350 of 1,500 Anonabox privacy routers were recalled due to the devices lacking basic security features. The insecure gadgets are being replaced for free.

It’s not rocket science that if you bother to purchase a “privacy” router, then you’d likely expect it to come with at least basic security features. “Security is a right” and “freedom is fundamental,” the Anonabox website states. What Anonabox claims it offers, like “portable privacy” and “anonymity for all,” sounds good, but the first batch of privacy routers didn’t even have basic password protection!

Oops!

The $99 Anonabox is supposed to offer plug-n-play flavored privacy via a pocket-sized router that encrypts and routes all the users’ web traffic via the Tor anonymizing network. Yet the privacy product has been entangled in one problem after another. After the Kickstarter campaign for the tiny plug-and-play Tor-loaded Anonabox router quickly raised over a half million dollars, one of the developers backpedaled on ‘custom’ hardware claims; some Redditors had found the same hardware available for sale in China. After its half million in fundraising was frozen and it was kicked from Kickstarter for repackaging Chinese hardware, Anonabox moved its crowdfunding efforts to Indiegogo where it raised $82,742.

Then last month Anonabox contacted some of its first customers, warning that the shipped devices offered no password protection – something considered a basic feature in any Wi-Fi router. That’s not the only problem. On Reclaim Your Privacy, Lars Thomsen posted a wiki-styled analysis of Anonabox since the product site had no documentation or source code. He said it is “downright shocking that the Wi-Fi connection is running unencrypted. Anybody within range of the Anonabox can connect to the network and sniff all network traffic.”

Then under “Breaking and Entering,” Thomsen wrote: Anonabox has got a root password hard-coded.
And the root password is – I am not joking: “admin”

Regarding whether or not Anonabox can be made secure, Thomsen said, “Some of the obvious mistakes made by Anonabox can be remedied and that will make it a better product. But there’s still a fundamental problem in the fact that the source code is not available, so a back door could theoretically be hidden in a binary file somewhere … It would be a far better approach to build an entirely new firmware.”

“The two flaws combined make the affected devices downright dangerous to use,” Thomsen told Wired. “This is worse than not using any privacy device at all. Anyone in range can listen to your traffic without you noticing. Anyone can gain access to the device and install a sniffer to capture all that traffic.”

When Anonabox was acquired by Sochule in March, Sochule CEO Marc Lewis said, “Value is in the demand, and the demand is unprecedented.” And no, the Anonabox press release on April 1 was not an April Fool’s prank; it failed to mention any security flaws but did announce security features like unique Wi-Fi passwords and auto-updating software. However, Lewis did mention the lack of Wi-Fi passwords and options to obtain a replacement in a blog post from March.

Lewis later said Sochule took over a “sh*tstorm” regarding Anonabox public relations, but the company has done everything it can to put best practices in place and patch the privacy router’s security bugs.

After recalling 350 of 1,500 routers due to security flaws, Lewis told Wired that affected Anonabox customers receiving replacements were getting “free upgrades.” Wired called the “scheme” a “recall.”

After Steve Lord, a UK-based penetration tester and co-founder of the security conference 44Con, reviewed Thomsen’s analysis, he said users with that version of Anonabox were at “extreme risk.” Lord added, “This is what happens when you combine amateur hour with money. It’s not surprising Anonabox is trying to recall it and cover their tracks.
It’s a total train wreck.”

If you are interested in poking around, Thomsen posted the original firmware files pulled from a virgin Anonabox on GitHub.

A recent ArsTechnica review of the good, bad and ugly of both the $99 Anonabox and a $39 Invizbox stated, “If you’re actually concerned about providing security from surveillance to a group of people larger than one, InvizBox’s ability to be expertly configured for a user by someone educated in how to get the most out of Tor makes it a significantly better option.”