How do you balance the right to repair with the requirement to remain secure?
Images of jackbooted, militarized cops descending into dimly-lit basements where appliance techs slap grimy, roughshod parts of doubtful lineage together come to mind in the still-simmering fight – yes, it’s a fight – to allow people to work on the tech they already bought and own. You’d think this wouldn’t be a thing: If you buy a device, it’s yours; hopefully you won’t need to repair it, or can have it easily repaired, and the manufacturer can get on with making more new technology for when you’re ready for their next gizmo or gadget. Not so.
Step away from that screwdriver, back away from the digital gizmo, you may be breaking the law. Want to fix a security issue because the manufacturer won’t? That just might be criminal.
Aside from the pseudo-obvious dark imagery of hardened criminals hastily etching out makeshift tattoos in a somewhat non-sterile fashion in the prisons of the world being joined by a fresh batch of fix-it smartphone techs from our malls, the tech industry, in some parts, is arguing that if you lift a screwdriver or 3D-print a replacement gear for the drive on your printer, you risk doing time.
It’s part of a weird dystopian view of what the future might look like, where you really only rent-with-license some new e-doodad and then when it fails you buy new stuff and don’t ask questions.
Well, really, you re-rent the objects you already “bought” via smarmy licensing from the manufacturer. And once they fail, you merely rinse-and-repeat. It’s as if Philip K. Dick met Wall Street, trying to find the bleakest way to increase shareholder value.
But this fills the world with hordes of e-junk in a cycle that shows no promise of slowing. Except the world is fighting back.
Two years ago you bought a dishwasher; now there are no parts to be had for simple, typical appliance repair items like water pumps, drives, or gears. Sometimes they’re glued together so you have to chisel them apart and hope for the best. Open a shop to help others and you’re doomed – watch for the coppers to come lock up your ratchet sets if you step too far into the seedy world of black-market repairs.
But the planet is fighting back; sometimes winning, sometimes not so much.
- In Norway, a one-man repair shop lost a multi-year legal battle against Apple. His crime? Importing recycled iPhone screens to repair phones, which Apple claimed were “counterfeits.”
- Farmers are learning how to reverse engineer their own tractors so they can perform repairs in the field, ranging from trading information in private Ukrainian forums to downloading debugging tools from a CalPoly student project.
- In New York City, independent Apple repairman Louis Rossmann has testified before government multiple times about the right to repair.
EU legislators think high-tech goods should have a 10-year service life with widely available parts, tools and perhaps even repair documentation and are spearheading laws to enforce this. Oh, the sacrilege, if you ask some manufacturers; they say the EU shouldn’t meddle.
Pitting repairability against security
While the right to repair seems like a classic black-and-white situation pitting consumers against manufacturers, it is actually a more nuanced discussion, particularly if the device in question is meant to be attached to a network of some kind.
If so, there are several additional issues that come into play: Any device that utilizes a network connection in some fashion is, by definition, going to be exploitable over that connection.
As technology improves, flaws may be found in cryptographic protocols (or in their implementations), digital signatures may expire, and vulnerabilities may be found in operating systems or the applications that run on top of them. It may be possible to engineer a device with enough processing power, storage and other resources to last for ten years’ worth of updates to fix these types of issues, but there is a larger question of whether the device will still work well after a decade of updates and security patches. And that’s ignoring any additional code required to integrate with new standards, which still may cripple performance.
For IoT devices, these problems are manifest. These types of devices are typically manufactured with the bare minimum of computing power to get the job done today, and rely heavily on the device manufacturer’s cloud for management. Control of the device may be performed by an app on a smartphone. All of these must not just continue to be maintained, but secured as well. And with all of that comes an increasing drain on processing and storage resources.
For devices powered by them, battery technology becomes an issue as well: Rechargeable batteries have finite charge cycles and as they degrade, so does their ability to store energy. This occurs even when they are sitting on a shelf and not being used. Having to keep manufacturing replacement batteries (and storing them in inventory) for a decade may cause an increase in the amount of electronic waste of these types of devices, which can be more difficult and hazardous to recycle than other types of components.
There’s still hope
So, how do we balance the right to repair with the requirement to remain secure? The answer might not be to just allow for devices to be repaired, but to be modular enough that they can be easily upgraded or have various parts reused. This has been common with desktop and server computers since they were introduced. Memory, expansion cards, storage and even processors could be replaced over time as usage demands and requirements change. This used to be true of laptops as well, although the gimmick of making them thinner every year like smartphones and using glue and other repair-unfriendly assembly methods is cause for concern. There are some hopeful signs, though.
For example, in 2016, Google, which owned Motorola at the time, announced Project Ara, a plan to make modular smartphones that could be upgraded in various ways. No products ever shipped, but Motorola eventually released their Moto Z family, which could be expanded by snapping on various backplates called Moto Mods. Fairphone is selling a modular platform, including smartphones you can assemble yourself, and PINE64 has released a smartphone capable of running different versions of Linux. A company called Framework has announced a modular laptop that can be upgraded and repaired, although it is unclear at this time if they will release the technical schematics needed to perform detailed troubleshooting.
While none of these products has achieved mainstream fame, and they come from less well-known vendors (with the exception of Motorola), they do show that there is demand for electronic devices that are repairable, recyclable and upgradeable.
Will it eventually become mainstream? That will be driven by a combination of consumer sentiment and thresholds of infuriation. Stuck in the middle of a field with your e-tractor? You might just find yourself going rogue and reaching for the toolbox. And while we hope you don’t wind up doing time, we also hope manufacturers will focus on the future of innovation, not rearguard actions designed to thwart innovation, experimentation and progress, all while making the devices less secure and speeding their trajectory to the ever-bulging landfills in the name of bogus progress.
written by Cameron Camp, ESET We Live Security