Security Through Obscurity (STO): History, Criticism & Risks
The concept of security through obscurity (STO) relies on the idea that a system can remain secure as long as its vulnerabilities are secret or hidden: if attackers do not know where the weaknesses are, they cannot exploit them. The flip side is that once a vulnerability is exposed, the system is no longer secure. It is commonly held that security through obscurity is only effective when used as one layer of security, not as the entire security system. STO is a controversial topic in the IT world; on its own, it is an ineffective security measure.
What is security through obscurity?
Obscurity means being unknown. Security through obscurity seeks to keep a system secure by keeping knowledge of it secret: the inner mechanisms and workings of the system are shared on a “need to know” basis. If no one outside the core group is aware of them, or of the vulnerabilities, the system can remain secure. In theory this works, but the margin for human error is wide; if there is a leak, the entire system can be compromised.
History of STO
Opposition to security through obscurity has a long history, dating back to the 1850s, when the publication of instructions for picking the state-of-the-art locks of the day caused much outrage. The argument made in its defence was that people working to break in already know how, so exposing flaws in the design does not actually make the locks more vulnerable to attack. STO has nevertheless been a traditional aspect of cryptography, with government agencies such as the NSA (National Security Agency) employing cryptographers whose work was kept secret. On the opposite side, Kerckhoffs’s principle, from the end of the 19th century, holds that a cryptographic system should remain secure as long as the key is kept secret, even if everything else about the system is well known.
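The contrast between a secret algorithm and Kerckhoffs’s principle is easiest to see in a message-authentication setting. The following Python is an added example, not code from the article or from any of the sources it cites: design A authenticates messages with a constant baked into the source (the constant is the whole secret and ships with every copy of the code), while design B uses the public HMAC-SHA256 construction with a key generated at deployment time. The message, the baked-in constant and the “attacker knowledge” model are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed demo message; both designs below are illustrative.
MESSAGE = b"transfer 100 credits to account 42"

# Design A ("secret algorithm"): the tag is SHA-256 over the message plus a
# constant hidden in the source. Whoever reads the code can forge tags forever.
_BAKED_IN_CONSTANT = b"proprietary-pepper-v1"  # constructed placeholder value


def secret_algorithm_tag(message: bytes) -> bytes:
    return hashlib.sha256(message + _BAKED_IN_CONSTANT).digest()


# Design B (Kerckhoffs): the algorithm is public (HMAC-SHA256); the only secret
# is a key created at deployment time and stored outside the source tree.
def generate_key() -> bytes:
    return secrets.token_bytes(32)


def keyed_tag(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(expected: bytes, candidate: bytes) -> bool:
    # Constant-time comparison so timing does not leak the tag byte by byte.
    return hmac.compare_digest(expected, candidate)


def attacker_can_forge(design: str, knows_source: bool, knows_key: bool,
                       key: Optional[bytes] = None) -> bool:
    """Model what someone can do with a given amount of knowledge.

    The adversary builds a tag for MESSAGE using only what they know; the
    legitimate verifier then decides whether it is accepted.
    """
    if design == "secret-algorithm":
        genuine = secret_algorithm_tag(MESSAGE)
        if knows_source:
            forged = secret_algorithm_tag(MESSAGE)      # the source reveals everything
        else:
            forged = hashlib.sha256(MESSAGE).digest()   # best guess without the constant
        return verify(genuine, forged)
    if design == "kerckhoffs":
        if key is None:
            raise ValueError("design B needs a deployment key")
        genuine = keyed_tag(key, MESSAGE)
        if knows_key:
            forged = keyed_tag(key, MESSAGE)            # only the key holder can do this
        elif knows_source:
            forged = keyed_tag(b"\x00" * 32, MESSAGE)   # algorithm known, key guessed
        else:
            forged = hashlib.sha256(MESSAGE).digest()
        return verify(genuine, forged)
    raise ValueError(f"unknown design: {design}")


def recover_from_key_leak(old_key: bytes) -> bytes:
    """Under design B a leaked key is simply replaced; no code changes or
    redeployment of the algorithm is needed. Under design A the only remedy
    is to rewrite and redeploy the algorithm itself."""
    new_key = generate_key()
    if new_key == old_key:  # astronomically unlikely, but keep the contract explicit
        raise RuntimeError("key generation returned the old key")
    return new_key


if __name__ == "__main__":
    k = generate_key()
    print("A, source leaked:", attacker_can_forge("secret-algorithm", True, False))
    print("B, source leaked:", attacker_can_forge("kerckhoffs", True, False, k))
    print("B, key leaked:   ", attacker_can_forge("kerckhoffs", True, True, k))
```

The point the example makes is that design A is not “keyless”; its key is the constant, and publishing the source is equivalent to publishing the key for every installation at once. Design B survives publication of its source and, when a key does leak, recovers by rotation rather than by redesign.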
Obscurity in architecture vs. technique
As an architectural principle, security by obscurity is in essence insecure: the hidden secret, or unknown entity, becomes the key to unlocking the entire system, and once the enemy has that key they have access to everything. As a technique, security by obscurity is insecure when used in isolation, but when it forms one independent layer within a system’s architecture it can be an effective security measure. Camouflage is a useful comparison: it is a helpful security measure, but once someone can see through it, it no longer offers any protection unless there is additional protection underneath the camouflaged layer.
Good obscurity compared to bad obscurity
STO as the only method for protecting your assets is a bad idea, but used in conjunction with other security measures it can be a useful tool. Security by obfuscation makes reconnaissance by bad actors and unauthorised users harder: they will have a tougher time exploiting vulnerabilities in something they cannot see in the first place. These are real-life examples of security through obscurity:
- The door is locked, but the key is hidden under the doormat.
- Deploying decoy cars around the asset you are trying to protect, with only key players knowing which car the asset is contained within.
- Using a closed-source system whose inner workings only specific people know.
- Writing your password on a piece of paper and hiding it underneath your computer keyboard.
Good STO involves keeping the keys to your system less visible while ensuring that they are properly protected at the same time.
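The difference between bad and good obscurity can be shown with an unlisted administrative endpoint. The Python below is an added example, not code from the article: design 1 admits anyone who knows the unlisted path (the “key under the doormat”), while design 2 keeps the unlisted path as one layer but makes a credential check the deciding control, and treats any unauthenticated request that reaches the hidden path as a detection signal, since legitimate operators would have presented the token. The path, the token, the scanner’s path list and the IP addresses are constructed values for the demo.

```python
import hmac
from typing import Dict, List

# Constructed values for this demo; a real deployment loads them from configuration.
HIDDEN_ADMIN_PATH = "/ops-7f3a"          # obscurity layer: unlisted, never linked
ADMIN_TOKEN = "constructed-demo-token"   # real control: a credential the caller must present

# Constructed list of paths a generic mass scanner commonly tries. None of them
# is the unlisted path, which is the "probability reduction" obscurity buys.
COMMON_PROBES = ["/", "/admin", "/login", "/wp-login.php", "/.env", "/api/v1/status"]


def obscurity_only(path: str) -> bool:
    """Design 1 (bad obscurity): whoever knows the unlisted path is in."""
    return path == HIDDEN_ADMIN_PATH


class LayeredAdminEndpoint:
    """Design 2 (good obscurity): the unlisted path is one layer, and the token
    check is the layer that actually decides. Because legitimate operators know
    both the path and the token, an unauthenticated request that reaches the
    path is a high-signal event and is recorded for the SOC rather than
    silently rejected."""

    def __init__(self, token: str) -> None:
        self._token = token.encode()
        self.alerts: List[str] = []

    def handle(self, path: str, headers: Dict[str, str], source_ip: str) -> int:
        """Return an HTTP status code for the request."""
        if path != HIDDEN_ADMIN_PATH:
            return 404                      # obscurity layer: nothing to see here
        presented = headers.get("X-Admin-Token", "").encode()
        if not hmac.compare_digest(presented, self._token):
            # Path known but credential missing or wrong: either the path has
            # leaked or someone is probing; both are worth an alert.
            self.alerts.append(
                f"unauthenticated request to hidden admin path from {source_ip}"
            )
            return 403
        return 200                          # real control passed


def scan_outcomes(endpoint: LayeredAdminEndpoint, probes: List[str],
                  source_ip: str) -> Dict[int, int]:
    """Replay a scanner's path list against the layered endpoint and tally the
    status codes it would see."""
    tally: Dict[int, int] = {}
    for path in probes:
        status = endpoint.handle(path, {}, source_ip)
        tally[status] = tally.get(status, 0) + 1
    return tally


if __name__ == "__main__":
    ep = LayeredAdminEndpoint(ADMIN_TOKEN)
    print("scanner sees:", scan_outcomes(ep, COMMON_PROBES, "198.51.100.7"))
    print("leaked path, no token:", ep.handle(HIDDEN_ADMIN_PATH, {}, "198.51.100.7"))
    print("alerts:", ep.alerts)
```

Read together, the two designs map onto the article’s terms: the unlisted path lowers the probability that a scanner finds the endpoint at all, the token check limits the impact when the path does leak, and logging unauthenticated hits turns the leak itself into something the defenders notice.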
Criticism of STO
The IT environment is becoming increasingly complex, and more users need access, which increases the number of people “in the know.” More and more users also have advanced knowledge of how systems work, which can make it easy for them to guess the information that was withheld. For these reasons, STO is often criticised as an ineffective method, especially when used as the primary or only form of security. Once the key is discovered, the system is open and vulnerable to attack if STO is the only method protecting it; after discovery there is no more protection. Open source code is regularly used and widely available, and even the United States National Institute of Standards and Technology (NIST) does not recommend relying on closed source to secure software. Secrecy does not, on its own, equate to security.
Not a standalone security method
In short, security through obscurity by itself is not a good concept. It replaces actual security with secrecy, meaning that if anyone, such as a bad actor, learns the key or trick to the system, it is no longer secure. Security through obscurity can be a good complementary level of security when used in tandem with other security tools and measures. It should never be the only method of keeping your system secure, but it can add an extra layer of protection by keeping things hidden and less visible. Security through obscurity works as a probability reduction, lowering the odds of your system being hacked or compromised; this is different from impact reduction, which adds additional armour against a security compromise once it occurs. Overall, STO is a controversial topic that has some merit, but only when used properly and with additional higher-level security measures.