ASUS Malware Fiasco Proves Arguments Against Right to Repair Are Bogus

Last year, ASUS’s software update tool—which is installed on millions of the company’s Windows laptops—was compromised by hackers.  In a rather incredible piece of reporting, Kaspersky Labs and Kim Zetter at Motherboard uncovered that malware was installed on an estimated 500,000 ASUS laptops.

The report found that the malware, dubbed ShadowHammer, used ASUS’s legitimate cryptographic keys to sign the update—making it look like it was a genuine update from ASUS. Computers around the world automatically installed the update. This is as dire as a security breach can get: manufacturers are supposed to be the ultimate source of trusted code for your computer! The company has since patched the vulnerability. But the damage is done. Can we still trust OEM software to automatically update? The answer is less clear than it used to be.

ShadowHammer on ASUS laptop
Image from Kaspersky Labs showing the malware signed by AsusTek’s root certificate

It gets worse. Motherboard reports that the hijack happened as early as June of last year and ASUS didn’t do a thing about it, even after the company was warned about the problem. How are customers supposed to view ASUS as a trusted and transparent brand when they have to rely on security reporters to tell them they’ve been hacked?

There is a jaw-dropping level of hypocrisy happening here. We’ve spent the last few years fending off anti-Right to Repair arguments by manufacturers claiming that they’re the only ones who can be trusted to repair your computer. In a letter to legislators in Washington state, a group of trade associations that represent electronics companies, including ASUS, said, “With access to technical information, criminals can more easily circumvent security protections, harming not only the product owner but also everyone who shares their network.” 

That’s probably not true. But it is true that with access to ASUS root certificates, criminals can easily “circumvent security precautions, harming not only the product owner but also everyone who shares their network.” Perhaps these companies should spend less time lobbying against your right to fix your computer, and more time securing their networks.

Asus laptop with ShadowHammer
Photo by Matt Collamer on Unsplash

These arguments are delusional. No one company can secure every aspect of the use of their products on their own. Maintaining our technical infrastructure requires an ecosystem. Their lobbyists claim it’s imperative they keep a closed lid on repairs for security reasons—but clearly, that didn’t save them from this debacle. After the ASUS hijack, it’s going to be increasingly difficult for legislators to empathize with manufacturers.

What to Do If You Have an ASUS Computer

If you have an ASUS laptop, you should check to see if it was one of the unlucky ones by using Kaspersky’s online tool, and make sure you have the latest version (3.6.8) of the Live Update software installed.

While the ASUS malware was installed on hundreds of thousands of laptops, the hijackers are said to have only targeted a few hundred machines, mostly in Russia. Right now, the chances are low that your specific laptop was targeted. The dormant malware is not disruptive—yet—but the malware still provides a backdoor on all infected machines.

The bottom line: if we can’t trust OEM software in the first place, then we should at least be able to choose our own trusted support network. It’s time that we take back the right to repair and secure our systems.