Security through obscurity
Security through Obscurity is a practice where companies obfuscate or hide the logic behind their product to supposedly enhance their security.
Obscurity Cannot Improve Security
Obscurity in practice involves intentionally altering the appearance of something to make it difficult to understand, while keeping its end function unchanged. In software development, obscurity is often used because it can be applied automatically; it is also possible to apply obscurity in hardware. Companies use various methods to achieve this, such as:
- Software Refactoring: companies may refactor computer code in production by renaming values from human-intelligible to machine-intelligible names. As an example, the function "sendKey()" may be renamed to "f_019278()" throughout the entire codebase. This does not truly improve security, because anyone can reverse-engineer what the code does and come up with their own naming scheme for the renamed values. A prime example of this is the video game Minecraft, whose source code is refactored in production. Minecraft's code refactoring was bypassed years ago, and projects such as the Minecraft Coder Pack provide environments where intelligible code is viewable.
- Software Obfuscation: companies may obfuscate computer code by changing its instructions. This may include adding instructions that perform meaningless actions or replacing actual instructions with more complicated ones. The result is that the program's functionality is unchanged even though the steps are different and possibly unintelligible. This can also involve adding decoy code that has no purpose at all and merely exists to slow reverse-engineering.
- Software Encryption: companies may provide software in an encrypted format that must be decrypted before running. A problem with this form of obscurity is that the consumer will need a key to decrypt the program and run it, so a reverse engineer can obtain this key and read the program.
- Physical Refactoring: companies may remove identifying information from physical components or change component appearance. Notably, in the Tom Evans Audio Copyright Strike, identifying numbers were scraped off nearly all components to make repair more difficult. Mend it Mark was able to reverse-engineer the entire product regardless.
- Confidential Schematics: companies, like Apple, may keep schematics confidential; however, this will not deter someone with enough time and resources from reverse-engineering a product and creating schematics of their own.
- Physical Obfuscation: companies can design physical products so that they have the same functionality but are unintelligible. As an example, consider a set of scissors that can only be moved by a giant Rube Goldberg machine. The scissors still cut paper, but the steps taken to cut the paper are ridiculously overcomplicated.
Ultimately, vulnerabilities exist in a product's functionality regardless of how its appearance is changed. Obscuring product information merely increases the time it takes to reverse-engineer the product; it does not provide any actual security benefit.
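To make the point concrete, here is an added example (not from this wiki or from any product it names): a toy access check with an obvious flaw, followed by the same check after the "refactoring" and "obfuscation" steps described above (identifiers renamed, decoy instructions inserted). A comparison function shows the flaw survives the obscuring unchanged. All names, the secret and the sample inputs are constructed for this example.

```python
"""Renaming identifiers and padding code does not change what the code does."""

EXPECTED = "open-sesame"  # constructed secret for the toy check


def check_readable(candidate: str) -> bool:
    # Flawed on purpose: only the length is compared, not the contents,
    # so any 11-character string is accepted.
    return len(candidate) == len(EXPECTED)


def f_019278(a0: str) -> bool:
    # The same logic after "obscuring": meaningless names, a decoy loop
    # whose result is discarded, and the length test written in a
    # roundabout way (x ^ y == 0 is just x == y).
    v1 = 0
    for _ in range(3):            # decoy work, never used
        v1 = (v1 * 7 + 13) % 101
    v2 = [ord(c) for c in a0]
    v3 = sum(1 for _ in EXPECTED)
    return (len(v2) ^ v3) == 0


def behaves_identically(samples) -> bool:
    """True if the readable and obscured versions agree on every input."""
    return all(check_readable(s) == f_019278(s) for s in samples)


def weakness_survives(samples):
    """Inputs that are not the secret yet are accepted by BOTH versions."""
    return [s for s in samples
            if s != EXPECTED and check_readable(s) and f_019278(s)]


if __name__ == "__main__":
    probes = [EXPECTED, "short", "a" * 11, "", "x" * 12]
    print("same behaviour:", behaves_identically(probes))
    print("wrongly accepted by both:", weakness_survives(probes))
```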
Relation to Consumer Rights
Sometimes, companies choose to withhold details about their products in the name of "security," and in the process consumer rights are often taken away. These decisions make diagnosing problems and repair more difficult, and consumers lose the ability to confirm that their product functions exactly as expected rather than unexpectedly and in potentially malicious ways. Once security through obscurity is implemented, consumers can lose control over the product they bought. Moreover, since this practice only obfuscates or attempts to conceal instead of actually implementing proper security, the workings of the device are often reverse-engineered in a short amount of time.[1] Due to the IP protections afforded by laws like the DMCA, which make sharing of reverse-engineered solutions unlawful, the only real benefit to the company is the removal of consumer rights.[1]
List of Security Through Obscurity Instances
- Bambu Lab Authorization Control System (Encryption and patching through asarmor)
- Tom Evans Audio Copyright Strike (Physical Refactoring, Confidential Schematics)