Security by Obscurity and the Right to Repair

The right-to-repair movement is gaining traction in the U.S. as many states are considering legislation that would allow consumers and third parties to repair electronic equipment without voiding manufacturer’s warranties. The issue has even crept into presidential politics, as several candidates are taking up the cause, and organizations like securepairs.org are gaining grassroot followers.

The right-to-repair idea itself is pretty simple. Legislation under consideration would require manufacturers to make repair resources – that is, the same manuals and components that authorized service and maintenance partners receive – available to consumers. This would in turn give them the ability to fix their property – be it through parts, software or a network of third-party resources, not just designated manufacturer partners.

Opponents, on the other hand, argue that opening up this proprietary information to the public is an attack on the manufacturers’ Intellectual Property rights and makes them vulnerable to counterfeiting and reverse engineering. They also argue that third-party repairs could be unsafe for consumers and technicians – for example, with respect to repairing electronics that use lithium-ion batteries.

The right to repair legislation "would force all electronics manufacturers to reveal sensitive technical information about thousands of Internet-connected products including security cameras, computers, smart home devices, video game platforms, smartphones and more – putting consumers and their data at risk," wrote Earl Crane, a senior cybersecurity fellow at the University of Texas, Austin. He added that manufacturers "would have to share codes, tools, and supply chain access to anyone who purchases a product."

Opponents also argue that giving the “keys to the kingdom” to the public opens the door for malicious actors who would then have the ability to tamper with these devices for any number of nefarious purposes.

Securepairs.org refutes that argument by dismissing the notion of security through obscurity, an assumption that obscurity equates or enhances security. A robust system, they say, will still be secure even if people know how it works. Releasing repair manuals and spare parts shouldn’t undermine an already sound smartphone. The group further argues that right-to-repair laws would make devices safer by allowing consumers to quickly replace failing parts or update buggy software.

Their argument against security by obscurity, of course, is based on the core principle of modern information security, first articulated by the Dutch cryptographer Auguste Kerckhoffs. He stated that a “cryptosystem should be secure even if everything about the system, except the key, is public knowledge” (Kerckhoffs’ Principle). Verifiable security is the product of secure design and thorough testing and improvement, not secrecy. Systems that rely on secrecy rather than provable security are destined to fail.

Kerkhoffs’ Principle is well known to Wibu-Systems, as it is the foundation upon which our award-winning Blurry Box cryptography was built to protect software from hackers. The basic principles of Blurry Box cryptography are the use of one or more secure keys in a dongle and the fact that software is typically complex. Its goal is to make the effort required to illicitly copy software higher than the effort needed to completely rewrite the same software. Blurry Box cryptography uses seven published methods that greatly increase the complexity and time required for an attack to be successful. In the end, it would be easier and less expensive for the would-be attacker to develop similar software from scratch.

We don’t know how the Right to Repair movement will progress, but if you would like to know more about Kerckhoffs’ Principle and how it is used to protect software, visit our website or download a white paper, Blurry Box Encryption Scheme and why it Matters to Industrial IoT.