TL;DR: Anonabox can be rooted with minimal effort (backdoor wide open). The attack vector is an undocumented web interface with a hard coded password ("admin"), an open SSH port that accepts the same credentials, and grants root access.
It is clear that they are lazy and a little out of their depth, but are they malicious?
Considering that their Kickstarter was shut down 6 months ago due to their lies, and that they started up again at Indiegogo despite the warnings, and that they've been concealing information and attacking their critics through sockpuppets? Yes, I think it's fair at this point to call them malicious.
A simple fact is they do not _have_ the source code. They are only patching the firmware the router came with from China when they bought it. They are not even building Tor themselves but relying on an old unsupported version straight from OpenWrt's repository.
I should clarify: I don't think they're adding backdoors maliciously. It's their conduct -- proceeding despite the concerns raised, attacking critics, etc. -- that is greedy and malicious.
Now, that I am inclined to agree with :) And the fact is, using the device as shipped to us is more dangerous than not using it at all. Anybody within WiFi range can basically do whatever they want.
This is an arena in which malice could plausibly try to disguise itself as incompetence. It's fine to give people the benefit of that doubt, but it is a doubt.
It is a tremendously bad idea to route all of your traffic through Tor. It completely breaks the Tor security/privacy model.
Negative bonus points for doing it as a WiFi AP - that's a great way to accidentally reconnect to a different AP when your connection to the Tor AP drops, and immediately tie your Tor traffic to your regular connection through automatic reconnects.
This is likely the reason why the Anonabox generates random SSIDs; it forces the user to expect to have to connect to a new network regularly, and additionally reduces the amount of time available for an attacker to attempt to create a duplicate AP.
Of course, even this tactic isn't foolproof, and it's made rather ineffective by Anonabox's rather glaring flaws, but I can understand the rationale.
That idea doesn't work, though. Most devices/OSes remember your last access point, and will, upon an Anonabox failure / deauth / whatever, happily reconnect to your regular (non-Tor!) WiFi AP. That instantly compromises you. Changing the Anonabox SSID doesn't change that.
I had a look at the Invizibox firmware and it is somewhat better than Anonabox. However, and this is important - they are not Open Source. They TOO are only patching a binary firmware delivered by the manufacturer of the router (Gainstrong).
Putting aside the question of legality, a port scan that does not have prior authorization is pretty generally considered "impolite". As an analogy, it's certainly not illegal to touch someone else's laptop screen, and if I gesture at something and accidentally land a fingerprint on someone's screen, I'll apologize. Legality notwithstanding, it's kind of a dick move if you see me do that, to walk over and tell me I don't need to apologize to the person, and then plant your own fingersmudge right there next to mine.
In any case, if you're located inside the US, it's almost certainly a violation of your ISP's terms of service.
Frankly, it strikes me as very odd that a company that is manufacturing a product that is supposed to help maintain your anonymity and increase your security online fails to safeguard the end-user through basic security recommendations that have been around for YEARS. Would these "holes" be plugged up as a matter of course? Something doesn't add up... Thanks for your thorough analysis, though. This makes it increasingly clear that not every company that purports to offer "anonymous" or "secure" services can or should be trusted - even if it wasn't malicious or intentional.
A generally applicable rule of thumb is that any company that claims to provide "anonymous" or "secure" services/products is untrustworthy, unless proven otherwise.
It's extremely hard to make money from perfect security/anonymity, so any commercial entity is likely to have screwed up at least something, whether intentional or not.
Color me crazy, but the odd 126 IP space kinda makes sense to me. Consider that one of the more common attacks on Tor users is IP leakage from the browser. In this setup the local IP would map to a real public IP, but would be entirely useless.
I personally don't think that it's a good solution. Poor operational security can't be solved by misdirection.
I still don't see the point. If there's a vulnerability that can be used to leak your LAN address, you want the leaked address to be as generic as possible. Something like "192.168.0.2" is perfect; a crazy 126.16.2.x address is unusual and could be used to fingerprint Anonabox users.
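As an added illustration of the point made in the comment above (not code from the thread or from Anonabox), the check below rates how much a leaked LAN address would single out its network: a common RFC 1918 address blends in, a public range used internally does not. The list of "common default subnets" and the sample lease lines are constructed assumptions for this example.

```python
"""Added example: rate how distinctive a LAN address would be if a
client-side leak exposed it. Not part of the original thread."""
import ipaddress

# Assumption: subnets typically handed out by consumer routers.
COMMON_DEFAULT_SUBNETS = [
    ipaddress.ip_network("192.168.0.0/24"),
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("10.0.0.0/24"),
    ipaddress.ip_network("172.16.0.0/24"),
]

def assess_lan_address(addr: str) -> dict:
    """Classify one address and estimate its fingerprinting risk."""
    ip = ipaddress.ip_address(addr)
    if ip.is_private:
        # RFC 1918 space: low risk if it is also a very common default range.
        if any(ip in net for net in COMMON_DEFAULT_SUBNETS):
            return {"address": addr, "class": "rfc1918-common",
                    "fingerprint_risk": "low"}
        return {"address": addr, "class": "rfc1918-uncommon",
                "fingerprint_risk": "medium"}
    if ip.is_global:
        # Publicly routable space used as a LAN range (the 126.x case):
        # unusual enough to tag a specific product's users.
        return {"address": addr, "class": "public-range-used-internally",
                "fingerprint_risk": "high"}
    return {"address": addr, "class": "other", "fingerprint_risk": "medium"}

# Constructed sample leases in "hostname address" form (not real data).
SAMPLE_LEASES = """\
laptop 192.168.0.2
phone 10.77.3.5
tablet 126.16.2.7
"""

def flag_unusual(leases: str) -> list:
    """Return the addresses from a lease listing that rate 'high' risk."""
    flagged = []
    for line in leases.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        if assess_lan_address(parts[1])["fingerprint_risk"] == "high":
            flagged.append(parts[1])
    return flagged

if __name__ == "__main__":
    for host_addr in SAMPLE_LEASES.split():
        if "." in host_addr:
            print(assess_lan_address(host_addr))
    print("flagged:", flag_unusual(SAMPLE_LEASES))
```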
That and the semi-randomized SSID have been bugging me all day while I wrote that wiki entry. I simply can't see the logic in or reasoning behind those decisions.
There is a danger with running "just anything" over tor, which is that, ultimately, your data will be visible to the exit node. And if you run anything (like facebook, apps, etc.) over that same link, it will be very easy for the person running the exit node to tie the information to a particular person (you).
I was going to reply with a bunch of stuff about how Tor exit nodes don't terminate TLS, but I thought more about what you are saying. You're right, it's not a good idea at all to be logged into any account that de-anonymizes you in any way while using Tor, because then for the rest of that Tor session, you are potentially compromised.
Your anonymous presence and your public presence should always be 100% separate.
In general, I don't think it is a good idea to connect to multiple services over the same Tor link. One of those services could be compromised in some way (hacked, government backdoors, etc.), and could be used to de-anonymize sessions at other services, by using the ip-address of the exit-node and the time-frame in which the communication took place.