Gov. Hochul Got It Wrong on Cybersecurity And Repair

SecuRepairs.org (pron. “Secure Repairs”), a group of information technology and cybersecurity professionals who support a right to repair, celebrates the signing, on December 28th, of New York Senate Bill 4104-A, the Digital Fair Repair Act, by Governor Kathy Hochul.

An End To Big Tech’s 8 Year Win Streak

Governor Hochul’s long-awaited signature making the Digital Fair Repair Act law is a victory for the many individuals and organizations who have been pushing for the enactment of right to repair laws. It also definitively marks an end to an eight-year winning streak by manufacturers and Big Tech firms who, since 2014, have prevented more than 100 pieces of legislation in 40 states from even being voted on by a legislature, let alone signed into law by a governor.

Make no mistake about it: passage of the Digital Fair Repair Act is a watershed and a huge victory for right to repair advocates and a big “L” for technology and manufacturing monopolies that are looking to extend their control over aftermarket parts, service and repair. We should all be happy to see it pass into law. 

A Group Effort

SecuRepairs would like to give credit to those most responsible for this success: the bill’s sponsors in the New York State Legislature, Pat Fahy of the New York State Assembly and state Senator Neil Breslin; Gay Gordon-Byrne and her staff at The Repair Coalition for their tireless work to get the bill through the legislature and negotiate for final passage with Governor Hochul’s staff; US PIRG and Nathan Proctor, its Senior Right to Repair Campaign Manager; and iFixit and Kyle Wiens, who marshaled both energy and resources to fight for passage. We also give thanks to SecuRepairs members who offered their time, expertise and advice to New York legislators and Governor Hochul’s staff to help them understand the truth about the cybersecurity risks facing electronics and why a right to repair and right to repair laws have no impact on cyber risks or attacks.

For Gov. Hochul: Fiction Trumped Fact on Cybersecurity and Repair

While we celebrate passage of the first right to repair law in the country, we are deeply disappointed that passage came at the cost of last minute amendments to the Digital Fair Repair Act that will severely limit its impact and constrain the ability of New York consumers, not to mention New York businesses, schools, hospitals and other organizations to exercise the important new rights enshrined in the law.

We are particularly saddened to see that the Governor, despite being briefed by our members, opted to take lobbyists for manufacturers and Big Tech firms at their word: parroting industry talking points about cybersecurity risks in her signing statement. The Governor celebrated the exclusion of a requirement to provide consumers with “passwords, security codes and materials to override security features” in order to carry out repairs.

As we noted in our written communications with the Governor’s staff and in a face-to-face briefing with Governor Hochul’s staff in October: OEM language about security features will have no bearing on device security or attacks on connected devices. It merely masks transparent efforts by manufacturers to put themselves in the position of deciding who can have access to devices post-sale and, therefore, who can and cannot service, maintain and repair them. That serves their business interests, but will have no impact on the security of deployed devices.

SecuRepairs reminded the Governor’s staff, in our communications, that the Digital Fair Repair Act merely requires manufacturers that already provide such codes and passwords to their authorized repair providers to provide the same information to the owners of covered devices and independent repair providers they may wish to hire.

Looked at another way: manufacturers argued (successfully) that they should be free to share repair information with their business partners, but withhold that same information from their customers, the owners of the devices. That defies belief and the success of that cynical argument with the Governor is a huge blow to the people of New York. 

Repair Information Not A Source Of IoT Attacks

We also explained in detail to Governor Hochul’s staff, during the phone conversation in October, that the kinds of information covered by the Digital Fair Repair Act (schematic diagrams, service manuals, diagnostic software, replacement parts) play little to no role in attacks on connected devices. That is true, as well, of the types of information carved out of the law by Governor Hochul, such as administrative codes needed to accomplish repairs, successfully pair replacement parts and so on.

The vast majority of attacks on Internet-connected devices (home routers, DVRs, webcams, connected equipment, home appliances, etc.) exploit software vulnerabilities (disclosed or undisclosed) in embedded software released by the manufacturer. Alternatively, hackers exploit weak configurations, like default administrative usernames and passwords that are common to devices and (often) publicly known, but never changed. They also frequently exploit exposed communications ports and services (Telnet, UDP, etc.) that are vulnerable to “brute force” attacks, and so on.
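To make the point above concrete from a defender’s side, here is an added example, written for this page and not code from SecuRepairs or any device vendor, that scans a small set of constructed, syslog-style authentication log lines from a hypothetical home router and flags exactly the pattern described: repeated failed logins against an exposed Telnet service, attempts using well-known default usernames, and a login that finally succeeds after that burst. The log format, the service names and the list of default usernames are all assumptions for the sake of illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not a real capture) in an assumed syslog-style
# format: "<service>[pid]: login <failed|succeeded> for '<user>' from <ip>".
SAMPLE_LOG = """\
Jan 12 03:14:01 router telnetd[412]: login failed for 'admin' from 198.51.100.7
Jan 12 03:14:02 router telnetd[412]: login failed for 'root' from 198.51.100.7
Jan 12 03:14:02 router telnetd[412]: login failed for 'admin' from 198.51.100.7
Jan 12 03:14:03 router telnetd[412]: login failed for 'support' from 198.51.100.7
Jan 12 03:14:04 router telnetd[412]: login failed for 'admin' from 198.51.100.7
Jan 12 03:14:05 router telnetd[412]: login succeeded for 'admin' from 198.51.100.7
Jan 12 03:20:11 router sshd[530]: login failed for 'alice' from 192.0.2.44
Jan 12 03:20:40 router sshd[530]: login succeeded for 'alice' from 192.0.2.44
"""

# Regex for the assumed log format above; named groups keep the code readable.
LINE_RE = re.compile(
    r"(?P<service>\w+)\[\d+\]: login (?P<result>failed|succeeded) "
    r"for '(?P<user>[^']+)' from (?P<src>[\d.]+)"
)

# Illustrative list of factory-default account names commonly shipped on
# consumer devices; a real deployment would maintain its own list.
DEFAULT_USERNAMES = {"admin", "root", "support", "user", "guest"}


def parse(log_text):
    """Yield one dict per recognised login event; unrecognised lines are skipped."""
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if match:
            yield match.groupdict()


def analyze(log_text, threshold=4):
    """Return a list of findings, one per source IP whose failed-login count
    reaches `threshold`. Each finding records how many attempts were made,
    which services were hit, which default usernames were tried, and whether a
    login from that source succeeded after the failures (a likely compromise)."""
    failures = Counter()                 # src -> number of failed logins
    services = defaultdict(set)          # src -> services targeted
    users_tried = defaultdict(set)       # src -> usernames attempted
    success_after_failures = {}          # src -> username that eventually got in

    for event in parse(log_text):
        src = event["src"]
        if event["result"] == "failed":
            failures[src] += 1
            services[src].add(event["service"])
            users_tried[src].add(event["user"])
        elif failures[src] > 0:
            # A success that follows a burst of failures is the worrying case.
            success_after_failures[src] = event["user"]

    findings = []
    for src, count in failures.items():
        if count >= threshold:
            findings.append({
                "src": src,
                "failed_logins": count,
                "services": sorted(services[src]),
                "default_usernames": sorted(users_tried[src] & DEFAULT_USERNAMES),
                "succeeded_as": success_after_failures.get(src),
            })
    # Most attempts first, so the worst offender is at the top of a report.
    return sorted(findings, key=lambda f: f["failed_logins"], reverse=True)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Run against the constructed sample, the single finding is the source that hammered the Telnet service with default account names and then logged in as `admin`; the lone failed SSH attempt by a named user stays below the threshold and is not reported. None of the signals this script keys on (an exposed Telnet daemon, factory-default usernames, no lockout after repeated failures) has anything to do with a schematic, a service manual or a parts-pairing code.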

The horrendous state of Internet of Things device security is no secret within the cybersecurity industry. A recent study of the security of IoT devices by Phosphorus Labs, a cybersecurity company, found that 68% of devices studied contained high-risk or critical software vulnerabilities. That’s consistent with a 2020 study by Palo Alto Networks that found that 57% of IoT devices are vulnerable to medium- or high-severity attacks while 98% of all IoT device traffic is unencrypted, exposing personal and confidential data and allowing attackers the ability to listen to unencrypted network traffic and collect personal or confidential information.

These aren’t oversights. Smart electronics are designed, sold and deployed without consideration of security. Manufacturers – to date – pay little or no penalty for such lax business practices.

Repair: Pro Security, Pro Environment, Pro Consumer

In fact, right to repair laws – properly written – will pay security and data privacy dividends. That’s because they will put a check on manufacturers’ “fast fashion” business model, which is predicated on rapid device “refresh” (that is: throw out the old device and buy a new one). That business model produces low quality gear with low quality, vulnerable software and then limits OEM support – post sale – to months or years. For example, Google announced that it is ending support for its Pixel 4 phone just 3 years after its release. Privacy International noted that, under current law, device manufacturers have no obligation to maintain devices for any period of time. This “leav(es) consumers with the choice between an unsecure (sp) device or a new purchase after the expiration date.”

Backed by a robust right to repair law (New York’s law, as amended, falls short of that), consumers will benefit from a robust marketplace for electronics service and repair. That’s because maintaining old, discontinued devices after OEMs have walked away from the table (or gone out of business) is one potential “business model” that a right to repair will foster, while also giving consumers the benefit of more choices, lower prices and shorter wait times for maintenance and repair.

When the information and tools needed to apply security updates (aka “patches”) to devices are democratized, consumers will find it easier to keep deployed electronics safe from attack.

OEMs And Repair: Fox Meet Henhouse

We made all these points to Governor Hochul’s staff. We told them clearly, and from the perspective of cybersecurity experts, that the source of security problems with connected devices isn’t repair but a culture of insecurity among smart device makers, not to mention the absence of laws and regulations that compel action by setting a high bar for connected device security. Tooling, information and parts needed to conduct repairs on devices don’t play a role in “in the wild” attacks on connected systems. The Governor’s carve-out on behalf of the electronics industry will do nothing to make the Internet of Things safer.

Given the industry’s abject failure to produce, deploy and maintain secure device ecosystems, Governor Hochul siding with them in the name of cybersecurity, with her insistence on last-minute amendments to the Digital Fair Repair Act, is worse than letting the fox guard the henhouse. It’s like letting the fox convince you that the hens in the henhouse are dangerous raptors that pose a mortal threat to the farm without close scrutiny by Fox Security Services LLP.

On cybersecurity and repair, Governor Hochul blundered. Badly.

A Victory Worth Celebrating

The amendments pushed by Governor Hochul were onerous and, almost without exception, harmed the interests of New York consumers, small businesses, government and the environment to the advantage of large corporations and Big Tech firms. As offensive as the amendments were, however, supporters of the right to repair decided in the end that – to quote a German proverb – “better a sparrow in the hand than a dove on the roof.”

Despite its many flaws as amended, in other words, getting an electronics bill signed into law in one of the most populous states in the country was a major victory and opens the door to more right to repair bills passing in other states – hopefully with language that is informed by the facts and not OEM fiction on questions of cybersecurity and repair.

SecuRepairs will continue our work to make sure lawmakers have the facts on cybersecurity and repair. We look forward to helping to make the case that a robust right to repair will produce better, not worse, security outcomes for families, communities, and businesses.

We hope lawmakers in other states are open to hearing that argument. Governor Hochul clearly was not.

Paul F. Roberts

Founder, SecuRepairs.org