• fiercekitten@lemm.ee
    link
    fedilink
    English
    arrow-up
    89
    ·
    8 months ago

    Parts pairing is prohibited only on devices sold in 2025 and later. And there are carve-outs for certain kinds of electronics and devices, including video game consoles, medical devices, HVAC systems, motor vehicles, and—as with other states—“electric toothbrushes.”

    What’s a good-faith argument for exempting these devices? Or was it simply successful lobbying in protecting corporate interests.

    • Ottomateeverything@lemmy.world
      link
      fedilink
      English
      arrow-up
      70
      arrow-down
      1
      ·
      8 months ago

      I could see an argument about medical devices, HVAC, and vehicles… But I don’t think I’d agree with them. Except maybe medical.

      Consoles and toothbrushes though? What the fuck?

      • Melt@lemm.ee
        link
        fedilink
        English
        arrow-up
        22
        ·
        8 months ago

        I guess console because they want the whole thing intact to enforce DRM?

      • FiniteBanjo@lemmy.today
        link
        fedilink
        English
        arrow-up
        23
        arrow-down
        4
        ·
        8 months ago

        I don’t see any argument for vehicles, tbh. HVAC tinkering is almost exclusively high voltage so that makes just a little sense, don’t want people swapping a 350 volt AC capacitor with a 250 volt DC capacitor and having it blow up, but Vehicles means a manufacturer can do everything imaginable to limit part availability and kill aftermarket parts purely for profits.

        • atrielienz@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          arrow-down
          2
          ·
          8 months ago

          I do for things like ECUs that are programmed to the vin to prevent theft or tampering that would allow an attack vector for the vehicle.

        • bluGill@kbin.social
          link
          fedilink
          arrow-up
          5
          arrow-down
          11
          ·
          8 months ago

          Vehicles need it because the keyless entry radio needs to pair with the engine start. Otherwise a thief can steel a car in a few minutes by bringing their own computers.

          • FiniteBanjo@lemmy.today
            link
            fedilink
            English
            arrow-up
            27
            arrow-down
            1
            ·
            edit-2
            8 months ago

            I guarantee you keyless start cars aren’t more secure because of paired parts. The encryption for the fob’s signal isn’t the result of a paired part.

            • T156@lemmy.world
              link
              fedilink
              English
              arrow-up
              4
              ·
              8 months ago

              Particularly as a lot of newer thefts just use an amplifier to boost the key signal, and fake the key being in the car. Part pairing wouldn’t help at all there.

            • atrielienz@lemmy.world
              link
              fedilink
              English
              arrow-up
              1
              arrow-down
              3
              ·
              8 months ago

              Define more secure. More secure than what? A non-keyless entry car of the same year and model? A car from ten years ago that doesn’t have parts and modules that do a handshake and will immobilize the vehicle if the system is tampered with?

              • FiniteBanjo@lemmy.today
                link
                fedilink
                English
                arrow-up
                3
                arrow-down
                2
                ·
                8 months ago

                I’m not arguing that it is more secure. That’s what others said. I’m arguing it is a non-factor in security. Nearly unbreakable encryption methods exist without any reliance on physical part-pairing. The only benefit from it is the manufacturer profiting more off of it as users become more reliant on the manufacturer in case of device failure and replacement.

                • atrielienz@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  arrow-down
                  1
                  ·
                  edit-2
                  8 months ago

                  I think the immobilization is key here and not something I would trust from any third party. If a third party has access to the encryption method, so does a hacker with the right tools.

                  Additionally, it’s configured to the VIN specifically so you can’t steal or buy genuine parts with a key you have access to and swap them into a vehicle that those parts don’t belong to. Chop shops have the ability to do this in the event that these modules aren’t configured properly and don’t require the right validation from other modules.

                  • FiniteBanjo@lemmy.today
                    link
                    fedilink
                    English
                    arrow-up
                    3
                    arrow-down
                    2
                    ·
                    edit-2
                    8 months ago

                    Encryption can be done purely between first and second party if you want to rely on the manufacturer for some reason, or if you’re really the complete owner you should have full access to the vehicle’s systems via physical connection and credentials. There is no need for third parties, for a comparison you don’t just give out your email account access or computer password do you?

          • Passerby6497@lemmy.world
            link
            fedilink
            English
            arrow-up
            10
            arrow-down
            1
            ·
            8 months ago

            Otherwise a thief can steel a car in a few minutes by bringing their own computers.

            …you mean like they do currently?

            • bluGill@kbin.social
              link
              fedilink
              arrow-up
              2
              arrow-down
              2
              ·
              8 months ago

              Which is why manufactures are now putting those pairs in so you cannot do that anymore.

