securepairs.org (https://securepairs.org): IT and cyber professionals for a fixable future.

A Right to Repair Isn’t a Cyber Risk. It’s a Cyber Imperative!
https://securepairs.org/a-right-to-repair-isnt-a-cyber-risk-its-a-cyber-imperative/
Mon, 12 Jan 2026 12:00:00 +0000

Colorado is the only state with a strong right to repair law covering business-to-business technology. In this podcast, learn why servicing and repairing business technology is crucial for cybersecurity and resilience. Tune into our podcast with industry experts Billy Rios and Andrew Brandt, along with Danny Katz of Colorado PIRG.

When opponents of proposed right to repair laws talk about cybersecurity, they usually sound ominous: opening up access to service manuals, software updates, or diagnostic tools will somehow invite hackers in. But talk to actual cybersecurity experts and you get a very different story. A vibrant and healthy market for repair isn’t a cybersecurity risk. In fact, it should be considered a cybersecurity imperative!

That was the message of a recent podcast discussion I hosted about a ground-breaking law that took effect January 1st: the state of Colorado’s right to repair law, which extends to technology sold in so-called “business to business” (B2B) transactions, aka “enterprise IT.”

I was joined in the studio by Billy Rios, a world-renowned security researcher and co-founder of QED Secure Solutions, and Andrew Brandt, a noted cybersecurity expert and one of the main forces behind the new non-profit Elect More Hackers. Also joining us was Danny Katz, the Director of the Colorado Public Interest Research Group (COPIRG), a guiding force behind the passage of Colorado’s electronics right to repair law.

Andy, Billy, Danny and I had a wide-ranging conversation on the cybersecurity impacts of right to repair laws: whether they create cyber risk, as electronics industry groups like TechNet argue, or whether the opposite is true: that a right for technology owners to repair their property is an essential part of modern cyber defense.

There was a clear consensus: a right to repair isn’t a cyber risk. The real cyber risks to businesses in Colorado and elsewhere come from vendors’ poorly built and maintained software, rife with exploitable vulnerabilities and insecure configurations, and from customer “lock in” that makes service and repair expensive and hard to come by.

Podcast: The Right to Repair Business-to-Business Technology (Recorded Nov. 19th 2025)

Cybersecurity Depends on Repair

I opened our conversation by stating the obvious: the right to repair is often discussed in the context of phones or home appliances, but the stakes are just as high in enterprise technology: servers, routers, switches, firewalls, and industrial control systems that run modern businesses. These enterprise IT systems are the backbone of modern businesses and critical infrastructure, representing trillions of dollars in global economic activity.

In Colorado—the only state with a robust right to repair law covering business technology—those systems underpin hundreds of thousands of jobs. Preventing organizations from repairing or maintaining them or hiring independent professionals to do so isn’t just costly; it directly undermines resilience.

If you can’t fix or service critical equipment quickly, securely, and locally, you end up running outdated, unpatched systems. And in cybersecurity, vulnerable, unpatched systems are the low-hanging fruit attackers love.

Danny Katz from Colorado PIRG talks about the many ways that manufacturers complicate even basic repairs like fixing a fan, power cord, or motherboard component by requiring special codes for parts authorization. These unnecessary barriers, often erected in the name of preventing the use of stolen or pirated parts, mostly serve to prevent business-to-business repair facilities from performing straightforward fixes, with broad implications for businesses. Imagine, Katz said, if you could only bring your car to the dealer you bought it from for service and maintenance.

Hackers Aren’t Waiting for Repair Manuals

Billy Rios brought a cybersecurity expert’s perspective. Having spent years breaking into systems—from medical devices to power infrastructure—he’s seen firsthand how vulnerabilities actually get exploited. Attackers don’t need repair manuals or diagnostic software. They reverse-engineer firmware, buy equipment on secondary markets, or exploit known flaws that vendors never fixed.

Locking down repair access won’t stop attackers. It mainly blocks defenders. Rios emphasized that many of the most serious vulnerabilities he’s uncovered existed because manufacturers tightly controlled access while failing to invest in long-term security maintenance. When only the vendor can repair a system, and they don’t, the risk compounds over time, especially since cybercriminal and state-backed hacking crews have already obtained, and found their way into, the software and firmware they are interested in.

Transparency Makes Systems Safer

Andrew Brandt zoomed out to the policy level. In cybersecurity, transparency is a feature, not a flaw. The industry has learned—sometimes the hard way—that hiding system internals doesn’t make software or hardware safer. It makes weaknesses harder to find and easier to exploit silently.

Brandt noted that independent researchers, repair technicians, and security professionals all play a role in discovering flaws before attackers do. Right to repair laws expand that ecosystem of scrutiny and accountability.

From a workforce perspective, this matters too. We already face a shortage of skilled defenders. Restricting who can legally interact with or analyze systems only shrinks the pool further.

Who Benefits from the Fear Narrative?

A recurring theme in the discussion was skepticism about who’s pushing the “repair equals risk” argument. Large manufacturers often frame right to repair as a cybersecurity issue, but the incentives are clear: controlling repair preserves lucrative service monopolies and keeps customers locked in.

The same companies warning about hypothetical cyber threats are often slow to patch known vulnerabilities or support aging hardware. In that context, invoking “critical infrastructure risk” looks less like security stewardship and more like market protection.

Security Through Obscurity Is Failing. Repair Is Part of the Fix.

The takeaway from the conversation is blunt: in a world of constant cyber threats, the ability to repair, maintain, and update systems is not optional. It’s foundational.

