In comments submitted to the Federal Trade Commission, Microsoft Corp. is arguing that repairing its devices could jeopardize the cyber security of Trusted Platform Module (TPM) security chip. Don’t believe them.
The argument comes in an unsigned letter to the FTC from Microsoft and dated May 31st. The statement was submitted ahead of Nixing the Fix, an FTC workshop on repair restrictions that is scheduled for mid-July.
Microsoft was one of a number of companies that submitted comments to the Commission critical of so-called “right to repair” efforts at the state level to legally mandate that manufacturers make diagnostic information, tools and replacement parts available to owners and independent repair professionals.
Scare ’em – just don’t repair ’em
The Redmond, Washington company, which makes a wide range of electronic devices ranging from X-Box gaming systems to Surface laptops said that repair poses a threat to the security of its devices.
“The unauthorized repair and replacement of device components can result in the disabling of key hardware security features or can impede the update of firmware that is important to device security or system integrity,” Microsoft wrote.
Specifically, Microsoft suggests that unscrupulous independent repair technicians with access to its devices could disable the Trusted Platform Module or other security protections.
“If the TPM or other hardware or software protections were compromised by a malicious or unqualified repair vendor, those security protections would be rendered ineffective and consumers’ data and control of the device would be at risk,” the company wrote. “Moreover, a security breach of one device can potentially compromise the security of a platform or other devices connected to the network.”
Please trust Nobody
So, basically, Microsoft is saying there’s a chance that if you give someone your Surface Pro or X-Box to repair, that person could, instead, break into it and siphon your sensitive data. Moreover, if they compromised your device, it could be used to infect other, similar devices like – say – NotPetya.
All of that is undeniably true. Let’s review some other statements that are also true:
- If you give someone your watch to repair, they could instead steal your watch.
- If you invite someone into your home to repair your dishwasher they could, instead, pilfer your jewelry and credit cards.
- If you leave your car at an auto repair shop, they could not fix it and instead take it for a joy ride or use it to commit a crime.
- If you hire a managed service provider to do your network security they could, instead, compromise your network and steal your intellectual property.
In other words: the provisioning of repair or any other commercial service – requires trust between the customer and the service provider. There is, actually, no way to get around this, though you can use contracts to make your expectations clear and impose penalties for bad behavior. You can also use insurance to hedge your risk. Welcome to capitalism.
As we know: firms like Microsoft, Lexmark, LG, Samsung and others use arguments like this all the time and then not too subtly imply that their authorized repair professionals are more trustworthy and honest than independent competitors. But that’s just hot air. They have no data to back up those assertions and there’s no way that their repair technicians are more trustworthy than owners, themselves.
In short, the foundation of Microsoft’s argument to the FTC (and the technology industry’s broadly) is “fear the other.” I know “fear of the other” has a tremendous amount of cultural currency these days, but it is really a crappy foundation for making public policy. Hopefully the FTC recognizes this, as well.
TPM FUD Busting: the Redmond Mix
As for the underlying argument about repair threatening Microsoft’s device security model? Well, that’s wrong, also.
First, it’s worth recalling how the TPM works. The TPM – or Trusted Platform Module – is a secure, tamper-proof cryptographic chip that is installed on many modern desktop, laptop and mobile devices. The TPM technology isn’t owned by any one company. Rather, its a standard developed by a consortium of companies known as the “Trusted Computing Group.” A number of companies make TPMs including Intel, ATMEL, Infineon and others.
What do TPMs do? Basically, each TPM is manufactured with a unique RSA key burned in. That becomes a hardware (vs. software) -based “root of trust,” and ensures the integrity of other software and hardware installed on the system with the TPM. TPMs carry out cryptographic operations on the system, like generating, storing and provisioning cryptographic keys on the device, managing device authentication and so on.
As Microsoft notes in its excellent write up on TPMs: they are mostly used for system integrity measurements and for cryptographic key creation and use. In the last 10 years, Microsoft, Google, Apple and other device makers have made heavier use of TPMs during the boot process to make sure that the boot code that is loaded such as device firmware and the resident operating system are authentic and have not been compromised by malware. In general, TPMs make it much, much harder for malicious actors to subvert the integrity of the operating system and applications.
