Consumer advocates and proponents of
right to repair laws in 17 states have a new enemy to worry about.
The Security Innovation Center, with backing of powerful tech
industry groups, is arguing that letting consumers fix their own
devices will empower hackers.*
a survey last week warning of possible privacy
and security risks should consumers have the right to repair their own
devices. It counts powerful electronics- and software industry
organizations like CompTIA, CTIA, TechNet and the Consumer Technology
Association as members.
group’s sponsored survey of more than 1,000 Americans was fielded by
Zogby and suggests consumers are wary of the security of smart home
and other Internet of Things devices. Almost two thirds of American
consumers say that the explosive growth of Internet-connected products
is making them more concerned about their privacy and security,
according to the organization’s survey of 1,015 Americans. A similar
share felt that they would not know if an Internet of Things device
they owned had been compromised, while 84 percent told survey takers
that they value the security of their data over convenience or speed
underlying message in the results is that security, not convenience, is
paramount for consumers of connected devices. That seems tailored to
counter efforts in 17 states to expand consumer protection laws,
giving the owners of connected devices from phones to automobiles the
right to repair them.
In Massachusetts, for example, proposed legislation in the state
House of Representatives is being considered that
would extend an existing state right to repair law for automobiles to
a wide range of consumer electronic devices. Manufacturers would be
required to make diagnostic codes, technical manuals and, in some
cases, software available to both device owners and independent repair
an interview with The Security Ledger, Josh Zecher, the Executive
Director of The Security Innovation Center, acknowledged that Security
Innovation Center’s main purpose is to push back on efforts to pass
right to repair laws in the states.
said the group thinks such measures are dangerous, citing the “power
of connected products and devices” and the fact that they are often
connected to each other and to the Internet via wireless networks.
Zecher said that allowing device owners or independent repair
professionals to service smart home devices and connected appliances
could expose consumer data to hackers or identity thieves.
the legislation we’ve seen, we believe there’s troubling policy in
there,” Zecher told The Security Ledger in a phone conversation. “If
everyone is writing to the (operating system) and doing other patches,
there’s the potential for embedding malware or additional code that’s
not there from the manufacturer.”
whether Security Innovation Center was opposed to consumers having the
right to repair devices they purchased and owned, Zecher said the
group did oppose that right on the grounds of security, privacy and
say ‘It’s just my washing machine. Why can’t I fix it on my own?’
But we saw the Mirai botnet attack last year…Those kinds of products
in the wrong hands can be used to do bad things.” – Josh Zecher,
Executive Director, Security Innovation Center
owners should continue to have multiple options to repair
their products. That is what iFixIt does,” Zecher wrote in an email,
mentioning the popular self-repair website. “However, changes to a
product should not compromise the privacy, security and physical
safety of individuals and businesses.”
warned, for example, that stalkers could commandeer smart home devices
to spy on occupants by taking advantage of open platforms like those
proposed by Right to Repair laws. “Many of the bills don’t exclude
security functions from diagnostic information,” Zecher said, noting
the requirement under many right to repair laws that manufacturers
make diagnostic information from devices available to owners. “That
could allow a reset of security related functions, or you could have
security data lost via mishandling.”
group’s concerns extend to public disclosure of software
vulnerabilities, as well. “In our principles on our website we explain
that ‘the public disclosure of information about product alterations
should be weighed against the public interest of choice, consumer
security, privacy and intellectual property protection,'” Zecher
he said, are less fearful of expensive vendor lock-in than of having
their information stolen from connected devices.
should be free to fix our stuff,” said CalPIRG Director Emily Rusch in
a statement. “But companies use their power to make things
harder to repair. This survey shows that people are clearly looking
for more options to repair their phones.”
of insecure, connected devices like Internet connected cameras,
digital video recorders, home routers and toys pose a security and
privacy risk. With lax oversight of such devices, many
linger online: vulnerable or infected, posing a threat to the
larger online ecosystem.
Zecher said that manufacturers were making progress on security.
Device makers were being “pushed by security experts and privacy
advocates to build security and privacy into the foundation of
products,” he said.
the group iFixit said that many of the
findings of the survey were the result of stilted questions. “I got
the study and the questions were pretty amusingly biased,” Wiens said
noted that the group is seeing progress on right to repair initiatives
at the state level. Washington State’s Right to Repair Bill (HB 2279)
cleared a committee there by a vote of 7-2 and could be voted on this
month. In Massachusetts, right to repair legislation will be heard in
April and is considered “very much alive,” according to a source with
knowledge of the debate.
making good progress,” Wiens said.
(*) Updated with new comments from Josh
Zecher regarding do-it-yourself repair and vulnerability disclosure.