Right to repair doesn’t weaken security. It strengthens it by:

  • Reducing downtime and exposure from unpatched systems
  • Enabling faster incident response and recovery
  • Encouraging independent security research and oversight
  • Increasing competition and accountability among vendors

For businesses and critical infrastructure operators, repair isn’t a liability. It’s a line of defense.

CES: AI-Powered Exercise Equipment Wins “Worst In Show” For Cybersecurity
https://securepairs.org/ces-ai-powered-exercise-equipment-wins-worst-in-show-for-cybersecurity/
Thu, 08 Jan 2026 20:11:04 +0000

It’s January and that means one thing: the CES Worst In Show awards. If you’re not hip to Worst In Show, it’s an effort by those of us who care about things like consumer rights, cybersecurity and sustainability to pull back the covers a bit on the firehose of glowing press releases and “cool new technology” unveilings that happens every January at the Consumer Electronics Show (CES) in Las Vegas.

Together with groups like iFixit, PIRG, the Electronic Frontier Foundation and Consumer Reports, not to mention leading thinkers like Cory Doctorow, Secure Repairs looks to highlight the less celebrated qualities of “cool new stuff”: privacy violations, lack of repairability, environmental harm, as well as just “who the heck asked for this?!”

You can watch the full awards presentation here:

And then there are the cybersecurity risks. Secure Repairs is in its fifth year as one of the Worst In Show judges. Our past Worst in Show picks for cybersecurity include hackable home routers by TP-Link and sensor-rich but insecure robot vacuums by Ecovacs.

Worst In Show For Cyber: MERACH Ultra Tread

Which brings us to this year’s CES “Worst in Show” winner when it comes to cybersecurity. The award for 2026 goes to MERACH, a China-based company that makes home exercise equipment. At CES this week, MERACH unveiled its latest product: the MERACH Ultra Tread—a series of home treadmills featuring a built-in conversational AI coach.

The MERACH Ultra Tread, an LLM-powered treadmill.

You Can’t Spell Privacy Without AI?

It’s 2026. Smart home exercise equipment is commonplace. Whether it’s Peloton’s high-end stationary cycles or Tonal’s “all in one” wall-mounted home gyms, internet connectivity, sensors, and now large language model (LLM) AI are standard features. What’s left unsaid is how these common features significantly raise the security stakes for the equipment manufacturers.

It goes without saying that sensor-rich, Internet-connected exercise equipment that collects personal and financial information as well as biometric and health data is a rich potential target for malicious actors. Add large language model AI to the equation and the risks only get more concerning, given the way AI can correlate data and draw inferences from the wealth of information that seemingly innocent devices like treadmills and stationary cycles collect.

A Bomb In the Privacy Policy

Which brings us to MERACH’s Ultra Tread, an “LLM-powered treadmill.” While the inner workings of the Ultra Tread’s firmware and MERACH’s accompanying apps are almost certain to contain security risks (they’re common in smart home products), we need look no further than MERACH’s official privacy policy to conclude that this product deserved this year’s “Worst in Show” title for cybersecurity.

In compliance with data privacy laws such as California’s consumer privacy law, Merach’s privacy policy provides details about the great variety of data its devices collect from customers.

Privacy Policy for Merach fitness devices. (Merach.com)

But, in the section of the Privacy Policy related to security, the company makes a startling confession: “we cannot guarantee the security of your personal information.”

Yes, Merach says it tries to secure the data it collects, employing “a number of technical, organizational, and physical safeguards designed to protect the personal information we collect.” “However,” Merach goes on, “the security risk is inherent in all internet and information technologies and we cannot guarantee the security of your personal information.”

This striking admission highlights a level of vulnerability that is concerning for a product intended to be part of a user’s daily routine. And it does not seem to be the norm. For example, Peloton, another maker of smart, Internet connected home exercise equipment, has a far more comprehensive and nuanced take on data privacy and security. On the issue of the “Security of Your Information,” Peloton’s Privacy Policy reads:

“We take steps to ensure that your information is treated securely and in accordance with this Privacy Policy. We maintain commercially reasonable administrative, technical and physical safeguards (which vary depending on the sensitivity of the personal information) designed to protect against unauthorized use, disclosure or access of personal information.” – Peloton Privacy Policy

Is that a guarantee? Absolutely not. And the fate of data stored on Peloton and Merach devices may be the same. But Peloton’s statement at least makes clear that the company is not ‘tossing in the towel’ and takes the job of protecting its customers data seriously.

Watch my presentation of the award here:

Why This Matters

In an era awash with data-hungry smart devices and the accompanying data breaches, security is paramount. As Secure Repairs has made clear: the responsibility falls on manufacturers to ensure robust protection mechanisms are in place. Products such as the MERACH Ultra Tread, with capabilities to collect extensive data including health and biometric information, should meet the highest standards of cybersecurity to ensure consumer safety.

The company may simply be ‘saying the quiet part out loud,’ as the saying goes. But the failure to guarantee data protection exposes users to potential risks, from identity theft to privacy invasions.

This year’s “Worst in Show” decision serves as a warning to consumers to dig deeper into the smart products you are considering buying. And it is another critical reminder for manufacturers about the importance of cybersecurity. As technology continues to integrate deeper into our personal lives, the standards for privacy and data protection must evolve correspondingly. Products that do not meet these standards will face scrutiny and consequence.

For those attending CES and engaging with the latest tech innovations, it’s a reminder to prioritize asking difficult questions about data security and privacy for every product showcased. Let’s strive for a secure and resilient future together!

