Slashdot Mirror


Anonabox Recalls Hundreds of Insecure 'Privacy' Routers

Sparrowvsrevolution writes: It turns out all those critics of the controversial Tor router project Anonabox might have been on to something. Late last month, Anonabox began contacting the first round of customers who bought its tiny, $100 privacy gadget to warn them of serious security flaws in the device, and to offer to ship them a more secure replacement free of charge. While the miniature routers do direct all of a user's Internet traffic over Tor as promised, the company says that its first batch lacked basic password protection, with no way to keep out unwanted users in Wi-Fi range. And worse yet, the faulty Anonaboxes use the hardcoded root password 'admin,' which allows any of those Wi-Fi intruders to completely hijack the device, snooping on or recording all of a user's traffic.

Anonabox's parent company, Sochutel, says that only 350 of the devices lacked that password protection, and that it's fixed the gaping security oversights in newer versions of the router.

The initial security criticisms of Anonabox helped to convince Kickstarter to freeze the project's $600,000 crowdfunding campaign in October. But Anonabox relaunched on Indiegogo and was later acquired by the tech firm Sochutel. Sochutel claims that the security flaws in the routers developed prior to its acquisition of Anonabox were out of its control, and that it's now hiring outside auditors to check its products' security.

50 comments

  1. Well, they do offer a sort-of-kind-of privacy by NotDrWho · · Score: 1, Funny

    Technically, they do have "privacy"--in a bathroom-at-Bill-Cosby's-house sort of way.

    --
    SJW's don't eliminate discrimination. They just expropriate it for themselves.
    1. Re:Well, they do offer a sort-of-kind-of privacy by ckatko · · Score: 1

      And the low-effort of the day joke award goes to... someone else, sorry. This wasn't good enough.

  2. Translation ... by gstoddart · · Score: 5, Interesting

    Security is hard, and it was more profitable to push crap out the door than actually do what we promised.

    Honestly, TFS makes it sound like someone slapped together something and either naively believed they'd made something secure .. or straight up lied about having made something secure.

    No wifi password and default admin passwords? That's pretty pathetic for something which purports to be a security/privacy tool.

    Sounds like someone wrote the marketing literature before creating the product.

    --
    Lost at C:>. Found at C.
    1. Re:Translation ... by Anonymous Coward · · Score: 0

      It's a Crowd-funding campaign: that's sort of the point.

      Kickstarter is a horse track for gadget lovers and art benefactors. You're betting on the horse before it leaves the gate or it would just be a retail experience with long backorder lead times.

    2. Re:Translation ... by adolf · · Score: 1

      This level of security isn't hard. At all.

      What I think happened: COTS router was procured, cheap (Alibaba), and some kid was asked "Hey, kid: Do you think you can make this thing route everything over Tor?"

      Kid agrees, and Kickstarter/Indiegogo campaign happens.

      Said kid then went through some Tomato source or forum posts, found the not-so-difficult bits that make Tor happen, implemented that (and only that) as requested, and said "I'll be taking that Porsche you offered me now, and it would be nice if you stuffed it with hookers and blow before delivery."

      Product then ships with every gaping and elementary security flaw that the original Chinglish firmware had, PLUS automagic Tor....because "privacy."

      The proceeds and remaining startup cash were then burned by the founders during a crazy weekend in Dubai. And that's that.

      Many of us here can "create" such a device without these problems before we're even finished with our first pot of coffee or get through a half bowl of cigarettes. But we wouldn't bother: We'd just post the sources and binaries on Github and make mention on the appropriate forums, and switch Mythbusters on in the TV in the basement and have a nice mid-morning nap.

  3. "Out of their control" ....BS by Anonymous Coward · · Score: 1

    Sochutel acquired a security-focused product in the middle of its development cycle and obviously didn't either retain or maintain an appropriate relationship with the development team that was working on it at the time. As a result, the final product had a bunch of dev environment sloppiness that should have been cleaned up before moving it into production. This is the most basic level of IT project management, and entirely within their control.

    1. Re:"Out of their control" ....BS by Ignacio · · Score: 3, Insightful

      The real problem is that Sochutel failed to identify their acquisition as snake oil in the first place. It wasn't "security-focused", it was profit-focused from beginning to end.

    2. Re:"Out of their control" ....BS by Khyber · · Score: 1

      Why do you think ANY company looks at acquiring another company? PROFIT.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    3. Re:"Out of their control" ....BS by dugancent · · Score: 1

      Unless it's a non-profit, it's profit focused. If you work and get paid, you are profit focused.

      --
      SJWs are the new boogeyman. -Me
    4. Re:"Out of their control" ....BS by Anonymous Coward · · Score: 0

      Um... no. There are plenty of nonprofits with payrolls. There are plenty of workers who don't accumulate wealth, instead merely getting enough cash for their labor to continue eating.

    5. Re:"Out of their control" ....BS by Ignacio · · Score: 2

      So what? There's nothing wrong with making money. There is something wrong with screwing up as badly as Sochutel did.

    6. Re:"Out of their control" ....BS by Anonymous Coward · · Score: 0

      There was no acquisition. It's the same people, just trying to whitewash the past:
      https://twitter.com/AsherLangt...
      And not the first time for Sochutel:
      https://twitter.com/AsherLangt...

  4. Re:Open sores, LOL by Anonymous Coward · · Score: 0

    I would have thought that the biggest concern was that most tor exit nodes were run by the NSA and other security organisations.

  5. A fool and his money are soon parted by Anonymous Coward · · Score: 0

    Get a real router and learn how to set it up properly.

  6. orly? by slashmydots · · Score: 1

    Outside auditors? Just log into the damn thing. If admin works and you can't change it, it's bad. You don't really need to go to outside help for that. Oh and see if the wifi broadcasts as open with no way to change it. That's not exactly hard.

    1. Re:orly? by oodaloop · · Score: 1

      And once they fix those two things, it'll be 100% secure with no need to test! Brilliant!

      --
      Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
    2. Re:orly? by Anonymous Coward · · Score: 0

      Outside auditors because they already burned their one "trust us that we will protect our brand credibility" card.

      It's intended to whitewash their own lack of credibility with the idea that an independent auditor will care more about their reputation than they do about pandering to the conflict of interest that hired them.

    3. Re:orly? by drunk_punk · · Score: 1

      No. Security is hard. Security in any system is just that, systemic and it's pervasive! Hence, fixing a hard coded admin password and default OPEN WiFi network has, rightly so, scared the beejesus out of this company- prompting them to do a full security audit of the code (hopefully.)

      If you can't do the "simple" security fixes, there are far, far, worse security concerns lurking underneath- or in accounting, or maybe the front door to the company has this hitch in it where it doesn't lock just right.

    4. Re:orly? by lars_boegild_thomsen · · Score: 2

      Technically you can't log in to it - every access to the Web gui and/or ssh has been "blocked" (only they forgot IPv6).

      Firmware ripped out is here: Github

    5. Re:orly? by BarbaraHudson · · Score: 1

      No, the point is that if such obvious problems exist, the whole product is likely brain-damaged junk not worth repairing.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
  7. Outside auditors? by YuppieScum · · Score: 1

    National Security Auditing, perhaps?

    --
    This sig left unintentionally blank.
  8. Why? by Lumpy · · Score: 2

    Why not just do a firmware update via the admin web interface?

    Why in the world would you ship them back to have this done?

    --
    Do not look at laser with remaining good eye.
    1. Re:Why? by Anonymous Coward · · Score: 0

      Why not just do a firmware update via the admin web interface?

      Why in the world would you ship them back to have this done?

      Because there is no admin Web UI interface on IPv4 available, and most people are not comfortable typing in link local IPv6 addresses.

  9. Re:Open sores, LOL by zidium · · Score: 1

    I shed a tear when I realized I had no mod points left :-/

    --
    Slashdot Valentines Beta Massacre: iT WORKED! The boycotts killed Beta!!
  10. Analysis by lars_boegild_thomsen · · Score: 5, Informative

    Well, since it wasn't linked in the summary above, I'll do a shameless self-plug here:

    Anonabox Analysis

    And yes - I am the author of that analysis, so if anybody got questions I'll be happy to respond here.

    1. Re:Analysis by Anonymous Coward · · Score: 0

      Well, since it wasn't linked in the summary above, I'll do a shameless self-plug here:

      Anonabox Analysis

      And yes - I am the author of that analysis, so if anybody got questions I'll be happy to respond here.

      What is the probability that Anonabox sends one of the 350 of 1500 defect units to its competitor, although Anonabox has known about this flaw for "weeks"? I bet they lie about the "we have known this for weeks" as well as everything else....

    2. Re:Analysis by oodaloop · · Score: 1

      Somebody mod parent up already. I'm all out of points.

      --
      Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
    3. Re:Analysis by lars_boegild_thomsen · · Score: 2

      Yeah, I did consider that one myself :) And, well - I can add the following (and then let everybody make up their own mind).

      1. We did pledge on the Indiegogo campaign

      2. The Anonabox was received on Apr. 1 in UK (the date was funny)

      3. I received it about 2 days ago from UK (I live in Malaysia)

      4. Anonabox mentioned nothing about recalls before I posted the analysis

      5. There _was_ bitching in Indiegogo comments about the lack of WiFi passwords/encryption and there was a mention that if anybody wanted a password he could send the unit back and Anonabox would add one.

      6. To this date the one who ordered the Anonabox has not received any direct mail with a recall (albeit there could be a reason for that in this particular case)

    4. Re:Analysis by lars_boegild_thomsen · · Score: 1

      Forgot: And I have now tried hard to find anybody owning one of the "fixed" boxes so I can check that out. So far no luck. I assume the particular device I've got is seriously out of warranty.

      So let me repeat that here - I would very much like to hear from ANYBODY who has received one of the "fixed" boxes and I would very much like to borrow that for a short while :)

    5. Re:Analysis by Anonymous Coward · · Score: 0

      Nice (and fast) work. There are a lot of questionable decisions there.

    6. Re:Analysis by Anonymous Coward · · Score: 0

      option ssid 'anbx1424833770', I think the "random" ssid is my favorite part (yes encryption 'none' is worse, but not as funny)
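
The `option ssid` and `encryption 'none'` values quoted in the comment above are OpenWrt UCI wireless settings. As an added example (not from the thread or from the analysis it discusses), this audits such a config for open access points; the sample config is constructed around those two quoted values, and reading a trailing 10-digit SSID suffix as a Unix timestamp is an assumption of this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample in OpenWrt UCI syntax. Only the ssid value and
# encryption 'none' come from the comment above; the rest is filler.
SAMPLE_WIRELESS = """\
config wifi-device 'radio0'

config wifi-iface
    option device 'radio0'
    option mode 'ap'
    option ssid 'anbx1424833770'
    option encryption 'none'

config wifi-iface
    option device 'radio0'
    option mode 'ap'
    option ssid 'example-fixed'
    option encryption 'psk2'
    option key 'constructed-passphrase'
"""

LINE = re.compile(r"^\s*(config|option)\s+(\S+)(?:\s+(.*))?$")

def parse_uci(text):
    """Return a list of (section_type, options_dict) from UCI config text."""
    sections = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # blank lines, comments and 'list' entries are skipped
        kind, name, value = m.groups()
        value = (value or "").strip().strip("'\"")
        if kind == "config":
            sections.append((name, {}))
        elif sections:
            sections[-1][1][name] = value
    return sections

def audit_wireless(text):
    """Return (ssid, finding) pairs for every interface in access-point mode."""
    findings = []
    for stype, opts in parse_uci(text):
        if stype != "wifi-iface" or opts.get("mode") != "ap":
            continue
        ssid = opts.get("ssid", "")
        enc = opts.get("encryption", "none")  # treated as open when unset
        if enc == "none":
            findings.append((ssid, "open network: encryption is 'none'"))
        elif enc.startswith("psk") and len(opts.get("key", "")) < 8:
            findings.append((ssid, "PSK mode without a usable key"))
        # Assumption: a trailing 10-digit run is checked as a Unix timestamp.
        m = re.search(r"(\d{10})$", ssid)
        when = m and datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
        if when and 2000 <= when.year <= 2037:
            findings.append((ssid, f"ssid suffix parses as Unix time {when:%Y-%m-%d}"))
    return findings

if __name__ == "__main__":
    print(*audit_wireless(SAMPLE_WIRELESS), sep="\n")
```
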

    7. Re:Analysis by Anonymous Coward · · Score: 0

      Just a minor mistake:
      At the step "Breaking and Entering", you didn't actually ping and nmap the LAN IP of your box, but the host behind the public IP, as indicated by the long ping time, the hostname which nmap dutifully resolved for you and the fact that it took 13 hops to reach it.
      Other than that, I really liked the rest of your article. Thank you very much for taking the time to write it up!

  11. Gaping by koan · · Score: 2

    Security holes...

    If they fucked up that bad, over things this simple, I would NEVER use their gear.

    --
    "If any question why we died, Tell them because our fathers lied."
    1. Re:Gaping by ckatko · · Score: 1

      It's funny when not having security at all is referred to as a "security hole." That's like me not building a water dam at all, and then saying "there's a hole in the dam allowing some water past."

  12. Security device not secure .. by DougPaulson · · Score: 1

    Did no one test this security device for security before shipping it? Does this episode demonstrate the perils of outsourcing your development to some newly qualified intern in the far east?

    What is OpenWrt?

    1. Re:Security device not secure .. by Anonymous Coward · · Score: 0

      Did no one test this security device for security before shipping it? Does this episode demonstrate the perils of outsourcing your development to some newly qualified intern in the far east?

      If you don't know what you are doing, then you don't know what to test for. Anonabox crisis team meeting; "IPv6??? What is that? Why didn't anyone say anything about it? Where did that come from?"

    2. Re:Security device not secure .. by DougPaulson · · Score: 1

      @anon: 'If you don't know what you are doing, then you don't know what to test for. Anonabox crisis team meeting; "IPv6??? What is that? Why didn't anyone say anything about it? Where did that come from?"'

      I suspect the crisis team consists of some uni student who scraped the code off the Intertubes :) Seriously Anonabox, if you are serious about security, then hire a pen testing team that does nothing but hammers on your device seeking out potential security vulnerabilities. At the end of about ten months then you can declare it as safe as is humanly possible. But then again no one, including the major players does this. The usual method is, if it compiles then ship it and fix the (user reported) bugs in the next version.

  13. Cheapest trash possible by gweihir · · Score: 1

    This is apparently the cheapest trash they could make, with security problems so obvious that even a novice pen-tester would find them in the first few minutes. They cannot have had a single competent security expert involved in development. The words "gross negligence" and "fraud" come to mind.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  14. Traceability? by Anonymous Coward · · Score: 0

    I am very curious about using this or a VPN service and knowing just how traceable my connection is. Bear with me, I want to explain my home set up and ask your expert insight...

    I use PrivateInternetAccess.com whenever I leave my home network. I understand that the first hop is not obfuscated but after that I should appear to be anywhere that I choose (from their selections). And if I go to any site that shows my IP address this does play out as being the case. BUT.... I use the free tracking service preproject.com and it places my laptop within 300ft no matter how I try to hide it. HOW? Shouldn't the Prey App show where PIA says I'm coming out at? And moreover how effective is PIA? Should I even bother with using it? Is there any way to truly mask where you are while online?

    1. Re:Traceability? by Qzukk · · Score: 1

      the Prey App

      Is this something running on your computer where it's capable of bypassing whatever network configuration you've got?

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    2. Re:Traceability? by Anonymous Coward · · Score: 0

      Sorry about that: http://preyproject.com Honestly, I do not know how it works. I'm concerned that any app could divulge location though. I use a mac and have it locked down with Little Snitch. But hell, even the native Mac MailApp calls to apple whenever it pings a mailserver so I deleted it. None of apple's damn business.

    3. Re:Traceability? by ShaunC · · Score: 1

      I use the free tracking service preproject.com and it places my laptop within 300ft no matter how I try to hide it. HOW?

      I'm pretty sure Prey uses a database of known wifi networks and their locations. For example, the Google Maps cars don't just take pictures, they also record a fingerprint of every 802.11 network they encounter; SSID, coordinates, the router's MAC address. There are public crowdsourced databases that do this, too. If you power up your computer and you're in range of a wireless network that's in one of these databases, Prey will locate you that way.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    4. Re:Traceability? by Anonymous Coward · · Score: 0

      It does it on my Cat 6 as well. So laptop hops onto Cat. 6 to a home gig router (not wifi) > onto that horrid Comcast > then out to PIA. I wondered about some sort of wifi so I wanted to test the hardline as well. It pings far faster doing that. I'm really curious about how it's finding the laptop.

      Side note: using Google Chrome, it lists my location as my actual location as well.

    5. Re:Traceability? by Qzukk · · Score: 1

      If it's antitheft software then at a minimum I'd expect it to be running as administrator and phoning home every few minutes reporting the last 5 networks it was connected to and every wireless AP it can see along with signal strengths for wifi geolocation/triangulation. At a minimum.

      Any program you're running could do most of that (except maybe tap into the wireless AP list without admin access).

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
  15. Re:Open sores, LOL by Anonymous Coward · · Score: 0

    Given that no source has been published by either company, whoops?

  16. TOR Router project? by Anonymous Coward · · Score: 0

    Go on down to the ATM Machine, enter your PIN Number and withdraw enough cash to buy a NIC Card. Check its UPC Code then write some HTML Language. Redundant mother fucker.

  17. comments in comments are ugly by Anonymous Coward · · Score: 0

    https://anonabox.com/about/
    By mid 2014, the product had been reduced 3 times in size thanks to the Chinese engineer I had hired back in 2013.
    I guess that may explain this
    https://reclaim-your-privacy.c...

    I assume this also helps
    August Germar
    Founder & CTO
    August is a security, privacy and IT guru with over 20 years of relevant experience. In addition to being a SysAdmin, he also owned his own ISP for 10+ years.

    Marc Preston
    Chief Executive Officer
    Marc is a highly experienced CEO with over 7 years experience in developing custom platforms, websites, Facebook games and mobile apps for Fortune 500 companies.

    so an ex-system admin and an app developer think (thought) they have a clue about proper security protocols (well I would hope the ex-system admin has some idea)