Thursday, May 26, 2016

Security through obscurity isn't security at all

I just wrapped up a great few days at the EnFuse conference and I'm sitting in the airport waiting for my flight to board.  In the meantime, I started reading an application for a temporary restraining order (TRO) trying to prevent a researcher from obtaining details provided in an RFP to a public entity (Seattle Light).

Don't reverse engineer our device
The TRO, if granted, would restrict the release of an unredacted copy of the RFP data.  The company, Sensus, doesn't want their security controls known.  However, they apparently forgot that bidding on a public contract where those details were part of the RFP would expose them to release.  If public money is being spent on the devices (and it is) and the public will be forced to use the devices (they will) then the public should have the opportunity to evaluate the security of the devices.

However, in it's plea to the court, Sensus makes it clear that one of their fears is reverse engineering of the devices.  

Secure encryption
But the real issue is that Sensus apparently believes that encryption can only be safe if nobody can examine it.  Consider this excerpt:

I suspect that at first glance this makes sense to some.  But of course we know that encryption is only safe when exposed to public review.  And even then, it may still contain vulnerabilities.  This statement alone puts Sensus in a delicate position to defend later.  The Sensus VP makes a declaration under penalty of perjury that releasing this data to the public would create a risk to cyber security since an attacker would compromise their encryption data.  

But if that's really the case (and not just hyperbole) then Sensus' encryption is fundamentally broken.  Another possible  option is that the Sensus' encryption deployment is completely secure but their VP simply doesn't understand what he's talking about.  Admitting that however would put Sensus in a delicate position since it would call into question the rest of their claims. 

Chilling effects
Finally, Sensus threatens that this required disclosure will have a chilling effect on it's participation in the public marketplace.  Sensus says that if they are required to disclose RFP submissions for public review, they will either withdraw from the market or charge a substantial premium to compete in it.

Honestly, neither of these options sounds that bad to me.  If Sensus removes itself from the public AMI market because their devices cannot withstand public security, we are probably all better served as consumers.  If Sensus imposes a substantial premium in its bids (as threatened) this isn't bad either.  Other companies who are not afraid of public security will step in to fill the void and again the public is better served.

Independent security evaluations
Just as the fox can't guard the henhouse, the engineers who build a product can't be responsible for evaluating its security.  Independent security evaluations are required, particularly before your devices and designs are subject to public scrutiny.  Rendition Infosec performs a number of these evaluations annually and we regularly find that engineers build products with what they were taught to be "best practices" that are in fact fundamentally insecure.  While the engineers say the product was built using the best the industry has to offer, security simply isn't understood.  Absent independent reviews, we all suffer.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.