The controversial anonabox anonymity hardware router project returned today amidst a scathing reaction from the wider security and anonymity communities.
Previously, the project was suspended from Kickstarter after claims that the project used entirely custom hardware were debunked by industry experts and laymen alike. The project has resurfaced on crowdfunding site Indiegogo, where so far it has raised over $11,000.
Claims made by the previous incarnation of the project, that turned out to be false, included: A claim that the project was based on 100 per cent Open Source hardware, which turned out not to be true when the boards used in images hosted on the project’s site were identified as being the same as a closed System-on-Chip platform already available from Chinese shopping site Aliexpress for just over $20.
There was also a further claim that the project was based on 100 per cent Open Source software when the only “source code” released was a collection of configuration files. Amongst the few configuration files provided, substantial vulnerabilities were found, including an open unencrypted wireless hotspot and a trivially cracked default password on all devices.
Another claim was that all traffic passed through popular anonymity software Tor was trivially debunked by looking at the firewall configuration. That appeared to be poorly implemented and allowed some traffic to pass through.
Finally, there was a ludicrous claim that all communications were encrypted, deemed a ludicrous claim as only traffic sent over Tor was encrypted, and even then only at the point of entering Tor. User traffic was still sent to Tor using a default open and unencrypted wireless network, making it less secure than using something like the Tor Browser Bundle.
Any device that uses Tor to provide anonymity is going to face some inherent limitations on its ability to provide genuine anonymity, something both the Cloak and Portal projects have considered. On the version of the anonabox website up at the time of writing, the features page claims that “this is the safest way to use Tor”.
Throughout this entire debacle, many researchers and industry practitioners, myself included, have taken the view that the problems with the anonabox project may have been caused by a lack of the specialist security experience demonstrated in similar projects like PORTAL, or experience of adopting a fully open approach like the Cloak project.
Following the suspension of the Kickstarter project, the fact that this has resurfaced on Indiegogo alongside the plans to release the device for sale independently without engaging or appropriately responding to the community backlash is only going to lead to further accusations that the team involved are conducting a scam.
Former Tor chief and privacy researcher Runa Sandvik disagrees, confirming that the LinkedIn group wasn’t official, when shown the above quote, Runa said via Twitter that: “August Germar is making false claims, again.”
At the time of writing, a search of the forum tor.stackexchange.com found no evidence of contributions from Germar.
Adrian Wade of the Cloak project offered to “stump up the $51 he’s asking for and publicly offer him a debate”, while Twitter and reddit user @htilonom said: “Maybe it’s for good, people have to learn not to trust scams.”
Some of the broader security community have been more scathing in their assessments. Self-described dog enthusiast and breaker of stuff @semibogan accused the anonabox project of being “just thieving c*nts.”
At the time of writing, the current website is keen to push its Open Source credentials and even provides a link to a page to download code, without any actual source code package provided of course. It remains to see whether or not anonabox will reach its funding goals.
In the meantime, the community will no doubt continue to discourage people from supporting this or similar projects.
Steve Lord is technical director of Mandalorian