Secure Repairs Joins Amicus Brief Supporting Massachusetts Vehicle Right to Repair Law
https://securepairs.org/secure-repairs-joins-amicus-brief-supporting-massachusetts-vehicle-right-to-repair-law/
Mon, 10 Nov 2025 13:00:00 +0000

FOR IMMEDIATE RELEASE

Boston, MA — November 9, 2025 — Secure Repairs, a coalition of more than 400 cybersecurity professionals advocating for the right to repair, has joined leading organizations in filing an amicus brief urging the U.S. Court of Appeals for the First Circuit to affirm a February, 2025 ruling by a district court judge that rejected efforts by the auto industry to declare Massachusetts’s 2020 Right-to-Repair law a violation of federal authority.

The brief, filed on September 24th, 2025 and signed by iFixit, Repair.org, The U.S. PIRG Education Fund Inc., Securepairs.org, Professor Jonathan Askin and The FULU Foundation, supports the Massachusetts Attorney General in Alliance for Automotive Innovation v. Andrea Joy Campbell, Attorney General for the Commonwealth of Massachusetts, before the U.S. Court of Appeals for the First Circuit. The brief asks the Appeals Court to affirm the February, 2025 Federal District Court ruling, which holds that Massachusetts’s 2020 R2R law is not preempted by the Motor Vehicle Safety Act and instead fits alongside federal vehicle safety and cybersecurity rules.

The lawsuit in question was filed in December, 2020 by the auto industry group The Alliance for Automotive Innovation shortly after Massachusetts voters overwhelmingly approved a ballot measure that expanded the state’s existing automotive right to repair law to give vehicle owners and independent repair shops access to the wireless telematics data needed to maintain and repair vehicles.

A lawn sign advocating for passage of Ballot Measure 1, expanding the Massachusetts Auto Right to Repair law, in 2020. Almost three quarters of voters (74%) approved the measure. (Image by Paul Roberts)

Among the key points made in the amicus brief is that there is no security in obscurity, and that the automakers’ argument that restricting access to telematics and diagnostic data enhances vehicle cybersecurity and safety is not backed by facts.

And, as Secure Repairs members have noted in testimony at both the state and federal level: the automakers’ position conflicts with mainstream information security practices that emphasize the importance of transparency.

Despite the auto industry’s “black box” approach to software design, real-world car hacks are common and do not rely on access to the data covered by the Massachusetts automotive right to repair law – data that is critical for vehicle repairs. In fact, shutting owners and independent repair pros out doesn’t meaningfully reduce cyber risks but does allow vulnerabilities to linger.

Events in recent years underscore that automakers’ eagerness to restrict access to maintenance and repair data has not benefitted vehicle cybersecurity. Incidents such as the 2015 remote hack of a Jeep Cherokee by researchers Charlie Miller and Chris Valasek, as well as more recently disclosed flaws such as those affecting Kias and a wide range of other vehicles, make that clear. None of them depended on repair data.

The brief also makes the case that granting access to data and promoting safety are not diametrically opposed. In fact, existing federal and state regulations already require both strong security and consumer access to data including laws governing electronic health records, credit reporting, and telephone call records. In each, federal rules mandate authentication, auditing, and controls without locking consumers out of their own data. The same balance can be struck for vehicle telematics, the brief states.

In the end, a strong right to repair preserves a longstanding right of owners to maintain what they bought and own; it checks aftermarket monopolies (e.g., firmware locks, VIN-binding, part serialization), lowers prices, improves service availability and turnaround, stimulates innovation (user-led fixes and mods), supports small repair businesses, and reduces waste. Massachusetts voters strongly backed the 2020 measure, with nearly three quarters of voters (74%) voting in favor of the ballot measure. In the past five years similar laws have spread nationwide, underscoring the stakes if preemption were accepted.

Secure Repairs is honored to have been a contributor to the amicus brief. “Repair restrictions aren’t just a consumer issue — they’re a cybersecurity issue,” said Paul Roberts, the founder of Secure Repairs. “When manufacturers lock down repair tools and information, they make it harder for users and independent professionals to fix vulnerabilities, maintain devices, and keep systems secure. We need repair policies that make technology safer, not more fragile.”

Secure Repairs’ participation in the amicus brief builds on its ongoing advocacy for public policy that recognizes repair as a cornerstone of cybersecurity. Founded in 2018, the group brings together information security professionals, academics, and technologists who recognize that transparency and access to repair information are essential to protecting users and systems alike. Secure Repairs has supported legislative and regulatory efforts across the United States to balance manufacturers’ interests with the public’s right to maintain, repair, and secure their own technology.

“Secure Repairs’ mission has always been to connect the dots between right to repair and cybersecurity,” Roberts said. “The same principles that make software secure — openness, testing, and transparency — also make repair safe and reliable. This brief makes that case clearly.”

For more information on Secure Repairs’ advocacy and to read the full amicus brief, visit securepairs.org.


About Secure Repairs
Secure Repairs is a coalition of information security professionals, researchers, and technologists advocating for policies that recognize repair as fundamental to cybersecurity and consumer protection. Founded by journalist and security researcher Paul Roberts, the organization works to advance secure, transparent, and sustainable technology repair practices.

Media Contact:
Paul Roberts, Founder
Secure Repairs
paul (at) securepairs (dot) org

Statement on Ruling Upholding Massachusetts Auto Right to Repair Law
https://securepairs.org/statement-on-ruling-upholding-massachusetts-auto-right-to-repair-law/
Wed, 12 Feb 2025 16:26:15 +0000

Secure Repairs, an organization of cyber professionals that support the right to repair, applauded a ruling by a federal court in Massachusetts upholding the state’s automotive right to repair law. Secure Repairs member Craig Smith provided expert testimony in the case in support of the law.

