Please note that all submissions to the site are subject to the wiki's licence, CC 4.0 BY-SA, as found here

Security Through Obscurity

From Consumer Action Taskforce
Revision as of 19:19, 20 January 2025 by Jack Andersen (talk | contribs) (Added a new section "Obscurity Cannot Improve Security" with a more detailed explanation for why obscurity does not promote real security. Improved the "Relation to Consumer Rights" section. Added a list of instances where a companies have instantiated "Security through Obscurity". The list is very bare-bores but I figured it would be a good idea to start it.)
Jump to navigationJump to search

Security through Obscurity is a practice where companies obfuscate or hide the logic behind their product to supposedly enhance their security.

Obscurity Cannot Improve Security

Obscurity in practice is intentionally changing the appearance of something such that it becomes difficult to understand without changing its end function. Obscurity is commonly used in the software development as it can be done automatically but it is possible for obscurity to be implemented in hardware as well. There are many ways that companies go about doing this:

  1. Software Refactoring: companies may refactor computer code in production by renaming values from human intelligible to machine intellgible. As an example the function "sendKey()" may be renamed to "f_019278()" throughout the entire codebase. This does not truly promote security because any person can reverse-engineer what the code does and come up with their own naming schemes for the renamed values. A prime example of this is Minecraft whose source code is refactored in production. Minecraft's code refactoring has been bypassed years ago and projects such as the Minecraft Coder Pack provide environments where intelligible code is viewable.
  2. Software Obfuscation: companies may obfuscate computer code by changing the instructions. This may include adding instructions that do meaningless actions or replacing actual instructions with more complicated ones. The end result of obfuscation is always such that the end functionality of the program is unchanged even though the steps are different and possibly unintelligible. This can also involve adding decoy code that has no purpose at all and merely exists to slow reverse-engineering.
  3. Software Encryption: companies may provide software in an encrypted format that must be decrypted before running. A problem to this form of obscurity is that the consumer will need a key to decrypt the program and run it so a reverse-engineer could obtain this key and read the program.
  4. Physical Refactoring: companies may remove identifying information from physical components or change component appearance. Notably in the Tom Evans Audio Copyright Strike identifying numbers were scraped from nearly all components to make repair more difficult. Mend it Mark was able to reverse engineer the entire product regardless.
  5. Confidential Schematics: companies, like Apple may keep schematics confidential. This will never stop someone with enough time and resources from reverse engineering a product and creating schematics of their own.
  6. Physical Obfuscation: companies can design physical products such that they have the same functionality but are unintelligible. As an example, consider a set of scissors that can only be moved by a giant Rube Goldberg Machine. The scissors still cut paper but the steps taken to cut the paper is ridiculously overcomplicated.

Ultimately, vulnerabilities will exist in functionality regardless of how a product's appearance is changed. Obscuring product information merely increases the amount of time it will take to reverse-engineer a product and does not actually provide any benefit to security.

Relation to Consumer Rights

Sometimes, companies choose to withhold details about their products in the name of "security". In the process, consumer rights are often taken away. These decisions make diagnosing problems more difficult and repair more challenging. In addition, consumers lose the ability to confirm that their product functions exactly as expected rather than in unexpected and potentially malicious ways. These decisions can take away consumer control over the product they bought and paid for after the security through obscurity is implemented. Moreover, since this practice only obfuscates or attempts to conceal, instead of actually implementing proper security, the workings of the device are often reverse-engineered in a short time. See: Reverse Engineering Bambu Connect

List of Security Through Obscurity Instances

Retrieved from "https://wiki.rossmanngroup.com/index.php?title=Security_Through_Obscurity&oldid=3596"