Please note that all submissions to the site are subject to the wiki's licence, CC 4.0 BY-SA, as found here
Security through obscurity: Difference between revisions
Added a source |
Added formatting and improved readability. |
||
Line 3: | Line 3: | ||
== Obscurity Cannot Improve Security == | == Obscurity Cannot Improve Security == | ||
Obscurity in practice | Obscurity in practice involves intentionally altering the appearance of something to make it difficult to understand, while keeping its end function unchanged. In software development, obscurity is often used because it can be implemented automatically, however it is also possible to apply obscurity in hardware. Companies use various methods to achieve this, such as: | ||
# Software Refactoring: companies may refactor computer code in production by renaming values from human intelligible to machine intelligible. As an example the function "sendKey()" may be renamed to "f_019278()" throughout the entire codebase. This does not truly promote security because any person can reverse-engineer what the code does and come up with their own naming schemes for the renamed values. A prime example of this is Minecraft whose source code is refactored in production. Minecraft's code refactoring has been bypassed years ago and projects such as the [https://docs.spongepowered.org/5.1.0/en/plugin/internals/mcp.html Minecraft Coder Pack] provide environments where intelligible code is viewable. | # '''Software Refactoring:''' companies may refactor computer code in production by renaming values from human intelligible to machine intelligible. As an example the function "sendKey()" may be renamed to "f_019278()" throughout the entire codebase. This does not truly promote security because any person can reverse-engineer what the code does and come up with their own naming schemes for the renamed values. A prime example of this is the video game Minecraft, whose source code is refactored in production. Minecraft's code refactoring has been bypassed years ago and projects such as the [https://docs.spongepowered.org/5.1.0/en/plugin/internals/mcp.html Minecraft Coder Pack] provide environments where intelligible code is viewable. | ||
# Software Obfuscation: companies may obfuscate computer code by changing the instructions. This may include adding instructions that do meaningless actions or replacing actual instructions with more complicated ones. The end result of obfuscation is always | # '''Software Obfuscation:''' companies may obfuscate computer code by changing the instructions. This may include adding instructions that do meaningless actions or replacing actual instructions with more complicated ones. The end result of this obfuscation is always that the end functionality of the program is unchanged even though the steps are different and possibly unintelligible. This can also involve adding decoy code that has no purpose at all and merely exists to slow reverse-engineering. | ||
# Software Encryption: companies may provide software in an encrypted format that must be decrypted before running. A problem to this form of obscurity is that the consumer will need a key to decrypt the program and run it so a reverse-engineer could obtain this key and read the program. | # '''Software Encryption:''' companies may provide software in an encrypted format that must be decrypted before running. A problem to this form of obscurity is that the consumer will need a key to decrypt the program and run it, so a reverse-engineer could obtain this key and read the program. | ||
# Physical Refactoring: companies may remove identifying information from physical components or change component appearance. Notably in the [[Tom Evans Audio Copyright Strike]] identifying numbers were scraped from nearly all components to make repair more difficult. [https://www.youtube.com/@MendItMark Mend it Mark] was able to reverse engineer the entire product regardless. | # '''Physical Refactoring:''' companies may remove identifying information from physical components or change component appearance. Notably in the [[Tom Evans Audio Copyright Strike]], identifying numbers were scraped from nearly all components to make repair more difficult. [https://www.youtube.com/@MendItMark Mend it Mark] was able to reverse engineer the entire product regardless. | ||
# Confidential Schematics: companies, like [[Apple]] may keep schematics confidential | # '''Confidential Schematics:''' companies, like [[Apple]], may keep schematics confidential, however this will not deter someone with enough time and resources from reverse engineering a product and creating schematics of their own. | ||
# Physical Obfuscation: companies can design physical products | # '''Physical Obfuscation:''' companies can design physical products so that they have the same functionality but are unintelligible. As an example, consider a set of scissors that can only be moved by a giant [[wikipedia:Rube_Goldberg_machine|Rube Goldberg Machine]]. The scissors still cut paper but the steps taken to cut the paper is ridiculously overcomplicated. | ||
Ultimately, vulnerabilities will exist in functionality regardless of how a product's appearance is changed. Obscuring product information merely increases the amount of time it will take to reverse-engineer a product and does not actually provide any benefit to security. | Ultimately, vulnerabilities will exist in functionality regardless of how a product's appearance is changed. Obscuring product information merely increases the amount of time it will take to reverse-engineer a product and does not actually provide any benefit to security. | ||
== Relation to Consumer Rights == | == Relation to Consumer Rights == | ||
Sometimes, companies choose to withhold details about their products in the name of "security" | Sometimes, companies choose to withhold details about their products in the name of "security," and in the process, consumer rights are often taken away. These decisions make diagnosing problems and repair more difficult, making consumers lose the ability to confirm that their product functions exactly as expected rather than unexpectedly and in potentially malicious ways. These decisions can take away consumer control over the product they bought after security through obscurity is implemented. Moreover, since this practice only obfuscates or attempts to conceal instead of actually implementing proper security, the workings of the device are often reverse-engineered in a short amount time.[https://wiki.rossmanngroup.com/wiki/Reverse_Engineering_Bambu_Connect] Due to the IP protections afforded by laws like the [[DMCA]], which make sharing of reverse engineered solutions unlawful, the only real benefit to the company is removal of consumer rights.<ref>https://media.ccc.de/v/38c3-we-ve-not-been-trained-for-this-life-after-the-newag-drm-disclosure</ref> | ||
== List of Security Through Obscurity Instances == | == List of Security Through Obscurity Instances == |
Revision as of 21:36, 20 January 2025
Security through Obscurity is a practice where companies obfuscate or hide the logic behind their product to supposedly enhance their security.