Secure Repairs applauds Tuesday’s ruling by US District Court Judge Denise J. Casper to reject a lawsuit filed by the Alliance for Automotive Innovation challenging the state’s automotive right to repair law.

Judge Casper’s prompt ruling in the case, which upholds the legality of a 2020 ballot measure that expanded the Massachusetts auto right to repair law to give vehicle owners access to the wireless data needed for vehicle repair and maintenance, respects the will of the 74% of Massachusetts voters who approved the ballot measure in November, 2020.

“This ruling has been a long time coming. We at Secure Repairs are happy to see that Judge Casper saw through empty arguments by the auto industry regarding cyber risks in vehicle repair and endorsed the will of Massachusetts voters,” said Paul Roberts, the founder of Secure Repairs.

Expert defeats industry lies about repair and cyber risk

Secure Repairs would also like to thank Craig Smith, a Secure Repairs member and expert in the cybersecurity of vehicle systems. Craig donated his time to provide expert testimony at the request of the Massachusetts Attorney General, using his deep knowledge of telematics and cybersecurity to defuse erroneous auto industry arguments that access to repair data via vehicle telematics systems posed a cybersecurity risk. Craig’s testimony in 2021 was critical to the court’s understanding that a system for providing owners and independent repair professionals secure access to telematics data for the purposes of repair and maintenance is achievable, and that industry arguments that it was “impossible” to build had no basis in reality.

“The ability to send commands to in-vehicle components can be given in a way that preserves security and enables independent shops and vehicle owners to make necessary repairs,” Mr. Smith testified.

“Craig’s testimony helped win the day. We here at Secure Repairs are deeply thankful to him for donating his time and cyber expertise on behalf of Massachusetts voters and defending our right to repair our stuff,” said Paul Roberts, the founder of Secure Repairs. “Bay State car owners who visit their corner repair shop, or repair their own vehicle in their driveway in the years ahead should tip their hat to Craig for his help defeating auto industry lies about cyber risk and repair that threatened to rob them of their right to decide who gets to fix their car.”

At issue in the case was whether the expanded automotive right to repair law’s call for a standardized, independent system for accessing vehicle telematics networks posed a cybersecurity risk, or ran afoul of federal auto safety laws.

Craig testified that automakers were fully capable of building such a system, and that providing a standardized platform for access by independent repair shops and vehicle owners would not increase cybersecurity risks. Even noted auto cyber expert Bryson Bort, who testified on behalf of the auto industry, agreed that manufacturers could build such a secure system if they devoted the needed time and resources to modifying vehicle telematics architectures to comply. In fact, automakers already possess the needed ingredients for such a system. Trial evidence showed that preexisting defined diagnostic functions used by companies like GM and FCA (Fiat Chrysler), together with the preexisting Unified Diagnostic Services (UDS, ISO 14229) protocol, would hasten the creation of the vendor-neutral telematics platform called for by the law.

Auto industry cyber practices: a dumpster fire

While automakers pound their chests in the courtroom about their high standards for cybersecurity and commitment to data privacy, a string of reports by security researchers has exposed gaping holes in the cybersecurity of vehicle telematics systems in the months since the AAI filed its lawsuit in late 2020.

Those include a string of reports by the researcher Sam Curry, including the 2023 report Web Hackers versus the Auto Industry, and a report published in January 2025 that documented a now-patched flaw in Subaru’s STARLINK connected vehicle service that allowed him to access vehicle location information and driver data for millions of cars with nothing more than the vehicle’s license plate number, or the owner’s last name and ZIP code, email address, or phone number.

Add to that the September, 2023 report from the Mozilla Foundation that declared cars “the Worst Product Category We Have Ever Reviewed for Privacy.”

As the Alliance for Automotive Innovation looks to appeal this case, Secure Repairs hopes that future courts look at the consensus among cybersecurity experts about the ability of OEMs to comply with the law, as well as the larger background of widespread industry disregard for accepted data- and application security practices as they weigh that appeal.

Secure Repairs: Cyber pros fighting for a right to repair

Since 2019, Secure Repairs members have donated their time and energy to advocate for a legal right to repair, and to dispel industry lies that repair poses a cybersecurity risk: testifying at countless state houses, the FTC’s 2019 Nixing the Fix symposium, and before the US Congress. Our members have provided powerful testimony that dispels the notion – promoted by industry – that a right to repair our stuff poses cybersecurity risks. Secure Repairs members make it clear that manufacturers have the knowledge and wherewithal to build smart devices that are both cyber secure and support owner- and independent repair – dispensing with harmful and expensive repair monopolies or “disposable tech” favored by industry.

Secure Repairs will continue its work to inform policy makers and the public about the true nature of cyber risk in the smart, connected stuff that populates their homes, workplaces and public spaces. The source of that risk? Low quality software and a lack of incentives for software publishers to prioritize security and data privacy over cool features and time to market.

Repair is not a cyber risk.

Paul Roberts, Founder
Secure Repairs
paul (at) securepairs (dot) org
Signal: paulroberts.18

CES: TP-Link Earns The Worst In Show For Cyber
https://securepairs.org/ces-tp-link-earns-the-worst-in-show-for-cyber/
Thu, 09 Jan 2025 13:23:12 +0000

Secure Repairs had the honor (?) of awarding the CES Worst In Show for cybersecurity at this year’s ceremony. The winner: Chinese SOHO router giant TP-Link.