          • themoonisacheese@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            7
            arrow-down
            1
            ·
            8 months ago

            If the security was so bad that removing part pairing would crash this, then it wasn’t secure to begin with. Same argument as apple pairing the fingerprint sensor, the emsensor is only doing the reading, not the authentication.

            • atrielienz@lemmy.world
              link
              fedilink
              English
              arrow-up
              2
              ·
              8 months ago

              They’re right though. The security in newer cars and anti-theft features require that a couple of different modules talk to and validate each other. That’s how it’s designed to work to prevent theft or hacking. When your ECU talks to your keyless entry module or what have you they perform a handshake. That ECU and keyless entry module talk to the vehicle’s starting system to validate that yes the correct key at the correct range is being used to send the signal to start the vehicle.

              • FiniteBanjo@lemmy.today
                link
                fedilink
                English
                arrow-up
                3
                arrow-down
                1
                ·
                edit-2
                8 months ago

                You don’t have to have paired parts for secure authentication. You just need parts that have been set up and authenticated beforehand. That is not the same as part pairing.

                • atrielienz@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  arrow-down
                  1
                  ·
                  8 months ago

                  What’s to stop me from going to a junk yard, paying for a key and the modules in question, attaching them to a different car and stealing that car?

                  • FiniteBanjo@lemmy.today
                    link
                    fedilink
                    English
                    arrow-up
                    2
                    arrow-down
                    3
                    ·
                    edit-2
                    8 months ago

                    Literally nothing stops you from doing that with paired parts. Nothing. Keyless cars get hacked, stolen, dismantled, and rebuilt all the time, just like any other car.

                    Encryption and authentication are equally secure with or without physical part pairing.

              • themoonisacheese@sh.itjust.works
                link
                fedilink
                English
                arrow-up
                3
                arrow-down
                1
                ·
                8 months ago

                Again, if you’re so deep in the car that this matters, this is not the part that’s going to stop you, unless the car is so poorly built that the keyless entry module is readily available without taking apart the entire car. This is a non-problem.

                • atrielienz@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  edit-2
                  8 months ago

                  It isn’t just one module. That’s what I’m trying to tell you. There’s a handshake. So replacing the Electronics control module or the Powertrain control module those modules have to be configured to the Vin. In my mother’s escape the PCM is in the wheel well behind a liner held in by plastic clips. None of those parts can be replaced without being configured to the VIN.

                  As for poorly designed cars, yeah. They’ve been making them for years and security has been evolving. Doesn’t mean we should set ourselves back in that arena because Joe wants to swap out his PCM with one from the junk yard.

                  CAN network injection can be achieved through the headlight well on some cars.

                  https://www.autoblog.com/2023/04/18/vehicle-headlight-can-bus-injection-theft-method-update/

                  • themoonisacheese@sh.itjust.works
                    link
                    fedilink
                    English
                    arrow-up
                    2
                    ·
                    edit-2
                    8 months ago

                    I know that it isn’t just one module. What is the handshake achieving exactly? Because it’s not additional security from an attacker trying to replace the keyless entry module with a hacked one, and if it is doing that then this is a terrible security design and the actual solution is not to get to keep using this ‘security’ threat model.

      • brsrklf@jlai.lu
        link
        fedilink
        English
        arrow-up
        14
        ·
        8 months ago

        Good thing part pairing doesn’t exist for the Switch.

        Mine is the Ship of Theseus at that point.

      • oo1@kbin.social
        link
        fedilink
        arrow-up
        10
        ·
        8 months ago

        For toothbrushes, are they worried repair won’t re-seal it effectively so make it unsuitable for use in the wet environment?

        • liara@lemm.ee
          link
          fedilink
          English
          arrow-up
          1
          ·
          8 months ago

          I hope you’re right and this isn’t about them getting ready to DRM brush handles to brush heads. Sonicare brush heads are ridiculously overpriced compared to the knock offs

        • oatscoop@midwest.social
          link
          fedilink
          English
          arrow-up
          1
          ·
          8 months ago

          Which is dumb, because there’s nothing stopping anyone from replacing the seals/glue when they put it back together. And at least in the USA manufactures have been covered for damages/harm resulting from a flawed consumer-based repair since since 1975.

        • Ottomateeverything@lemmy.world
          link
          fedilink
          English
          arrow-up
          4
          arrow-down
          2
          ·
          8 months ago

          I mean, I don’t want the thing supplying the air I’m breathing to accidentally not burn all the gas and lead to carbon monoxide poisoning etc… Things like the ductwork and shit, for sure, but not like, a burner.

          • oatscoop@midwest.social
            link
            fedilink
            English
            arrow-up
            7
            ·
            8 months ago

            The great irony is it’s frequently the “ductwork” that’s the problem: plugged or badly installed exhaust pipes, which the manufacture has no control over. The rest are the appliance itself wearing out or failing with no warning.