Obscurity Cannot Improve Security
Obscurity in practice involves intentionally altering the appearance of something to make it difficult to understand, while keeping its end function unchanged. In software development, obscurity is often used because it can be implemented automatically, however it is also possible to apply obscurity in hardware. Companies use various methods to achieve this, such as:
- Software Refactoring: companies may refactor computer code in production by renaming values from human intelligible to machine intelligible. As an example the function "sendKey()" may be renamed to "f_019278()" throughout the entire codebase. This does not truly promote security because any person can reverse-engineer what the code does and come up with their own naming schemes for the renamed values. A prime example of this is the video game Minecraft, whose source code is refactored in production. Minecraft's code refactoring has been bypassed years ago and projects such as the Minecraft Coder Pack provide environments where intelligible code is viewable.
- Software Obfuscation: companies may obfuscate computer code by changing the instructions. This may include adding instructions that do meaningless actions or replacing actual instructions with more complicated ones. The end result of this obfuscation is always that the end functionality of the program is unchanged even though the steps are different and possibly unintelligible. This can also involve adding decoy code that has no purpose at all and merely exists to slow reverse-engineering.
- Software Encryption: companies may provide software in an encrypted format that must be decrypted before running. A problem to this form of obscurity is that the consumer will need a key to decrypt the program and run it, so a reverse-engineer could obtain this key and read the program.
- Physical Refactoring: companies may remove identifying information from physical components or change component appearance. Notably in the Tom Evans Audio Copyright Strike, identifying numbers were scraped from nearly all components to make repair more difficult. Mend it Mark was able to reverse engineer the entire product regardless.
- Confidential Schematics: companies, like Apple, may keep schematics confidential, however this will not deter someone with enough time and resources from reverse engineering a product and creating schematics of their own.
- Physical Obfuscation: companies can design physical products so that they have the same functionality but are unintelligible. As an example, consider a set of scissors that can only be moved by a giant Rube Goldberg Machine. The scissors still cut paper but the steps taken to cut the paper is ridiculously overcomplicated.
Ultimately, vulnerabilities will exist in functionality regardless of how a product's appearance is changed. Obscuring product information merely increases the amount of time it will take to reverse-engineer a product and does not actually provide any benefit to security.
Relation to Consumer Rights
Sometimes, companies choose to withhold details about their products in the name of "security," and in the process, consumer rights are often taken away. These decisions make diagnosing problems and repair more difficult, making consumers lose the ability to confirm that their product functions exactly as expected rather than unexpectedly and in potentially malicious ways. These decisions can take away consumer control over the product they bought after security through obscurity is implemented. Moreover, since this practice only obfuscates or attempts to conceal instead of actually implementing proper security, the workings of the device are often reverse-engineered in a short amount time.[1] Due to the IP protections afforded by laws like the DMCA, which make sharing of reverse engineered solutions unlawful, the only real benefit to the company is removal of consumer rights.[1]
List of Security Through Obscurity Instances
- Bambu Lab Authorization Control System (Encryption and patching through asarmor)
- Tom Evans Audio Copyright Strike (Physical Refactoring, Confidential Schematics)