Slashdot Mirror

← Back to Stories (view on slashdot.org)

Anonabox Recalls Hundreds of Insecure 'Privacy' Routers

Posted by Soulskill on from the less-anona-and-more-box dept.

Sparrowvsrevolution writes: It turns out all those critics of the controversial Tor router project Anonabox might have been on to something. Late last month, Anonabox began contacting the first round of customers who bought its tiny, $100 privacy gadget to warn them of serious security flaws in the device, and to offer to ship them a more secure replacement free of charge. While the miniature routers do direct all of a user's Internet traffic over Tor as promised, the company says that its first batch lacked basic password protection, with no way to keep out unwanted users in Wi-Fi range. And worse yet, the faulty Anonaboxes use the hardcoded root password 'admin,' which allows any of those Wi-Fi intruders to completely hijack the device, snooping on or recording all of a user's traffic.

Anonabox's parent company, Sochutel, says that only 350 of the devices lacked that password protection, and that it's fixed the gaping security oversights in newer version of the router.

The initial security criticisms of Anonabox helped to convince Kickstarter to freeze the proejct's $600,000 crowdfunding campaign in October. But Anonabox relaunched on Indiegogo and was later acquired by the tech firm Sochutel. Sochutel claims that the security flaws in the routers developed prior to its acquisition of Anonabox were out of its control, and that it's now hiring outside auditors to check its products' security.

29 of 50 comments (clear)

  1. Well, they do offer a sort-of-kind-of privacy by NotDrWho · · Score: 1, Funny

    Technically, they do have "privacy"--in a bathroom-at-Bill-Cosby's-house sort of way.

    --
    SJW's don't eliminate discrimination. They just expropriate it for themselves.
    1. Re:Well, they do offer a sort-of-kind-of privacy by ckatko · · Score: 1

      And the low-effort of the day joke award goes to... someone else, sorry. This wasn't good enough.

  2. Translation ... by gstoddart · · Score: 5, Interesting

    Security is hard, and it was more profitable to push crap out the door than actually do what we promised.

    Honestly, TFS makes it sound like someone slapped together something and either naively believed they'd made something secure .. or straight up lied about having made something secure.

    No wifi password and default admin passwords? That's pretty pathetic for something which purports to be a security/privacy tool.

    Sounds like someone wrote the marketing literature before creating the product.

    --
    Lost at C:>. Found at C.
    1. Re:Translation ... by adolf · · Score: 1

      This level of security isn't hard. At all.

      What I think happened: COTS router was procured, cheap (Alibaba), and some kid was asked "Hey, kid: Do you think you can make this thing route everything over Tor?"

      Kid agrees, and Kickstarter/Indigogo campaign happens.

      Said kid then went through some Tomato source or forum posts, found the not-so-difficult bits that make Tor happen, implemented that (and only that) as requested, and said "I'll be taking that Porsche you offered me now, and it would be nice if you stuffed it with hookers and blow before delivery."

      Product then ships with every gaping and elementary security flaw that the original Chinglish firmware had, PLUS automagic Tor....because "privacy."

      The proceeds and remaining startup cash were then burned by the founders during a crazy weekend in Dubai. And that's that.

      Many of us here can "create" such a device without these problems before we're even finished with our first pot coffee or get through a half bowl of cigarettes. But we wouldn't bother: We'd just post the sources and binaries on Github and make mention on the appropriate forums, and switch Mythbusters on in the TV in the basement and have a nice mid-morning nap.

      --
      Kid-proof tablet..
  3. "Out of their control" ....BS by Anonymous Coward · · Score: 1

    Sochutel acquired a security-focused product in the middle of its development cycle and obviously didn't either retain or maintain an appropriate relationship with the development team that was working on it at the time. As a result, the final product had a bunch of dev environment sloppiness that should have been cleaned up before moving it into production. This is the most basic level of IT project management, and entirely within their control.

    1. Re:"Out of their control" ....BS by Ignacio · · Score: 3, Insightful

      The real problem is that Sochutel failed to identify their acquisition as snake oil in the first place. It wasn't "security-focused", it was profit-focused from beginning to end.

    2. Re:"Out of their control" ....BS by Khyber · · Score: 1

      Why do you think ANY company looks at acquiring another company? PROFIT.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    3. Re:"Out of their control" ....BS by dugancent · · Score: 1

      Unless it's a non-profit, it's profit focused. If you work and get paid, you are profit focused.

      --
      SJWs are the new boogeyman. -Me
    4. Re:"Out of their control" ....BS by Ignacio · · Score: 2

      So what? There's nothing wrong with making money. There is something wrong with screwing up as badly as Sochutel did.

  4. orly? by slashmydots · · Score: 1

    Outside auditors? Just log into the damn thing. If admin works and you can't change it, it's bad. You don't really need to go to outside help for that. Oh and see if the wifi broadcasts as open with no way to change it. That's not exactly hard.

    1. Re:orly? by oodaloop · · Score: 1

      And once they fix those two things, it'll be 100% secure with no need to test! Brilliant!

      --
      Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
    2. Re:orly? by drunk_punk · · Score: 1

      No. Security is hard. Security in any system is just that, systemic and it's pervasive! Hence, fixing a hard coded admin password and default OPEN WiFi network has, righlty so, scared the beejesus out of this company- prompting them to do a full security audit of the code (hopefully.)