            I’ve repaired furnaces myself several times including replacing burners and exhaust fans – it isn’t rocket science. It’s no different than working on any other “dangerous” thing like a car. If someone somehow manages to fuck up so badly it hurts or kills someone that’s on them.

            • Ottomateeverything@lemmy.world
              link
              fedilink
              English
              arrow-up
              2
              arrow-down
              1
              ·
              8 months ago

              Yeah that’s totally valid. Agreed.

              But I also wouldn’t really trust third party parts for the appliance itself. I think once you do, that immediately becomes a possible problem. If it was in my house, I’d only buy from the manufacturer for something like that.

              But on the other hand, Idk that it’s necessarily wrong to legislate forcing these companies to allow it. I generally believe consumers should have the option on their own, but some things are too dangerous. I’d pretty much be against medical devices but HVAC is a little more uncertain to me.

          • PriorityMotif@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            arrow-down
            1
            ·
            8 months ago

            So you want to be stuck with the same thermostat forever? Imagine it comes with one of those Amazon ones with a persistent camera and microphone in it that you can’t opt out of.

            • n3m37h@sh.itjust.works
              link
              fedilink
              English
              arrow-up
              3
              ·
              8 months ago

              A thermostat doesn’t have refrigerants/gasses in them. It’s nothing more than a complicated on off switch

              • PriorityMotif@lemmy.world
                link
                fedilink
                English
                arrow-up
                1
                arrow-down
                2
                ·
                8 months ago

                Yet, a WiFi thermostat that stops getting updates is an extreme risk to that system if an attacker can access it. They could easily create a situation that causes a fire or a gas leak.

                • Ottomateeverything@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  8 months ago

                  What… The… Fuck?

                  If your thermostat could cause a fire or gas leak, your HVAC system is flawed. This is entirely a fabricated concern. If anything, I’d chalk it up as reasons why maybe right to repair the HVAC isn’t a great idea. A properly setup HVAC wont let anything tell it to do that.

                  • PriorityMotif@lemmy.world
                    link
                    fedilink
                    English
                    arrow-up
                    1
                    arrow-down
                    1
                    ·
                    8 months ago

                    You can overheat the furnace and then short cycle it repeatedly, same with the a/c. You could shut off the furnace and cause the pipes to burst. Run the a/c in the winter.

            • Ottomateeverything@lemmy.world
              link
              fedilink
              English
              arrow-up
              1
              ·
              8 months ago

              Firstly, I said this one was iffy to me.

              Second, the subtopic was HVAC and thermostats are like, the electronics that control the HVAC which I wouldn’t even really necessarily bucket into HVAC. It’s like HVAC adjacent.

              Third, this whole topic is about right to repair, not right to replace. So the on topic argument is “you want to be able to repair the same thermostat with off brand parts”, to which I say, yes? Probably? I don’t see how that’s a problem.

              And fourth, who the fuck would buy an Amazon thermostat, lmao.

              • PriorityMotif@lemmy.world
                link
                fedilink
                English
                arrow-up
                1
                arrow-down
                1
                ·
                8 months ago

                It’s about parts pairing. HVAC companies could pair the thermostat to the system and you wouldn’t be able to replace it with one of your choosing. People are buying smart TVs with Amazon and Google crap in them that came be removed or even bypassed in certain cases. Google owns nest, the most popular smart thermostat brand. Amazon has their own smart thermostat. People wouldn’t think twice about having that included with their new HVAC system. It would be a selling point, just like smart TVs and all the other crap out there that will stop getting updates in 5 years.

                • Ottomateeverything@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  8 months ago

                  That’s more “device” pairing than “parts” pairing. The thermostat to HVAC communication is a standard. Sure, if someone started forcing that, that’d be bad. But that’s more akin to Apple’s “iOS only works with MacBooks” type shit with Airdrop and such than it is to their “you can’t replace the camera in your phone unless it’s from us”. They’re both problems, but the one you’re describing is both not happening and a different issue. I’m not saying it won’t happen but it’s a different topic.

        • Fosheze@lemmy.world
          link
          fedilink
          English
          arrow-up
          3
          arrow-down
          2
          ·
          8 months ago

          You need some sort of licensing to do most HVAC work anyways. Theres no point in forcing companies to make all the parts available to the average joe when the average joe can’t legally do the work anyways.

    • tyler@programming.dev
      link
      fedilink
      English
      arrow-up
      20
      arrow-down
      1
      ·
      8 months ago

      The goal of the bill was to get something with teeth passed. Fighting every lobby at once would be impossible, so they leave those devices out of it and will now be able to work on different laws for those things. At least that’s what I read they’re doing for the John Deere stuff at least. The legislators know it’s going to be a difficult battle, so they segmented the law to make it so that a failure in one spot wouldn’t cause a loss everywhere.