts, for example, proposed legislation in the state Senate and House of Representatives is being considered that would extend an existing state right to repair law for automobiles to a wide range of consumer electronic devices. Manufacturers would be required to make diagnostic codes, technical manuals and, in some cases, software available to both device owners and independent repair shops.
In an interview with The Security Ledger, Josh Zecher, the Executive Director of The Security Innovation Center, acknowledged that Security Innovation Center’s main purpose is to push back on efforts to pass right to repair laws in the states.
He said the group thinks such measures are dangerous, citing the “power of connected products and devices” and the fact that they are often connected to each other and to the Internet via wireless networks. Zecher said that allowing device owners or independent repair professionals to service smart home devices and connected appliances could expose consumer data to hackers or identity thieves.
“From the legislation we’ve seen, we believe there’s troubling policy in there,” Zecher told The Security Ledger in a phone conversation. “If everyone is writing to the (operating system) and doing other patches, there’s the potential for embedding malware or additional code that’s not there from the manufacturer.”
Asked whether Security Innovation Center was opposed to consumers having the right to repair devices they purchased and owned, Zecher said the group did oppose that right on the grounds of security, privacy and safety.
“People say ‘It’s just my washing machine. Why can’t I fix it on my own?’ But we saw the Mirai botnet attack last year…Those kinds of products in the wrong hands can be used to do bad things.” – Josh Zecher, Executive Director, Security Innovation Center
“Product owners should continue to have multiple options to repair their products. That is what iFixIt does,” Zecher wrote in an email, mentioning the popular self-repair website. “However, changes to a product should not compromise the privacy, security and physical safety of individuals and businesses.”
Zecher warned, for example, that stalkers could commandeer smart home devices to spy on occupants by taking advantage of open platforms like those proposed by Right to Repair laws. “Many of the bills don’t exclude security functions from diagnostic information,” Zecher said, noting the requirement under many right to repair laws that manufacturers make diagnostic information from devices available to owners. “That could allow a reset of security related functions, or you could have security data lost via mishandling.”
The group’s concerns extend to public disclosure of software vulnerabilities, as well. “In our principles on our website we explain that ‘the public disclosure of information about product alterations should be weighed against the public interest of choice, consumer security, privacy and intellectual property protection,'” Zecher wrote.
Consumers, he said, are less fearful of expensive vendor lock-in than of having their information stolen from connected devices.
Other surveys have found strong interest among consumers in do-it-yourself repair and independent repair of electronic devices. A survey of 164 independent repair shops nationally conducted by CALPIRG found a 37% increase in weekly battery replacement service requests in the month from December 20 2017 to January 22 2018, and a more than 100% jump in searches for iPhone repair from California residents during the same period.
“We should be free to fix our stuff,” said CalPIRG Director Emily Rusch in a statement. “But companies use their power to make things harder to repair. This survey shows that people are clearly looking for more options to repair their phones.”
Millions of insecure, connected devices like Internet connected cameras, digital video recorders, home routers and toys pose a security and privacy risk. With lax oversight of such devices, many linger online: vulnerable or infected, posing a threat to the larger online ecosystem.
Still, Zecher said that manufacturers were making progress on security. Device makers were being “pushed by security experts and privacy advocates to build security and privacy into the foundation of products,” he said.
But Kyle Wiens of the group iFixit said that many of the findings of the survey were the result of stilted questions. “I got the study and the questing were pretty amusingly biased,” Wiens said via email.
Wiens noted that the group is seeing progress on right to repair initiatives at the state level. Washington State’s Right to Repair Bill (HB 2279) cleared a committee there by a vote of 7-2 and could be voted on this month. In Massachusetts, right to repair legislation will be heard in April and is considered “very much alive,” according to a source with knowledge of the debate.
“We’re making good progress,” Wiens said.
(*) Updated with new comments from Josh Zecher regarding do-it-yourself repair and vulnerability disclosure. PFR 2/23/2018