Below is the text of opening testimony provided by Paul Roberts, founder of Secure Repairs (securepairs.org), at the July 18, 2023 hearing by the House Judiciary Subcommittee on Courts, Intellectual Property, and the Internet titled “Is There A Right to Repair?”
A video of the hearing is available online.
July 14, 2023
Chair Darrell Issa, Ranking Member Hank Johnson, and Honorable Members of the Subcommittee on Courts, Intellectual Property, and the Internet of the Committee on the Judiciary
Congress of the United States
House of Representatives
2138 Rayburn House Office Building
Washington, DC 20515-6216
Chair Issa, Ranking Member Johnson, and subcommittee members:
My name is Paul Roberts and I am the founder of Secure Repairs (securepairs.org), an organization of more than 350 cyber security and information technology professionals who support the right to repair. I am speaking to you today on behalf of our members to make clear that the fair access to repair materials sought by right to repair laws does not increase cyber risk. In fact, it can contribute to healthier and more secure ecosystems of smart, connected devices.
No Cyber Risk In Repair
Proposed right to repair legislation considered by this Congress such as the REPAIR Act and the Fair Repair Act simply ask manufacturers that already provide repair information and tools to their authorized repair providers to also provide them at a fair and reasonable price to the owners of the devices – and to third parties those owners may hire.
By definition, the information covered by right to repair laws is not sensitive or protected, as evidenced by the fact that manufacturers distribute it widely to hundreds, thousands or tens of thousands of repair professionals working on behalf of their authorized providers. That includes everything from auto mechanics working at dealerships to hourly workers staffing the Geek Squad at Best Buy.
Hacked via schematics? Not a thing.
Also: we have yet to find any evidence that the types of information covered by right to repair laws – schematic diagrams, service manuals, diagnostic software and replacement parts – act as a portal to cyber attacks. The vast majority of attacks on Internet-connected devices – from broadband routers to home appliances and automobiles – exploit weak device configurations or vulnerabilities in embedded software produced and managed by the manufacturer.
An epidemic of hackable stuff
These security weaknesses are epidemic. A recent study of the security of IoT devices by Phosphorus Labs, a cybersecurity company, found that 68% of Internet of Things devices contained high-risk or critical software vulnerabilities.
As an example, I’d like to call attention to the work of a group of independent researchers led by Sam Curry who published a report, “Web Hackers Vs. The Auto Industry,” in January 2023 that disclosed wide-ranging, exploitable flaws in vehicle telematics systems by 16 manufacturers. At a leading GPS supplier to major automakers, the researchers claimed to have obtained full access to a company-wide administration panel that gave them the ability to send arbitrary commands to an estimated 15.5 million vehicles.
Hacks like this take place without any access to repair materials. Nor is there any evidence that providing access to repair software will open doors to new attacks. As an example: a diagnostic routine that identifies a failed component or reveals the operating temperature of a device doesn’t provide access to the kinds of sensitive data that hackers are interested in.
Improve security by empowering owners and independent researchers
We are experiencing an epidemic of insecure, hackable Internet-connected devices. In response, we need a reset. For the last 25 years, Section 1201 of the DMCA has given manufacturers an incentive to deploy software locks widely, and to limit access to security researchers. During that time, many manufacturers have pursued a model of “security through obscurity”: limiting access to their platforms as a stand-in for actually designing and building secure software that can withstand scrutiny.
Section 1201 has also enabled what one researcher has described as “dark patterns” in the design and manufacture of hardware. Those include locking out customers from access to administrative features and practices like “part pairing,” in which manufacturers couple replaceable components like screens, sensors and cameras to specific device hardware. Such schemes make manufacturers and their authorized providers the gatekeepers to repairs, and effectively bar competition from owners and independent repair professionals.
A Right to Repair is key to a secure Internet of Things
As the Internet of Things ages and manufacturers gradually step away from their responsibility to support and maintain deployed products, reforms to Section 1201 and the passage of right to repair laws can nurture a market-based response: a diverse ecosystem of small, aftermarket service providers that step into the shoes of OEMs, supplying needed software updates and security patches, servicing and repairing deployed devices and so on.
Such policy changes will also foster a range of business and employment opportunities up and down the economic ladder.
Repair: Pro-Consumer, Pro-Competition, Pro-Environment
To sum up: federal right to repair legislation like the REPAIR Act and the Fair Repair Act will greatly improve the quality of life for consumers, families, and communities, while promoting small businesses and reducing e-waste throughout the country. On behalf of our more than 350 members, I urge this committee to support the passage of right to repair legislation and reforms to Section 1201 of the DMCA.
I would be happy to answer any questions you may have about cybersecurity and the right to repair.
Paul Roberts | paul [at] securepairs [dot] org