Well, it’s that time of year again – the start of a new year, which means one thing if consumerism is your thing: the annual Consumer Electronics Show (CES), which kicked off this week in Las Vegas.

Every year, with holiday wrapping paper still strewn about homes, CES brings thousands of vendors and tens of thousands of attendees to the Las Vegas Convention Center to tout the latest toys, home appliances, television sets and other gadgets destined for the shelves (virtual and physical) of retailers. It’s an orgy of consumerism: a celebration of cutting-edge tech, “OMG!” features and cool product design, with rivers of “Best of CES!” coverage in the mainstream media, on gaming

Less talked about: restrictive product designs that frustrate repairs, lax data collection and protection that violates consumer privacy and, of course, balky software that makes smart, connected devices easy prey for hackers.

That’s why, for the past few years, a few of us fighting for a more secure, resilient and sustainable future have gathered on the edges of CES to make our choices of the “Worst in Show” – a ceremony that highlights some of the consequences of our current obsession with tech.

This year’s Worst In Show features Cindy Cohn of the Electronic Frontier Foundation, who awarded the product with the worst privacy; Stacey Higginbotham of Consumer Reports, who awarded the CES product with the worst environmental impact; Kyle Wiens of iFixit, who awarded CES’s least repairable product; Nathan Proctor of PIRG, who awarded the (esteemed) “Who Asked for This?!” award; and Gay Gordon-Byrne of Repair.org, who anointed the overall “Worst in Show for CES.”

As in past years, Secure Repairs founder Paul Roberts was chosen to nominate the worst in show on the issue of cybersecurity. The winner: TP-Link.

The Winner (?) TP-Link

If you don’t know them, TP-Link is a China-based maker of small office, home office (SOHO) routers and other home networking equipment. It is the biggest seller of Wi-Fi and SOHO routers in the US, with about a 65% market share. At CES this year, the company is announcing a number of product updates including its new Deco BE68 Wi-Fi 7 router.

Secure Repairs founder Paul Roberts awarded TP-Link the “Worst in Show” for cybersecurity at CES.

Unlikely to get much mention at CES are the deep concerns about the security of TP-Link’s products. In recent years, hacks of TP-Link devices have been a common theme in China’s state-sponsored hacking campaigns, which are targeting U.S. businesses, government agencies and critical infrastructure. Malicious actors, both cybercriminal and nation-state, compromise these devices using known-and-unpatched or previously undiscovered (“zero day”) software flaws that allow remote attackers to take control of the devices. TP-Link devices are rife with such flaws. In October 2024, Microsoft reported that a malicious network of compromised SOHO routers it calls CovertNetwork-1658 was used by Chinese state actors to conduct password spraying attacks, in which a handful of common passwords are tried against large numbers of accounts, routed through the hijacked routers so that each attempt arrives from a different residential IP address. That network was made up of thousands of compromised SOHO routers, the vast majority of them manufactured by TP-Link. That prompted the Departments of Justice and Commerce to launch investigations into TP-Link’s ties to China’s government and military.

Don’t get me wrong: security flaws in SOHO devices aren’t unique to TP-Link. Not by a long shot. But here’s the difference: as a China-based company, TP-Link is required by law to disclose flaws it discovers in its software to China’s Ministry of Industry and Information Technology (MIIT) before making them public. That potentially gives Chinese state actors a window in which to exploit the still-undisclosed flaw to gain access to targeted environments. That fact, combined with the recurring role of TP-Link devices in state-sponsored hacking campaigns, raises the prospect of the U.S. government declaring a ban on the sale of TP-Link technology at some point in the next year. And for that reason TP-Link is this year’s winner of the CES “worst in show” for cybersecurity.

You can watch the video of Secure Repairs founder Paul Roberts presenting the award for the least secure CES device -and the rest of the worst in show awards above!

Podcast: Cars And The Fight For A Right To Repair
https://securepairs.org/podcast-cars-and-the-fight-for-a-right-to-repair/
Mon, 02 Sep 2024 15:33:50 +0000

Secure Repairs founder Paul Roberts was a guest on the Auto Care On Air: Traction Control podcast, where he and host Stacey Miller talk about the history of Secure Repairs and the ongoing battle to pass right to repair laws in the face of intense industry opposition.

The right to repair “movement” in the U.S. started with automobiles back in 2012, when voters in Massachusetts passed a ballot measure granting them a right to repair their cars.

That law – which required automakers to give owners and independent garages access to the same information, software and other resources that they provided to their dealerships and authorized repair shops – became a de-facto national right to repair cars, after the auto industry agreed to a memorandum of understanding that recognized the right in all 50 states. It also became a template for the other right to repair bills that started being introduced in state houses – everything from the wheelchair right to repair bill that passed in Colorado (and, more recently, California), to the broad electronics right to repair bills passed in New York, Minnesota, California, Colorado and Oregon.

Secure Repairs founder Paul Roberts is interviewed on the Auto Care On Air podcast.

Behind that ballot measure? The Auto Care Association – an industry group that represents independent repair shops, aftermarket parts manufacturers and suppliers and more. In the years since, the Auto Care Association has become a powerful force promoting right to repair – including the REPAIR Act, a proposed federal automotive right to repair.

Recently, Secure Repairs founder Paul Roberts was invited on the Auto Care Association’s Auto Care On Air: Traction Control podcast to talk about the state of the fight for a right to repair, and about the work Secure Repairs has done to promote both federal and state-level right to repair laws.

