This seems like it's missing the forest for the trees. The point of security measures is to make executing the attack more expensive than the expected payoff of successfully executing it.
What is the payoff here? Is the projector sold below cost and is the manufacturer recouping that via the cartridges? If not, what's the loss to them?
Regarding the proposed mitigations, I'm very doubtful on whether they would substantially change anything here:
> Use real crypto (AES-128 or lightweight stream) and make the cartridge carry per-title key (or an IV)
> Copying now requires cloning/extracting the original token secrets.
Sounds like a great idea, and fortunately we don't even need to speculate about whether it would work: Nintendo did this with Amiibo.
> If true anti-cloning matters, this requires an authenticated token (DESFire / NTAG 424 DNA class).
And where do you securely store the validation key for a symmetric encryption/authentication scheme? This would require adding a SAM to the projector as well.
The "use non-default NFC keys" suggestion shares the same problem: Where would you securely store these?
If your keys are in 3/4 parts, that's probably sufficient...
You bake in a public key for the device/projector... you sign the files on disk against the private key (for the encrypted hashcheck as a sanity check), you use an IV that combines with a secret key on the device to decrypt the file.
As long as you aren't too obvious, this would make the effort to play your own files at a different level without opening the device. Once you're willing to do that, you're probably going to be able to maybe just push your own firmware, which is a different issue.. assuming most of the internal are common/available hardware with relatively open/common reference implementations. For a $10/pound device, I'm guessing so.
In the end, it was probably as much about satisfying the content rights holders as anything else. If it looks like a lock, it doesn't matter if you can cut it off with scissors.
Actually, I think your point of view isn't that far off from what the article suggests. The goal shouldn't be to stop a state actor or a reverse engineering expert, but simply to meet basic business requirements at the same cost.
It's more about risk management, like raising the bar high enough so that the revenue model isn't affected by a bored casual user with a free Android app.
That said, your point is correct, it's difficult to make a robust DRM (it has taken industry giants quite some time to come up with models that remain “secure” for a certain amount of time)... but we are talking about a cheap toy, in which I don't think anyone would invest much more than a few hours trying to breach it.
TFA was pretty clear that this is an example which illustrates common issues in enterprise security. It even provides a handy table to map the similar patterns between this toy and a network appliance. No one’s arguing for stronger security in children’s toys, here.
> And here we have seen a few decisions that are really bad and, moreover, completely compromises the recurring sales business model of a large publishing group.
They're actually complaining the toy is bad and should've been more secure.
Exactly it's very junior mindset from the article author.
Where without giving consideration to the situation they are espousing "best practices". Best practice for what? A children's toy DRM for NFC tag? Come on....
At this point, I think that any good undergrad computer engineering education should include a class on practical security patterns, and design for security. Or, at the very least, training on when you need proactively call on a developer with better chops.
It would save the world so, so much grief and cheap insecure consumer devices. I will flip my lid if I see another kiddy-cam on Shodan.
Security has certain cost associated to implement it. That makes product more expensive without any additional market value. There must be certain external incentives to motivate spending extra effort
> Security has certain cost associated to implement it
The article makes a strong case that, at least for minimum viable/ordinary security measures, the cost is $0.
The projector in question wasn't missing features that would have consumed any amount of the issuing company's margin to implement; it was missing features that would have consumed at most a couple of meetings and a junior dev spending 30min watching the first three YouTube results for "consumer device security issues", and then another 30min copy/pasting standard mitigations into place.
If they'd done the basic due diligence of putting a lock on the metaphorical door, they wouldn't have even had to spend the QA cycles making sure the lock was secure (though that would be nice). But instead they opted to ship sans security entirely.
One of the fun things about the World Wide Web is that without specifically intending to do so we provided all of the Worst Case Scenario cryptographic properties, things a good cryptographic solution can cope with, but which were often treated as difficulties that aren't really worth worrying about because why would you need that?
For example, what kind of moron would put a secret you mustn't learn right next to data you can choose? A good solution wouldn't care, but surely a bad solution where that would cause a problem would never encounter real world scenarios where.... oh right HTTP Cookies
Good solutions won't lose security from repeating transactions, but while accidents might cause one or two repetitions surely no real world systems would need to withstand millions of... oh yeah, Javascript loops exist
A bit absurd really, the image of the manufacturer locking this down with robust security signed payloads and bootloaders is truly comical.
Unpopular opinion here: but this article is perfect proof of concept that when trying to take something to market you need a non technical person put the brakes on some technical teams.
> you need a non technical person put the brakes on some technical teams.
Can you expand on that? The general wisdom, true most places I and my peers have worked, is that non-technical business stakeholders are often the ones deprioritizing work that would reduce operational (including security) risk.
Technical teams are great at solving technical problems. And will always see more technical problems to solve.
This article is about how you can put jailbreaking this device out of the reach of a skilled reverse engineer, and require a skilled reverse engineer with some fancier technology. Ironically so it could be cracked by the same guy in all likelihood.
....Why?
There is no upside. Only costs.
This is obvious to anyone who's common sense isn't blinded by a mind geared to solving technical issues.
Presumably to secure the company selling the device’s revenue stream.
There’s a big difference between “any 10yo with $5 for an SD card can download a one-click app and jailbreak our projector” and “you have to be fairly technical to jailbreak our projector”.