      If you can't do the "simple" security fixes, there are far, far, worse security concerns lurking underneath- or in accounting, or maybe the front door to the company has this hitch in it where it doesn't lock just right.

    3. Re:orly? by lars_boegild_thomsen · · Score: 2

      Technically you can't log in to it - every access to the Web gui and/or ssh has been "blocked" (only they forgot IPv6).

      Firmware ripped out is here: Github

    4. Re:orly? by BarbaraHudson · · Score: 1

      No, the point is that if such obvious problems exist, the whole product is likely brain-damaged junk not worth repairing.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
  5. Outside auditors? by YuppieScum · · Score: 1

    National Security Auditing, perhaps?

    --
    This sig left unintentionally blank.
  6. Why? by Lumpy · · Score: 2

    Why not just do a firmware update via the admin web interface?

    Why in the world would you ship them back to have this done?

    --
    Do not look at laser with remaining good eye.
  7. Re:Open sores, LOL by zidium · · Score: 1

    I shed a tear when I realized I had no mod points left :-/

    --
    Slashdot Valentines Beta Massacre: iT WORKED! The boycotts killed Beta!!
  8. Analysis by lars_boegild_thomsen · · Score: 5, Informative

    Well, since it wasn't linked in the summary above, I'll do a shameless self-plug here:

    Anonabox Analysis

    And yes - I am the author of that analysis, so if anybody got questions I'll be happy to respond here.

    1. Re:Analysis by oodaloop · · Score: 1

      Somebody mod parent up already. I'm all out of points.

      --
      Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
    2. Re:Analysis by lars_boegild_thomsen · · Score: 2

      Yeah, I did consider that one myself :) And, well - I can add the following (and then let everybody make up their own mind).

      1. We did pledge on the Indiegogo campaign

      2. The Anonabox was received on Apr. 1 in UK (the date was funny)

      3. I received it about 2 days ago from UK (I live in Malaysia)

      4. Anonabox mentioned nothing about recalls before I posted the analysis

      5. There _was_ bitching in Indiegogo comments about the lack of WiFi passwords/encryption and there was a mention that if anybody wanted a password he could send the unit back and Anonabox would add one.

      6. To this date the one who ordered the Anonabox have not received any direct mail with a recall (albeit there could be a reason for that in this particular case)

    3. Re:Analysis by lars_boegild_thomsen · · Score: 1

      Forgot: And I have now tried hard to find anybody owning one of the "fixed" boxes so I can check that out. So far no luck. I assume the particular device I've got is seriously out of warranty.

      So let me repeat that here - I would very much like to hear from ANYBODY who have received one of the "fixed" boxes and I would very much like to borrow that for a short while :)

  9. Gaping by koan · · Score: 2

    Security holes...

    If they fucked up that bad, over things this simple, I would NEVER use their gear.

    --
    "If any question why we died, Tell them because our fathers lied."
    1. Re:Gaping by ckatko · · Score: 1

      It's funny when not having security at all is referred to as a "security hole." That's like me not building a water dam at all, and then saying "there's a hole in the dam allowing some water passed."

  10. Security device not secure .. by DougPaulson · · Score: 1

    Did no one test this security device for security before shipping it? Does this episode demonstrate the perls of outsourcing your developement to some newly qualified intern in the far east?

    What is OpenWrt?

    1. Re:Security device not secure .. by DougPaulson · · Score: 1

      @anon: 'If you don't know what you are doing, then you don't know what to test for. Anonabox crisis team meeting; "IPv6??? What is that? Why didn't anyone say anything about it? Where did that come from?'

      I suspect the crisis team consists of some uni student who scraped the code off the Intertubes :) Seriously Anonabox, if you are serious about security, then hire a pen testing team that does nothing but hammers on your device seeking out potential security vulnerabilities. At the end of about ten months then you can declare it as safe as is humanly possible. But then again no one, including the major players does this. The usual method is, if it compiles then ship it and fix the (user reported) bugs in the next version.

  11. Cheapest trash possible by gweihir · · Score: 1

    This is apparently the cheapest trash they could make, with security problems so obvious that even a novice pen-tester would find them in the first few minutes. They cannot have had a single competent security expert involved in development. The words "gross negligence" and "fraud" come to mind.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  12. Re:Traceability? by Qzukk · · Score: 1

    the Prey App

    Is this something running on your computer where it's capable of bypassing whatever network configuration you've got?

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  13. Re:Traceability? by ShaunC · · Score: 1

    I use the free tracking service preproject.com and it places my laptop within 300ft no matter how I try to hide it. HOW?

    I'm pretty sure Prey uses a database of known wifi networks and their locations. For example, the Google Maps cars don't just take pictures, they also record a fingerprint of every 802.11 network they encounter; SSID, coordinates, the router's MAC address. There are public crowdsourced databases that do this, too. If you power up your computer and you're in range of a wireless network that's in one of these databases, Prey will locate you that way.

    --
    Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
  14. Re:Traceability? by Qzukk · · Score: 1

    If it's antitheft software than at a minimum i'd expect it to be running as administrator and phoning home every few minutes reporting the last 5 networks it was connected to and every wireless AP it can see along with signal strengths for wifi geolocation/triangulation. At a minimum.

    Any program you're running could do most of that (except maybe tap into the wireless AP list without admin access).

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.