Paul speaks with host Stacey Miller about the critical importance of repairability across industries like automotive, agriculture, and personal electronics. Paul and Stacey also take on the myths surrounding the security risks of repair, compare the EU’s comprehensive right to repair laws with state-level initiatives in the United States, and discuss the paradox of right to repair laws that enjoy vast, bipartisan support yet languish and die in state houses and on Capitol Hill.

Check out the podcast here or on your favorite podcast service!

Robot Vacuum Lands CES “Worst In Show” For Security
https://securepairs.org/cyber-sucking-robot-vacuum-lands-ces-worst-in-show-for-security/
Thu, 11 Jan 2024 16:05:00 +0000

A robot vacuum cleaner manufactured by the China-based firm Ecovacs is the recipient of the “Worst in Show” for security at this year’s Consumer Electronics Show (CES) in Las Vegas.

The Worst in Show for security was awarded by Secure Repairs founder Paul F. Roberts to Ecovacs, which this week unveiled its X2 Combo vacuum at CES – an update of its Deebot X2 Omni robot vacuum.

Why the Ecovacs Deebot X2 Combo? “What we have here is an autonomous, wheeled, in-home surveillance device equipped with cameras, microphones, LIDAR, voice recognition features and built-in AI models for object identification. It harvests untold amounts of information from within your home,” Roberts said at the Worst In Show awards ceremony on Thursday.

Ecovacs leaves a trail of problems

A device harvesting that amount of sensitive personal information – images, sound, maps of personal living spaces – had better have top-shelf security, right? Alas, no. A presentation on the Ecovacs Deebot X1 in December at the Chaos Communications Conference in Hamburg, Germany by researchers Dennis Giese and Braelynn Luedtke revealed that the vacuums are easily hackable. Among other things, they found that user data – possibly including images – is stored on the vacuums in unencrypted form. Remote access to the robot vacuum’s live video feed was protected only by a mobile app check that could be easily bypassed. The researchers also found that the Ecovacs factory reset feature does not fully erase all information from the device.

In all, the research on the Ecovacs robotic vacuums found lots of low-hanging fruit: sloppy bash scripts, lax security for harvested data such as maps and images, heavy reliance on “self-signed” certificates, and reliance on MD5 – a widely deprecated hashing algorithm – for securing PINs and passwords.

Furthermore, Ecovacs offers no bug bounty program, nor a proper “front door” for security researchers who might discover problems with Ecovacs products, Giese and Luedtke said. While the company claims that it will acknowledge reports submitted by independent researchers on a public bulletin board it maintains, the researchers were unable to locate said bulletin board, calling that claim into question.

Beneath the glitz: a security morass

The research suggests that the cybersecurity of these powerful, sensor-rich smart home devices should be a cause of deep concern for consumers. It also points to the quietly growing risks facing consumers as more and more devices make the transition from “dumb” mechanical instruments to smart, Internet-connected and software-driven products.

As the research on the Deebot X1 suggests, a sober security reality lurks beneath the glitz, glamor and shiny exteriors of devices at CES. It includes poorly designed and insecure application code, lax security practices and blurry lines around the collection, storage and retention of user data.

Worst In Show: shining a light on CES’s Underbelly

Now in its third year, the Worst In Show Awards features a panel of dystopia experts who review CES news releases, punch through the hype and reveal the subtle ways that products jeopardize our safety, encourage wasteful overconsumption, and normalize privacy violations. In addition to the “Worst in Show” for cybersecurity, this year’s event saw Worst In Show awards for Privacy (awarded by Cindy Cohn, Executive Director, Electronic Frontier Foundation); Repairability, selected by Kyle Wiens (CEO, iFixit); environmental impact, selected by Shanika Whitehurst, Consumer Reports; and the new category of “Enshittification” selected by Cory Doctorow (Sci-Fi author, Electronic Frontier Foundation and Pluralistic.net).

Check out all the results at the Worst In Show website!

Secure Repairs Statement on the California Legislature’s Passage of The Right to Repair Act
https://securepairs.org/secure-repairs-statement-on-the-california-legislatures-passage-of-the-right-to-repair-act/
Thu, 14 Sep 2023 19:38:47 +0000

Secure Repairs (securepairs.org), an organization of cybersecurity and information technology professionals who support a legal right to repair, celebrates passage this week of California Senate Bill 244, the Right to Repair Act.

Secure Repairs sends its thanks and congratulations to California state Sen. Susan Talamantes Eggman as well as CalPIRG, iFixit, and the Repair Coalition, state consumer and environmental advocacy groups and the many residents and small business owners who testified in favor of SB 244 before California lawmakers.

“Nothing says success like having the 5th largest economy in the world embrace robust consumer right to repair protections,” said Paul Roberts, the founder of Secure Repairs.

“From the Low Riders of East Los Angeles; to backyard garage start-ups like HP and Apple Computer; to its tens of thousands of small, family-owned businesses, the Golden State has long been a mecca for entrepreneurs, tinkerers and do-it-yourselfers. The passage of Senate Bill 244 into law will ensure that Californian consumers and businesses will be able to benefit from a vibrant marketplace for repair and maintenance, fueled by ready access to the information, tools and parts to keep their technology running (or help others to do so). In the long term, it ensures that the deep well of talent, expertise and entrepreneurial spirit that has enriched so many lives in the Golden State will not be sidelined by wrong-headed, anti-competitive and environmentally unfriendly business practices,” Roberts said.