Also, the article is more about drawing parallels to the enterprise software security space (where the “Why?” is large-to-existentially-large financial and regulatory risk to an organization that gets hacked) than explaining why this specific projector should be more tamper-proof.
You think a 10 year old is checking the Shannon entropy of some files and deducing that that a single byte xor key is being used? Reversing it and adding more MP4 files then writing NFC cards to play whatever they want?
Surely this is a perfect example of a losing sight of the wider picture.
The articles appeal to well if they do this with a €10 projector they'd do it with a €100,000 is again absolutely comical.
I don't think the the conclusion is right. It's just that the security had cost money, why pay a developer for 5 days when he can do it in 3 without proper security? There is no proper security needed, so don't pay for it. And thats exactly the same that happens with bigger software too. As long as it doesn't creates pain for the seller to sell insecure tools, they will stay insecure.
You might have a point regarding security in general but what is the specific problem here? It is your device to use as you please. I might be thrilled if all devices were as broken as this.
What is the payoff here? Is the projector sold below cost and is the manufacturer recouping that via the cartridges? If not, what's the loss to them?
Regarding the proposed mitigations, I'm very doubtful on whether they would substantially change anything here:
> Use real crypto (AES-128 or lightweight stream) and make the cartridge carry per-title key (or an IV)
> Copying now requires cloning/extracting the original token secrets.
Sounds like a great idea, and fortunately we don't even need to speculate about whether it would work: Nintendo did this with Amiibo.
> If true anti-cloning matters, this requires an authenticated token (DESFire / NTAG 424 DNA class).
And where do you securely store the validation key for a symmetric encryption/authentication scheme? This would require adding a SAM to the projector as well.
The "use non-default NFC keys" suggestion shares the same problem: Where would you securely store these?
You bake in a public key for the device/projector... you sign the files on disk against the private key (for the encrypted hashcheck as a sanity check), you use an IV that combines with a secret key on the device to decrypt the file.
As long as you aren't too obvious, this would make the effort to play your own files at a different level without opening the device. Once you're willing to do that, you're probably going to be able to maybe just push your own firmware, which is a different issue.. assuming most of the internal are common/available hardware with relatively open/common reference implementations. For a $10/pound device, I'm guessing so.
In the end, it was probably as much about satisfying the content rights holders as anything else. If it looks like a lock, it doesn't matter if you can cut it off with scissors.
It's more about risk management, like raising the bar high enough so that the revenue model isn't affected by a bored casual user with a free Android app.
That said, your point is correct, it's difficult to make a robust DRM (it has taken industry giants quite some time to come up with models that remain “secure” for a certain amount of time)... but we are talking about a cheap toy, in which I don't think anyone would invest much more than a few hours trying to breach it.
If that's the bar, I feel like the ad-hoc XOR "cipher" also did the job :)
> And here we have seen a few decisions that are really bad and, moreover, completely compromises the recurring sales business model of a large publishing group.
They're actually complaining the toy is bad and should've been more secure.
Where without giving consideration to the situation they are espousing "best practices". Best practice for what? A children's toy DRM for NFC tag? Come on....
It would save the world so, so much grief and cheap insecure consumer devices. I will flip my lid if I see another kiddy-cam on Shodan.
The article makes a strong case that, at least for minimum viable/ordinary security measures, the cost is $0.
The projector in question wasn't missing features that would have consumed any amount of the issuing company's margin to implement; it was missing features that would have consumed at most a couple of meetings and a junior dev spending 30min watching the first three YouTube results for "consumer device security issues", and then another 30min copy/pasting standard mitigations into place.
If they'd done the basic due diligence of putting a lock on the metaphorical door, they wouldn't have even had to spend the QA cycles making sure the lock was secure (though that would be nice). But instead they opted to ship sans security entirely.
For example, what kind of moron would put a secret you mustn't learn right next to data you can choose? A good solution wouldn't care, but surely a bad solution where that would cause a problem would never encounter real world scenarios where.... oh right HTTP Cookies
Good solutions won't lose security from repeating transactions, but while accidents might cause one or two repetitions surely no real world systems would need to withstand millions of... oh yeah, Javascript loops exist
Unpopular opinion here: but this article is perfect proof of concept that when trying to take something to market you need a non technical person put the brakes on some technical teams.
Can you expand on that? The general wisdom, true most places I and my peers have worked, is that non-technical business stakeholders are often the ones deprioritizing work that would reduce operational (including security) risk.
This article is about how you can put jailbreaking this device out of the reach of a skilled reverse engineer, and require a skilled reverse engineer with some fancier technology. Ironically so it could be cracked by the same guy in all likelihood.
....Why?
There is no upside. Only costs.
This is obvious to anyone who's common sense isn't blinded by a mind geared to solving technical issues.
Presumably to secure the company selling the device’s revenue stream.
There’s a big difference between “any 10yo with $5 for an SD card can download a one-click app and jailbreak our projector” and “you have to be fairly technical to jailbreak our projector”.
Also, the article is more about drawing parallels to the enterprise software security space (where the “Why?” is large-to-existentially-large financial and regulatory risk to an organization that gets hacked) than explaining why this specific projector should be more tamper-proof.
Surely this is a perfect example of a losing sight of the wider picture.
The articles appeal to well if they do this with a €10 projector they'd do it with a €100,000 is again absolutely comical.