Slashdot Mirror
Anonabox Recalls Hundreds of Insecure 'Privacy' Routers
Sparrowvsrevolution writes: It turns out all those critics of the controversial Tor router project Anonabox might have been on to something. Late last month, Anonabox began contacting the first round of customers who bought its tiny, $100 privacy gadget to warn them of serious security flaws in the device, and to offer to ship them a more secure replacement free of charge. While the miniature routers do direct all of a user's Internet traffic over Tor as promised, the company says that its first batch lacked basic password protection, with no way to keep out unwanted users in Wi-Fi range. And worse yet, the faulty Anonaboxes use the hardcoded root password 'admin,' which allows any of those Wi-Fi intruders to completely hijack the device, snooping on or recording all of a user's traffic.
Anonabox's parent company, Sochutel, says that only 350 of the devices lacked that password protection, and that it's fixed the gaping security oversights in newer version of the router.
The initial security criticisms of Anonabox helped to convince Kickstarter to freeze the proejct's $600,000 crowdfunding campaign in October. But Anonabox relaunched on Indiegogo and was later acquired by the tech firm Sochutel. Sochutel claims that the security flaws in the routers developed prior to its acquisition of Anonabox were out of its control, and that it's now hiring outside auditors to check its products' security.
Anonabox's parent company, Sochutel, says that only 350 of the devices lacked that password protection, and that it's fixed the gaping security oversights in newer version of the router.
The initial security criticisms of Anonabox helped to convince Kickstarter to freeze the proejct's $600,000 crowdfunding campaign in October. But Anonabox relaunched on Indiegogo and was later acquired by the tech firm Sochutel. Sochutel claims that the security flaws in the routers developed prior to its acquisition of Anonabox were out of its control, and that it's now hiring outside auditors to check its products' security.
Security is hard, and it was more profitable to push crap out the door than actually do what we promised.
Honestly, TFS makes it sound like someone slapped together something and either naively believed they'd made something secure .. or straight up lied about having made something secure.
No wifi password and default admin passwords? That's pretty pathetic for something which purports to be a security/privacy tool.
Sounds like someone wrote the marketing literature before creating the product.
Lost at C:>. Found at C.
Why not just do a firmware update via the admin web interface?
Why in the world would you ship them back to have this done?
Do not look at laser with remaining good eye.
The real problem is that Sochutel failed to identify their acquisition as snake oil in the first place. It wasn't "security-focused", it was profit-focused from beginning to end.
Well, since it wasn't linked in the summary above, I'll do a shameless self-plug here:
Anonabox Analysis
And yes - I am the author of that analysis, so if anybody got questions I'll be happy to respond here.
Technically you can't log in to it - every access to the Web gui and/or ssh has been "blocked" (only they forgot IPv6).
Firmware ripped out is here: Github
Security holes...
If they fucked up that bad, over things this simple, I would NEVER use their gear.
"If any question why we died, Tell them because our fathers lied."
So what? There's nothing wrong with making money. There is something wrong with screwing up as badly as Sochutel did.