With the passage of similar laws in New York and Minnesota, this latest victory in California means that states representing roughly 25% of US GDP have enacted broad electronics right to repair laws. And how this bill passed – with votes of 39-0* in the Senate and 65-1 in the California Assembly – shows that the right to repair is an issue that enjoys broad and bipartisan support. As California has made even more evident: right to repair is an issue whose time has come.

As it has done throughout the country this year, Secure Repairs submitted written testimony in favor of Senate Bill 244 in April and attended a hearing in June to advocate for passage. We hope that our testimony helped dispel the myth that access to repair information and tools somehow increases cyber risk. It does not.

As we have noted on numerous occasions, the kinds of information sought by such laws – schematic diagrams, service manuals, diagnostic software and administrative codes, replacement parts – do not figure in cyberattacks on connected devices. Rather, the vast majority of attacks on Internet-connected devices like home routers, DVRs, webcams, and home appliances exploit software vulnerabilities in embedded software released by the manufacturer. Alternatively, attackers exploit weak configurations, like default administrative usernames and passwords that are shared across devices and never changed, or wide-open and insecure communications ports that give remote attackers access to devices.

As longtime advocates for right to repair laws, we are heartened to see that California legislators looked past the hand-waving about cyber risk and data privacy, voting overwhelmingly to pass this critical consumer protection that will have an outsized impact on both Californians’ wallets and their environment. This is a great day for the great state of California.

Congratulations again to all those who worked to get The Repair Act passed. Onward!

Sincerely,

Paul F. Roberts
Founder, Secure Repairs

(*) Correction: an earlier version of this statement misstated the final vote in the California Senate. It was 39-0, not 30-0. PFR 9/15/2023

Want to teach repair to K-12 kids? There’s a grant for that!
https://securepairs.org/want-to-teach-repair-to-k-12-kids-theres-a-grant-for-that/
Mon, 28 Aug 2023 02:10:04 +0000

The Culture of Repair Project is launching its Fall 2023 grants cycle on September 1st, offering resources to K-12 educators for creating programs and materials focused on teaching repair as a way to address environmental and societal challenges.

Grant amounts range from $1,000 to $10,000; eligibility requires registration as a 501(c)(3) in the U.S. If you’re interested in applying for a grant, the Culture of Repair Project’s site has the details.


What is the Culture of Repair Project?

“The Culture of Repair Project is about more than just diminishing resource usage in manufacturing, transporting and selling new products, and post-consumption. At a more fundamental level it’s about cultivating the well-being of individuals, communities, and the natural environment through changing our relationships with the material objects and social systems in our lives. It’s about reshaping our culture into one that takes care of and repairs what’s important to us, as a matter of course.”

What do projects look like?

Culture of Repair is an organization that is no stranger to using repair to educate and empower communities. Take its Education Pack for 14-18 Year Olds, for example, which aims to raise awareness among students about the importance of repairing electrical and electronic devices to extend their lifespan and contribute to a more sustainable future. The pack comprises five modules with diverse learning goals and aids for teachers, emphasizing the role of repair in a circular economy and encouraging students to actively choose repair.

Fight to Repair is a reader-supported publication. To receive new posts in your inbox sign up as a free subscriber. Or become a paid subscriber to get early access to our original reporting and exclusive access to full length podcasts and virtual- and in-person events.

Or take the Cultivating a Repair Mindset Toolkit, which offers strategies, classroom materials, and research findings to foster a repair-oriented mindset that transcends fixing physical objects and encourages broader problem-solving, systems thinking, and engagement with various aspects of life.

Source: Culture of Repair

For this round of grants, the Culture of Repair Project said it is particularly interested in projects that make use of its collaboration with the Fab Lab Foundation. It is interested in programs focused on repairing physical objects, addressing learning beyond technical skills, and those designed to have “multiplier effects.” A list of previous grant recipients is here.

Are you or someone you know interested in applying for grant funding? The application is available on the Culture of Repair Project’s site.


Apple Signals Support for California Right to Repair Bill
https://securepairs.org/apple-signals-support-for-california-right-to-repair-bill/
Fri, 25 Aug 2023 17:01:34 +0000

In a surprising reversal, Apple Computer – a longtime opponent of electronics right to repair laws – said it supports passage of a comprehensive right to repair law in California.

Apple endorsed SB 244, in a letter sent to Senator Susan Talamantes Eggman, one of the bill’s main sponsors.


“Apple writes in support of SB 244, and urges members of the California legislature to pass the bill as currently drafted,” Apple wrote to Eggman, according to 404 Media, which obtained a copy of the letter.

In a statement issued to TechCrunch, Apple said it decided to support SB 244 because it “includes requirements that protect individual users’ safety and security, as well as product manufacturers’ intellectual property. We will continue to support the bill, so long as it continues to provide protections for customers and innovators,” the company said.

The statement of support is seen as boosting SB 244’s chances of passage in the California legislature. After passing the California Senate with a vote of 38-0 in May, the bill has been awaiting release from the Assembly Appropriations Committee’s suspense file – a kind of limbo – before going to a full Assembly vote.

“Apple supports California’s Right to Repair Act so all Californians have even greater access to repairs while also protecting their safety, security, and privacy,” the company says in a statement provided to TechCrunch. “We create our products to last and, if they ever need to be repaired, Apple customers have a growing range of safe, high-quality repair options.”

Nathan Proctor, head of the Right to Repair Campaign at US PIRG, credited the persistence and dedication of Sen. Eggman and other lawmakers.

“Slowly but surely, we pushed ahead, won new supporters, mobilized more people and overcame more obstacles,” said Proctor in a statement. “This campaign is built off regular people who know that the Right to Repair is the right thing to do, and took action in the face of resistance from the biggest companies in the world,” he said.

