Privacy Router Anonabox Gets $600K in Crowdfunding—And Huge Backlash

The Tor-enabled router project known as Anonabox successfully tapped into thousands of Internet users' desire for simpler privacy tech. Unfortunately, it wasn't ready for the scrutiny that success brought with it.

When it launched on Kickstarter earlier this week, the Tor-enabled router project known as Anonabox successfully tapped into thousands of Internet users' desire for simpler privacy tech. Unfortunately, it wasn't ready for the scrutiny that success brought with it.

In its first three days online, Anonabox's campaign raised more than $600,000 (more than 80 times its modest Kickstarter goal of $7,500) by promising a portable, $45 router that would direct all a user's traffic over the anonymizing network known as Tor. But as of Thursday morning, the backlash against that project had become so severe that its total funding was actually ticking down rather than up, as disillusioned backers pulled their pledges faster than others could make them. The comments section on the Kickstarter page had filled with users accusing the project's creators of fraud, many asking Kickstarter to cancel the fundraiser.

Update 10/17/2014 4:12pm: Kickstarter has now suspended the Anonabox campaign.

Anonabox's creator, August Germar, says that he's been both dismayed at the vitriol and overwhelmed by the demand for the device. He traces the controversy to his own marketing around the project, in which he claimed to be offering a ready-made consumer device. Instead, he insists his Kickstarter was actually aimed at developers and beta testers who he hoped would try out the Anonabox and work together to help him iron out its issues. "I had thought this would be like push-starting a car," Germar says. "Instead, it's been like being handcuffed to a rocket."

Criticism of Anonabox, which first exploded on Reddit, initially centered around its creator's claims (which WIRED published and then corrected in our first story on Anonabox) that they built a "custom" board and case for their miniature router over four years of development. Critics quickly found that they had instead bought an off-the-shelf case from a Chinese supplier and merely increased the flash memory of a preexisting board to accommodate Tor's resource demands. "I think I should cancel my pledge," wrote one Kickstarter backer on the site. "It troubles me that August was not forthcoming that they sourced the entire hardware package from that off-the-shelf Chinese router."

"The story about 4 years of development and 4 generations of products to end up on an existing Chinese mini-router already on the market for $20...I don't like it," wrote another user.

As criticism snowballed, some backers were even angrier. "I am so pleased to see the money finally going backwards," wrote one on Wednesday night. "I hope this project crashes and burns."

But other Kickstarter customers defended the project, arguing that they didn't mind using stock hardware if it anonymized users' online traffic as promised. "Says it was configured and refined, does NOT say the creator invented plastic!" wrote one. "I want it! I want one that I can take to the coffee shop with me too!"

But as the security community has taken notice of Anonabox over the last week, its analysts and penetration testers have found that the router's software also has serious problems, ones that could punch holes in its Tor protections or even allow a user to be more easily tracked than if they were connecting to the unprotected Internet. "I'm seeing these really strange smells and poor practices in their pilot beta code," says Justin Steven, a computer security analyst based in Brisbane, Australia. "It scares me if anyone is relying on this for their security."


In its Kickstarter campaign and on its website, the Anonabox project promised to open-source its code. But it uses Tor and the independent router software Open-WRT as the basis for its firmware, and the only code it's made available for download on its own site has been a set of configuration files. And those configuration files were quickly found to include a root password common to all Anonaboxes by default. Though that root password was cryptographically hashed, one user was able to quickly crack that hardcoded password and found it to be "developer!".

In its default state, the Anonabox doesn't password-protect its wireless network. That means that anyone who sets up an Anonabox without changing its settings can have their device completely compromised by a nearby hacker who has the easily identifiable root password. That wireless attacker could disable Tor or even infect the router with spyware that tracks the user's location wherever they take it. "Within a reasonable range you can just start pulling stuff out and attacking the person," says Steve Lord, a British penetration tester and founder of the security conference 44Con. "The reality doesn't stack up to their claims on the software side."

On top of its root password problem, Steven points to the fact that Anonabox's current configuration files mean that every device would have the same SSHD host key, a kind of secure shell key used to remotely run commands on the router. This is a problem because anyone who owned one of the devices and extracted that key could use it to intercept another Anonabox owner on the same network using SSH to change the settings on his or her router. "The fact that they’re cloning pre-rolled SSHD host keys is a well known bad practice," he says. "I feel bad slamming this project. The beauty of open source is that these issues can be fixed. But it just makes me worried for their development maturity."
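The three defaults described above (a root password hash shared by every unit, an unencrypted wireless network, and a host key cloned into every device) are the kind of thing a pre-release audit of a firmware tree can catch. The following is an added example, not code from Anonabox or from the article; the file paths are the usual OpenWrt, OpenSSH and Dropbear locations and are assumed here, and both sample trees are constructed.

```python
import re

# Standard OpenSSH / Dropbear host-key locations (assumed; the article names no paths).
HOST_KEY = re.compile(r"etc/(ssh/ssh_host_\w+_key|dropbear/dropbear_\w+_host_key)$")

def audit_image(files):
    """files: {image-relative path: text}. Returns findings in check order."""
    findings = []
    # 1. Root's shadow field: a real hash is one password shared by every unit.
    for line in files.get("etc/shadow", "").splitlines():
        fields = line.split(":")
        if fields[0] == "root" and len(fields) > 1:
            pw = fields[1]
            if pw == "":
                findings.append("empty-root-password")
            elif not pw.startswith(("*", "!")):
                findings.append("shared-root-password")
    # 2. UCI wifi-iface sections: encryption 'none' (or unset) is an open network.
    for sec in re.split(r"(?m)^config\s+", files.get("etc/config/wireless", "")):
        if sec.startswith("wifi-iface"):
            m = re.search(r"(?m)^\s*option\s+encryption\s+'?([\w+-]+)", sec)
            if m is None or m.group(1) == "none":
                findings.append("open-wireless")
    # 3. Private host keys baked into the image are identical on every device.
    for path in sorted(files):
        if HOST_KEY.match(path):
            findings.append("cloned-host-key:" + path)
    return findings

# Constructed sample trees (not Anonabox's real files; the hash is a placeholder).
SHIPPED = {
    "etc/shadow": "root:$1$CONSTRUCTED$placeholderhash0000000:16000:0:99999:7:::\n",
    "etc/config/wireless": "config wifi-device 'radio0'\n\toption type 'mac80211'\n\n"
                           "config wifi-iface\n\toption device 'radio0'\n"
                           "\toption mode 'ap'\n\toption encryption 'none'\n",
    "etc/ssh/ssh_host_rsa_key": "(private key omitted)",
    "etc/ssh/ssh_host_rsa_key.pub": "(public key omitted)",
}
HARDENED = {  # root locked until first-boot setup, WPA2 on, host keys made on-device
    "etc/shadow": "root:!:16000:0:99999:7:::\n",
    "etc/config/wireless": "config wifi-iface\n\toption device 'radio0'\n"
                           "\toption encryption 'psk2'\n",
}

if __name__ == "__main__":
    print(audit_image(SHIPPED))
    print(audit_image(HARDENED))
```

A clean result for the hardened tree depends on the device generating its own host keys and requiring a password change at first boot, which the audit cannot verify from static files alone.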

Anonabox's lax default settings are particularly worrying given its intended audience. Germar has said he designed the tiny router to be used by activists and journalists in repressive regimes. In its current state, it could create more risk than protection for those sensitive users.

But Germar argues that all the criticisms of the Anonabox stem from miscommunication, not carelessness or any attempt to scam users. He admits that he should have made clear which parts of the Anonabox's hardware he sourced from China rather than give users the impression he was custom-building the parts from scratch. But he denies the software issues represent real vulnerabilities. Instead, he describes them as issues of user education. Germar says he intended to include warnings in the final documentation to change the router's root password, for instance.

The software criticisms in particular, he says, stem from the fact that he never intended the first version of the device for regular, non-expert users. "When I first started this, I thought it would be crazy if we sold even 500 of them, and mostly for developers," he says. "There's no documentation because the code isn’t even finalized. I thought this would continue on as a community of developers, working on it together."

Germar says he regrets not better explaining his intentions for the project. But even as users pull their Kickstarter pledges and his total funds dip below $600,000, he still calls the project a success. "This would have been a success even if we'd raised $10,000," he says. "This is a place to start."