Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security Communications Encryption Privacy

Anonabox Recalls Hundreds of Insecure 'Privacy' Routers 50

Sparrowvsrevolution writes: It turns out all those critics of the controversial Tor router project Anonabox might have been on to something. Late last month, Anonabox began contacting the first round of customers who bought its tiny, $100 privacy gadget to warn them of serious security flaws in the device, and to offer to ship them a more secure replacement free of charge. While the miniature routers do direct all of a user's Internet traffic over Tor as promised, the company says that its first batch lacked basic password protection, with no way to keep out unwanted users in Wi-Fi range. And worse yet, the faulty Anonaboxes use the hardcoded root password 'admin,' which allows any of those Wi-Fi intruders to completely hijack the device, snooping on or recording all of a user's traffic.

Anonabox's parent company, Sochutel, says that only 350 of the devices lacked that password protection, and that it's fixed the gaping security oversights in newer version of the router.

The initial security criticisms of Anonabox helped to convince Kickstarter to freeze the proejct's $600,000 crowdfunding campaign in October. But Anonabox relaunched on Indiegogo and was later acquired by the tech firm Sochutel. Sochutel claims that the security flaws in the routers developed prior to its acquisition of Anonabox were out of its control, and that it's now hiring outside auditors to check its products' security.
This discussion has been archived. No new comments can be posted.

Anonabox Recalls Hundreds of Insecure 'Privacy' Routers

Comments Filter:
  • Technically, they do have "privacy"--in a bathroom-at-Bill-Cosby's-house sort of way.

  • Translation ... (Score:5, Interesting)

    by gstoddart ( 321705 ) on Wednesday April 08, 2015 @08:12AM (#49428459) Homepage

    Security is hard, and it was more profitable to push crap out the door than actually do what we promised.

    Honestly, TFS makes it sound like someone slapped together something and either naively believed they'd made something secure .. or straight up lied about having made something secure.

    No wifi password and default admin passwords? That's pretty pathetic for something which purports to be a security/privacy tool.

    Sounds like someone wrote the marketing literature before creating the product.

    • by adolf ( 21054 )

      This level of security isn't hard. At all.

      What I think happened: COTS router was procured, cheap (Alibaba), and some kid was asked "Hey, kid: Do you think you can make this thing route everything over Tor?"

      Kid agrees, and Kickstarter/Indigogo campaign happens.

      Said kid then went through some Tomato source or forum posts, found the not-so-difficult bits that make Tor happen, implemented that (and only that) as requested, and said "I'll be taking that Porsche you offered me now, and it would be nice if you

  • by Anonymous Coward

    Sochutel acquired a security-focused product in the middle of its development cycle and obviously didn't either retain or maintain an appropriate relationship with the development team that was working on it at the time. As a result, the final product had a bunch of dev environment sloppiness that should have been cleaned up before moving it into production. This is the most basic level of IT project management, and entirely within their control.

  • Outside auditors? Just log into the damn thing. If admin works and you can't change it, it's bad. You don't really need to go to outside help for that. Oh and see if the wifi broadcasts as open with no way to change it. That's not exactly hard.
    • And once they fix those two things, it'll be 100% secure with no need to test! Brilliant!
      • No, the point is that if such obvious problems exist, the whole product is likely brain-damaged junk not worth repairing.
    • No. Security is hard. Security in any system is just that, systemic and it's pervasive! Hence, fixing a hard coded admin password and default OPEN WiFi network has, righlty so, scared the beejesus out of this company- prompting them to do a full security audit of the code (hopefully.)

      If you can't do the "simple" security fixes, there are far, far, worse security concerns lurking underneath- or in accounting, or maybe the front door to the company has this hitch in it where it doesn't lock just right.

    • Technically you can't log in to it - every access to the Web gui and/or ssh has been "blocked" (only they forgot IPv6).

      Firmware ripped out is here: Github [github.com]

  • National Security Auditing, perhaps?
  • by Lumpy ( 12016 ) on Wednesday April 08, 2015 @09:00AM (#49428779) Homepage

    Why not just do a firmware update via the admin web interface?

    Why in the world would you ship them back to have this done?

  • Analysis (Score:5, Informative)

    by lars_boegild_thomsen ( 632303 ) <lth@@@cow...dk> on Wednesday April 08, 2015 @09:07AM (#49428823) Homepage Journal

    Well, since it wasn't linked in the summary above, I'll do a shameless self-plug here:

    Anonabox Analysis [reclaim-your-privacy.com]

    And yes - I am the author of that analysis, so if anybody got questions I'll be happy to respond here.

    • Somebody mod parent up already. I'm all out of points.
  • by koan ( 80826 )

    Security holes...

    If they fucked up that bad, over things this simple, I would NEVER use their gear.

    • It's funny when not having security at all is referred to as a "security hole." That's like me not building a water dam at all, and then saying "there's a hole in the dam allowing some water passed."
  • Did no one test this security device for security before shipping it? Does this episode demonstrate the perls of outsourcing your developement to some newly qualified intern in the far east?

    What is OpenWrt? [openwrt.org]
  • This is apparently the cheapest trash they could make, with security problems so obvious that even a novice pen-tester would find them in the first few minutes. They cannot have had a single competent security expert involved in development. The words "gross negligence" and "fraud" come to mind.

Fast, cheap, good: pick two.

Working...