Anonabox Recalls Hundreds of Insecure 'Privacy' Routers
Sparrowvsrevolution writes: It turns out all those critics of the controversial Tor router project Anonabox might have been on to something. Late last month, Anonabox began contacting the first round of customers who bought its tiny, $100 privacy gadget to warn them of serious security flaws in the device, and to offer to ship them a more secure replacement free of charge. While the miniature routers do direct all of a user's Internet traffic over Tor as promised, the company says that its first batch lacked basic password protection, with no way to keep out unwanted users in Wi-Fi range. And worse yet, the faulty Anonaboxes use the hardcoded root password 'admin,' which allows any of those Wi-Fi intruders to completely hijack the device, snooping on or recording all of a user's traffic.
Anonabox's parent company, Sochutel, says that only 350 of the devices lacked that password protection, and that it's fixed the gaping security oversights in a newer version of the router.
The initial security criticisms of Anonabox helped to convince Kickstarter to freeze the project's $600,000 crowdfunding campaign in October. But Anonabox relaunched on Indiegogo and was later acquired by the tech firm Sochutel. Sochutel claims that the security flaws in the routers developed prior to its acquisition of Anonabox were out of its control, and that it's now hiring outside auditors to check its products' security.
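The two defects the summary describes, an open Wi-Fi network and a root account that any Wi-Fi neighbour can log into, are both visible in the router's configuration files before the device ever ships. The following is an added example (not code from the Anonabox firmware or from Sochutel) that audits an OpenWrt-style `/etc/config/wireless` and `/etc/shadow` for exactly those conditions. The configuration text and the shadow line are constructed samples; the 12-character minimum for a pre-shared key is an assumed policy threshold. Checking a hash against a known default password such as 'admin' would need a crypt(3) implementation and is left out.

```python
"""Audit an OpenWrt-style router config for an open Wi-Fi AP and a
password-less root account. Added example; samples below are constructed."""
import re

# Constructed /etc/config/wireless in UCI syntax: one open AP, one AP with a
# short pre-shared key. Not the real Anonabox configuration.
SAMPLE_WIRELESS = """\
config wifi-device 'radio0'
	option type 'mac80211'
	option channel '6'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'anonabox'
	option encryption 'none'

config wifi-iface 'guest'
	option device 'radio0'
	option mode 'ap'
	option ssid 'guest'
	option encryption 'psk2'
	option key 'short'
"""

# Constructed /etc/shadow: an empty second field means "no password set".
SAMPLE_SHADOW = "root::0:0:99999:7:::\ndaemon:*:0:0:99999:7:::\n"

MIN_PSK_LENGTH = 12  # assumed policy threshold, not a project setting


def parse_uci(text):
    """Parse UCI text into a list of (section_type, section_name, options).
    Handles single-quoted, double-quoted and bare option values."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"config\s+(\S+)(?:\s+'([^']*)')?", line)
        if m:
            sections.append((m.group(1), m.group(2), {}))
            continue
        m = re.match(r"option\s+(\S+)\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))", line)
        if m and sections:
            value = next(v for v in m.groups()[1:] if v is not None)
            sections[-1][2][m.group(1)] = value
    return sections


def audit_wireless(text):
    """Flag access-point interfaces with no encryption or a short PSK."""
    findings = []
    for stype, name, opts in parse_uci(text):
        if stype != "wifi-iface" or opts.get("mode") != "ap":
            continue
        enc = opts.get("encryption", "none")  # UCI default is no encryption
        if enc == "none":
            findings.append(f"{name}: open network (encryption 'none')")
        elif enc.startswith("psk") and len(opts.get("key", "")) < MIN_PSK_LENGTH:
            findings.append(f"{name}: pre-shared key shorter than {MIN_PSK_LENGTH} characters")
    return findings


def audit_shadow(text):
    """Flag accounts whose hash field is empty, i.e. no password required."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, pw_hash = fields[0], fields[1]
        if pw_hash == "":
            findings.append(f"{user}: empty password hash (no password required)")
    return findings


if __name__ == "__main__":
    for finding in audit_wireless(SAMPLE_WIRELESS) + audit_shadow(SAMPLE_SHADOW):
        print("FINDING:", finding)
```

Run against a real device by feeding it the contents of `/etc/config/wireless` and `/etc/shadow` pulled from the firmware image; the parser ignores sections it does not recognise, so other UCI files pass through harmlessly.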
Re: (Score:1)
I shed a tear when I realized I had no mod points left :-/
Well, they do offer a sort-of-kind-of privacy (Score:2, Funny)
Technically, they do have "privacy"--in a bathroom-at-Bill-Cosby's-house sort of way.
Translation ... (Score:5, Interesting)
Security is hard, and it was more profitable to push crap out the door than actually do what we promised.
Honestly, TFS makes it sound like someone slapped together something and either naively believed they'd made something secure .. or straight up lied about having made something secure.
No wifi password and default admin passwords? That's pretty pathetic for something which purports to be a security/privacy tool.
Sounds like someone wrote the marketing literature before creating the product.
Re: (Score:2)
This level of security isn't hard. At all.
What I think happened: COTS router was procured, cheap (Alibaba), and some kid was asked "Hey, kid: Do you think you can make this thing route everything over Tor?"
Kid agrees, and Kickstarter/Indigogo campaign happens.
Said kid then went through some Tomato source or forum posts, found the not-so-difficult bits that make Tor happen, implemented that (and only that) as requested, and said "I'll be taking that Porsche you offered me now, and it would be nice if you
"Out of their control" ....BS (Score:1)
Sochutel acquired a security-focused product in the middle of its development cycle and obviously didn't either retain or maintain an appropriate relationship with the development team that was working on it at the time. As a result, the final product had a bunch of dev environment sloppiness that should have been cleaned up before moving it into production. This is the most basic level of IT project management, and entirely within their control.
Re:"Out of their control" ....BS (Score:4, Insightful)
The real problem is that Sochutel failed to identify their acquisition as snake oil in the first place. It wasn't "security-focused", it was profit-focused from beginning to end.
Re: (Score:2)
Why do you think ANY company looks at acquiring another company? PROFIT.
Re: (Score:3)
So what? There's nothing wrong with making money. There is something wrong with screwing up as badly as Sochutel did.
Re: (Score:2)
Unless it's a non-profit, it's profit focused. If you work and get paid, you are profit focused.
orly? (Score:2)
No. Security is hard. Security in any system is just that, systemic and it's pervasive! Hence, fixing a hard coded admin password and default OPEN WiFi network has, rightly so, scared the beejesus out of this company- prompting them to do a full security audit of the code (hopefully.)
If you can't do the "simple" security fixes, there are far, far, worse security concerns lurking underneath- or in accounting, or maybe the front door to the company has this hitch in it where it doesn't lock just right.
Re: (Score:3)
Technically you can't log in to it - every access to the Web gui and/or ssh has been "blocked" (only they forgot IPv6).
Firmware ripped out is here: Github [github.com]
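The point in the comment above, that the management interfaces were "blocked" for IPv4 only, is a classic dual-stack gap: `iptables` rules say nothing about IPv6, which needs its own `ip6tables` rules. The following is an added example (not the Anonabox firmware's own code, nor from the GitHub dump linked above) that takes `iptables-save` and `ip6tables-save` style output and reports which management ports are still reachable from the Wi-Fi interface in each address family. Both rule dumps are constructed; the interface name `wlan0` and the management ports 22 and 80 are assumptions. Rule order within a chain is not modelled, so a chain that both ACCEPTs and DROPs the same port is reported as exposed.

```python
"""Check that management ports are blocked on an interface for BOTH IPv4 and
IPv6. Added example; the rule dumps are constructed, not from a real device."""
import re

# Constructed iptables-save output: SSH and HTTP dropped on the Wi-Fi side.
IPTABLES_V4 = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i wlan0 -p tcp --dport 22 -j DROP
-A INPUT -i wlan0 -p tcp -m multiport --dports 80,443 -j DROP
COMMIT
"""

# Constructed ip6tables-save output: the IPv6 side was simply forgotten.
IP6TABLES_V6 = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

MGMT_PORTS = (22, 80)  # assumed management ports: SSH and the web GUI


def input_policy(save_text):
    """Default policy of the INPUT chain (ACCEPT or DROP)."""
    m = re.search(r"^:INPUT\s+(\w+)", save_text, re.M)
    return m.group(1) if m else "ACCEPT"


def rule_ports(save_text, iface, targets):
    """TCP destination ports that INPUT rules on `iface` send to one of
    `targets`. Understands --dport N and -m multiport --dports A,B,C."""
    ports = set()
    for line in save_text.splitlines():
        if not line.startswith("-A INPUT"):
            continue
        if f"-i {iface}" not in line or " -p tcp" not in line:
            continue
        if not re.search(r"-j (%s)\b" % "|".join(targets), line):
            continue
        m = re.search(r"--dports?\s+([\d,]+)", line)
        if m:
            ports.update(int(p) for p in m.group(1).split(","))
    return ports


def exposed_ports(save_text, iface, mgmt_ports):
    """Management ports reachable on `iface` given this family's rules."""
    policy = input_policy(save_text)
    accepted = rule_ports(save_text, iface, ("ACCEPT",))
    dropped = rule_ports(save_text, iface, ("DROP", "REJECT"))
    exposed = []
    for port in mgmt_ports:
        if port in accepted or (policy == "ACCEPT" and port not in dropped):
            exposed.append(port)
    return exposed


def dual_stack_exposure(v4_text, v6_text, iface="wlan0", mgmt_ports=MGMT_PORTS):
    """Per-family list of management ports still open on `iface`.
    An empty list for every family is the desired result."""
    return {
        "ipv4": exposed_ports(v4_text, iface, mgmt_ports),
        "ipv6": exposed_ports(v6_text, iface, mgmt_ports),
    }


if __name__ == "__main__":
    for family, ports in dual_stack_exposure(IPTABLES_V4, IP6TABLES_V6).items():
        status = "OK" if not ports else f"EXPOSED on ports {ports}"
        print(f"{family}: {status}")
```

On a live box the same check is a matter of piping `iptables-save` and `ip6tables-save` into the two functions; the fix for the constructed case is either a matching `ip6tables -A INPUT -i wlan0 ...` rule set or a default DROP policy on both families.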
Outside auditors? (Score:2)
Why? (Score:3)
Why not just do a firmware update via the admin web interface?
Why in the world would you ship them back to have this done?
Analysis (Score:5, Informative)
Well, since it wasn't linked in the summary above, I'll do a shameless self-plug here:
Anonabox Analysis [reclaim-your-privacy.com]
And yes - I am the author of that analysis, so if anybody got questions I'll be happy to respond here.
Re: (Score:3)
Yeah, I did consider that one myself :) And, well - I can add the following (and then let everybody make up their own mind).
1. We did pledge on the Indiegogo campaign
2. The Anonabox was received on Apr. 1 in UK (the date was funny)
3. I received it about 2 days ago from UK (I live in Malaysia)
4. Anonabox mentioned nothing about recalls before I posted the analysis
5. There _was_ bitching in Indiegogo comments about the lack of WiFi passwords/encryption and there was a mention that if anybody wanted a passwor
Re: (Score:2)
Forgot: And I have now tried hard to find anybody owning one of the "fixed" boxes so I can check that out. So far no luck. I assume the particular device I've got is seriously out of warranty.
So let me repeat that here - I would very much like to hear from ANYBODY who has received one of the "fixed" boxes and I would very much like to borrow that for a short while :)
Gaping (Score:2)
Security holes...
If they fucked up that bad, over things this simple, I would NEVER use their gear.
Security device not secure .. (Score:1)
What is OpenWrt? [openwrt.org]
Re: (Score:1)
I suspect the crisis team consists of some uni student who scraped the code off the Intertubes
Cheapest trash possible (Score:2)
This is apparently the cheapest trash they could make, with security problems so obvious that even a novice pen-tester would find them in the first few minutes. They cannot have had a single competent security expert involved in development. The words "gross negligence" and "fraud" come to mind.
Re: (Score:2)
the Prey App
Is this something running on your computer where it's capable of bypassing whatever network configuration you've got?
Re: (Score:2)
If it's antitheft software then at a minimum I'd expect it to be running as administrator and phoning home every few minutes reporting the last 5 networks it was connected to and every wireless AP it can see along with signal strengths for wifi geolocation/triangulation. At a minimum.
Any program you're running could do most of that (except maybe tap into the wireless AP list without admin access).
Re: (Score:1)
I use the free tracking service preproject.com and it places my laptop within 300ft no matter how I try to hide it. HOW?
I'm pretty sure Prey uses a database of known wifi networks and their locations. For example, the Google Maps cars don't just take pictures, they also record a fingerprint of every 802.11 network they encounter; SSID, coordinates, the router's MAC address. There are public crowdsourced databases that do this, too. If you power up your computer and you're in range of a wireless network that's in one of these databases, Prey will locate you that way.
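The mechanism described in the reply above, matching the access points a laptop can see against a database of known BSSIDs and their coordinates, can be shown in a few lines. The following is an added example, not Prey's code and not any real geolocation service's API. The access-point database and the scan result are constructed; the log-distance path-loss parameters (a reference power of -30 dBm and an exponent of 2.5) are assumed values chosen to weight closer, stronger access points more heavily. Real services use crowdsourced databases with far more entries and better-calibrated models.

```python
"""Locate a device from the Wi-Fi access points it can see by looking up their
BSSIDs in a database of known coordinates and taking an RSSI-weighted
centroid. Added example; the database and scan below are constructed."""
import math

# Constructed BSSID -> (latitude, longitude) database. Real services build
# this from wardriving and crowdsourced scans, as the comment above describes.
KNOWN_APS = {
    "00:11:22:33:44:01": (3.1390, 101.6869),
    "00:11:22:33:44:02": (3.1395, 101.6875),
    "00:11:22:33:44:03": (3.1385, 101.6860),
}

# Constructed scan result: (bssid, RSSI in dBm). The last AP is unknown to
# the database and must be ignored rather than break the estimate.
SAMPLE_SCAN = [
    ("00:11:22:33:44:01", -45),
    ("00:11:22:33:44:02", -70),
    ("aa:bb:cc:dd:ee:ff", -50),
]

REF_POWER_DBM = -30.0   # assumed received power at 1 m
PATH_LOSS_EXP = 2.5     # assumed indoor/urban path-loss exponent


def estimated_distance_m(rssi_dbm):
    """Log-distance path-loss model: distance = 10^((Pref - RSSI) / (10 n))."""
    return 10 ** ((REF_POWER_DBM - rssi_dbm) / (10 * PATH_LOSS_EXP))


def estimate_position(scan, database=KNOWN_APS):
    """Return (lat, lon, n_matched) from an RSSI-weighted centroid of the
    known access points, or None when nothing in the scan is in the database.
    Weight is 1/distance so a -45 dBm AP counts 10x more than a -70 dBm one."""
    weight_sum = 0.0
    lat_sum = 0.0
    lon_sum = 0.0
    matched = 0
    for bssid, rssi in scan:
        coords = database.get(bssid.lower())
        if coords is None:
            continue  # unknown AP: contributes nothing
        w = 1.0 / estimated_distance_m(rssi)
        lat_sum += w * coords[0]
        lon_sum += w * coords[1]
        weight_sum += w
        matched += 1
    if matched == 0:
        return None
    return (lat_sum / weight_sum, lon_sum / weight_sum, matched)


if __name__ == "__main__":
    result = estimate_position(SAMPLE_SCAN)
    if result:
        lat, lon, n = result
        print(f"estimated position {lat:.6f}, {lon:.6f} from {n} known AP(s)")
    else:
        print("no known access points in range")
```

The defensive takeaway is the one the thread implies: a laptop's BSSID neighbourhood alone is enough to place it within a block, so "hiding" it on the network does not move it on the map, and stripping a device of its own location data does nothing about the surrounding access points.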