Security through Obscurity is Insecurity

There are several axioms of the cybersecurity field.

“Security through Obscurity” is not one of them. But it’s a concept that is given a lot of space. At best, it’s the helping hand that holds two planks of wood close together while you get a proper nail gun. But usually, it’s the unlocked door with the robber on the other side, about to grab the handle.

For example, the continued revelations about the Pegasus malware developed by the NSO group, and its continued proliferation by its many customers, have highlighted huge vulnerabilities that plague Apple’s iMessage service.

While Apple seems to have released a partial patch for that particular set of vulnerabilities, there have been numerous reports of researchers attempting to identify and combat such vulnerabilities who are prevented from diagnosing further because Apple, and companies like it, lock researchers out of the logs and internal processes of the compromised devices, the very evidence that could be used to discover more about these exploits and work to reverse them.

Not only does Apple’s walled-garden approach prevent security researchers from learning as much as they can about a piece of malware in order to combat it, the obscurity paradigm gives malware writers and bad actors the latitude to operate and exploit the systems, staying hidden until compromises are publicized, often after a large amount of damage has been done.

Setting aside the morality of buying and selling weaponized exploits, the recent NSO/Pegasus malware news, whether the targets were criminal or civilian, serves as a perfect example of why this practice is a bad idea. And the fact that security researchers are prevented from looking through and auditing the code, logs and mechanisms in order to responsibly discover and report vulnerabilities serves as an additional barrier that disincentivizes those acting in good faith, but perversely incentivizes those looking to exploit for profit.

Apple is only a single, prominent example of this. Many companies, in a wide range of industries, including seldom-considered ones like manufacturing and agriculture, follow the same playbook. Similar rent-seeking and anti-competitive behaviors are often excused by the need to survive in the marketplace or protect revenue streams, but this continues to erode the trust in, and quality of, the products for which they are responsible.

Obscurity security models do little to nothing to stop motivated and well-resourced attackers. A better, and more effective, strategy is to equip and empower a motivated and diverse set of defenders. Not just diverse in the sense of ideas, but also diverse in incentives. The folks who are hired to work on a system, the folks who are users of the system and seek to ensure their own data and communications are protected, the advocates for privacy who seek to ensure that widely used systems are secured correctly, the security researcher who enjoys breaking into systems and making a name for themselves: all of those kinds of people comprise the level of diversity that will be required to combat sufficiently motivated attackers and threats.

These paradigms need to change, for as long as essential and ubiquitous technology uses obscurity as a defense strategy, those capable of exploiting the cracks and shadows that exist will continue to prosper.

Programs like bug bounties are crucial pieces of this security puzzle, but they will need open sharing and communication, between vendors, between companies and their customers, and between producers and researchers, to be truly effective. While this can be a lot of work, and introduces its own challenges initially, it fosters a more robust and resilient ecosystem overall and in the long term, one that all players can benefit from.

This includes company employees, independent researchers, outsourced contractors, privacy advocates, as well as a whole host of additional entities that might have an interest in, and enjoy the benefits of, open peer review.

Rent-seeking behaviors, trade secrets and intellectual property laws can serve as formidable obstacles, and are built into the very fabric of our economy and society. And while some might argue that judicial mechanisms exist that serve as a counterbalance to those obstacles, this only works when there is a respected authority and an understood spectrum of power to enforce those protections. But this is not the reality we live in currently, or one that we will likely see again in this multi-polar world of competing nation-states, NGOs, and capabilities that only seem to get more powerful and democratized.

In order to counterbalance the multi-polar world of competing interests, we need to be more transparent regarding the technologies that we depend on, and empower ourselves with knowledge of their benefits, as well as their risks.

There is some pithy quote about being shackled by secrets that I am forgetting or made up, but the truth is not simply about preserving the connotations the word freedom carries: security that is obscured, when not only privacy but safety is threatened, should be examined and understood. I believe there is a place for secrets, but as of now, in the case of Apple and companies like it, they just have a little too much real estate.

Stephen Wood