As for Microsoft’s contention about the TPM being jeopardized by repair – I’m not sure what they’re getting at. There’s nothing inherent in repair or the things called for in right to repair laws like providing diagnostic software, diagnostic codes, schematics and replacement parts that puts the integrity of the TPM or the trust model it anchors at risk. Nor does the TPM require that the devices it secures remain pristine: using the same hardware and software configuration as when they were sold by the OEM.
After all, TPMs are in Dell computers. Dell makes diagnostic software and diagnostic codes and schematics available for their hardware and I haven’t heard Microsoft or anybody else suggest that a TPM on a repairable Dell laptop is any less secure than the TPM on an unrepairable Microsoft Surface.
In fact, Microsoft itself has been promoting the TPM while putting its Windows operating system and Office software on TPM enabled desktops and laptops that allow owners to add, remove and service hardware and software components with abandon. At no time did the company suggest that changing the configuration of the system undermined the security of the TPM.
As for hacking the TPM? TPM hacks certainly exist, but they’re not for the faint of heart. One of the more recent involved researchers (and I quote) “abusing power interrupts and TPM state restores to obtain valid hashes for components involved in the boot-up process, which the attacker then feeds back to the same SRTM-configured TPM, tricking it into thinking its running on non-tampered components.”
In other words, if the rogue independent repair technician trying to grab data or pictures off your Surface Pro also happens to have a Ph.D in computer science or physics and the resources of a university lab behind her, you might have something to worry about. Otherwise, not so much.
The secret life of Epoxy
The difficult thing is that Microsoft’s arguments, while cynical, aren’t preposterous. As fellow Securepairs supporter Mr. Gary McGraw pointed out to me in a recent conversation: if Microsoft wants to design its hardware so that it can’t be repaired, or so that simple repairs “break” the security model of the device, they can do that.
“It depends on your security goals,” says McGraw. “You can’t really say that there aren’t any security goals that might be met by, say, gluing stuff together. Because there are a number of hardware based attacks that you can address by trying to prevent people from tampering with the hardware.”
OEMs like Microsoft can tamper proof their design in any number of ways: by where they seat the chip inside the device; by what components they put on top of it; by how many layers they have in the chip and how many nanometers apart they are.
“All those decisions are design decisions,” notes McGraw. “And they may meet your goals of ‘Well, I want this to be tamperproof because this is where I store cryptographic material that are important for certain aspects of this security design.’ The real challenge is that it is probably possible to do a different security model that doesn’t require that tamper proof capability in order to get done what you want to get done.”
The problem is that there is enough squishiness around these questions that, in essence, Microsoft, Apple and other OEMs can just make an argument that their security model requires their devices to be “tamper proof” and un-serviceable. Debating that will quickly lead into a technical thicket involving cryptography and secure processor design and the quirks of the OSI stack that few technology professionals, let alone state lawmakers want to enter.
What this means for right to repair
From the standpoint of a right to repair advocate, I actually think Microsoft’s argument about needing to preserve the integrity of its devices is mostly besides the point. There’s plenty of hand waving and portentous talk there to scare FTC folks, which is probably what they intended. Substantively, though, their arguments don’t really undermine the core argument being made by right to repair advocates.
In short: if Microsoft wants to make devices that nobody can service and repair without breaking their security model, they’re entitled to do that. They can make Surface Pros so hardened and tamper proof that merely opening them will destroy them.
What they can’t do is make devices that are repairable, and then lock out everyone but their own service technicians. In short: if its safe and possible for a Microsoft authorized technician to service a Surface Pro, then it is safe and possible for an owner of the device to do so, or an independent repair technician. Full stop.
In other words, Microsoft can’t have its repair cake and eat it too: it can’t argue that it designs hardware to be long lived and repair-able, then arbitrarily constrain the rights and ability of its own customers to service their own property, using security and safety as their argument.
Conversely, it can’t argue in good faith that its devices are just too sophisticated, tamper proof and secure for owners to service, but then make tools, diagnostic codes and schematics available to their authorized techs to service them.
That’s the anti-competitive (and I would argue “anti social”) behavior that right to repair laws address. Noodling arguments about TPMs do nothing to blunt the force of that argument.