While right to repair legislation has died in committee in California for the last 5 years, public support for the right to repair inside and outside the state has grown considerably. Voters in Massachusetts passed an expansion of their state automotive right to repair law by 74% to 26%. Lawmakers in New York, Colorado and Minnesota have subsequently passed right to repair laws covering electronics, agricultural equipment and power wheelchairs.

“After a decade of fighting against Right to Repair, Apple has decided to support our legislation,” said Repair.org Executive Director Gay Gordon-Byrne. “It’s a huge win for the whole coalition that were dogged in their pursuit of legislation, and a proud moment for all of us watching the big guns fall — once again.”

Should it pass a vote in the California legislature, the bill has a good chance of being signed into law. It would be the nation’s most robust repair law to date, covering a wide range of consumer electronics and home appliances. As written, SB 244 would require manufacturers to provide parts, tools, and repair diagnostics necessary for both consumers and third-party repair providers to fix products. It would also set a term for availability of parts and updates: three years after the last date of product manufacture for products that cost between $50 and $99.99 and seven years for products that cost more than $99.99. The bill also empowers city, county, or state governments to bring cases over violations of the law in superior court, with funding provided by fines on manufacturers caught violating the law.

Other News

NHTSA walks back opposition to MA auto repair law: a letter from the National Highway Traffic Safety Administration (NHTSA) to Massachusetts’ Attorney General walks back a June warning to automakers not to comply with the state’s expanded vehicle right to repair law by providing owners and independent garages with access to the vehicle telematics data needed for repairs.

The letter, dated August 22, was signed by Kerry Kolodziej, an Assistant Chief Counsel for Litigation and Enforcement at NHTSA – the same attorney who authored the June 13th letter to the lead counsel at 22 major U.S. automakers that argued that the Massachusetts law poses a safety risk and therefore violates the National Traffic and Motor Vehicle Safety Act (Safety Act), 49 C.F.R. Chapter 301.

Bambu Lab, a company known for its 3D printers, faced a major outage in its cloud-based printing system on August 15, causing printers to repeatedly receive the same print jobs and reportedly damaging some machines. The incident has raised concerns about the company’s cloud reliance, privacy, intellectual property and control, prompting questions about whether the manufacturer’s approach can be trusted and highlighting the need for a LAN mode as an alternative to cloud connectivity.

Apple has agreed to pay a ‘batterygate’ settlement of $310 million to $500 million to around 3 million users of pre-2018 model iPhones who filed complaints against the company for intentionally slowing down their devices through software updates. Affected users who filed claims in 2017 can expect to receive around $65 each. The iOS updates slowed down phones with aging batteries to prevent shutdowns, sparking claims of planned obsolescence: artificially limiting device lifespan to encourage replacement purchases. Apple has denied wrongdoing and stated that the throttling was aimed at prolonging device lifespan.

Lagos, Nigeria has opened a ‘Trash for Cash’ zonal office to encourage the recycling of plastic waste into raw materials. The agency aims to raise awareness about the dangers of improper plastic disposal and advocate for the adoption of circular economy practices in Lagos State.

A new community art center called 32° East Arts Centre has opened in Kampala, Uganda. The center aims to promote local, sustainable, and community-based architecture, and serves as a space for artists to gather and collaborate. Designed by New Makers Bureau, the center covers a site area of 470 sqm and has a gross internal area of 160 sqm.

“The project is inspired by the principles of circular economy and environmental sustainability and is a passionate homage to the local tectonic culture and its consolidated craftsmanship”

The automotive industry’s reliance on new designs and frequent consumer purchases would be massively changed by an economic system favoring circularity. Circularity would mean ending planned obsolescence, shifting towards rational motives for buying new or used vehicles, and challenging the current model of exporting vehicles, as local refurbishment.

E-bike manufacturers continue to advocate for battery recycling rather than allowing independent repairs due to safety concerns. Advocates for Right to Repair laws argue that individuals should have the option to choose safe repair shops and manage the risks themselves. However, advocating for battery recycling over repair also highlights environmental benefits, such as reducing electronic waste and promoting a more sustainable and circular economy.

Approximately 50 million tons of electronic waste (e-waste) are discarded each year worldwide, with only 5% being recycled. But creative initiatives like Esquinazo Recicla turn e-waste into art in Buenos Aires, emphasizing the need for responsible disposal to support a circular economy and a sustainable future.

An open source and modular waterwheel system has been developed by a group in Nepal. It consists of trapezoidal steel “buckets” that can be easily assembled using readily available resources, with the wheels generating between 120 and 1,400 watts of power. A software tool has also been created to calculate optimal wheel dimensions and power output based on location characteristics.

France continues to roll out its ‘repair bonus’ initiative encouraging people to repair clothing to combat garment waste, offering reimbursements for repairs conducted at affiliated workshops. The effort is part of broader textile industry reforms in France and, while looking to Bangladesh’s long-standing upcycling practices for inspiration, emphasizes the importance of minimizing waste, extending textile lifespans, and embracing circular economy principles to promote sustainability and reduce environmental impact.

An event titled Electronics < > Ecologies: Repair will be hosted by Griffith University on August 30th. The event will discuss environmental concerns linked to technology consumption, emphasizing the need for electronic device repair to extend device lifespan, while also highlighting how proprietary software, especially from vertically integrated companies, can impede the growth of a sustainable repair ecosystem. It will bring together experts, industry practitioners, activists, and emerging researchers to discuss these issues and explore solutions for electronics repair on a global scale.
