Last fall, Crowdfund Insider shared details about the infamous Tor hardware router, Anonabox. The device received some negative attention after Kickstarter decided to pull the plug on its nearly $600,000 funded campaign when backers began to question the creator, August Germar, and the details that were given about the project.
Germar stated that his team had built a “custom” board and case for their miniature router over four years of development. Those who questioned the project quickly found out that the team had only bought an off-the-shelf case from a Chinese supplier and merely increased the flash memory.
Anonabox then turned to Kickstarter’s leading competitor, Indiegogo, and captured over $80,000, which was enough to start its promised production. Despite the doubts, the startup announced last month that the Anonabox was shipping out to backers.
However, Anonabox is now being recalled due to a security flaw. According to Wired, the startup began contacting the first round of customers who bought its tiny, $100 privacy gadget to warn them of serious security flaws in the device, and to offer to ship them a more secure replacement free of charge.
While the miniature routers do direct all of a user’s Internet traffic over Tor as promised, the company has confirmed that its first batch lacked basic password protection, which gives unwanted users in Wi-Fi range access. The faulty devices also have a bug that would allow those Wi-Fi intruders to completely hijack the device, snooping on or recording all of a user’s traffic. The 350 devices with these issues, out of 1,500 or so, were sold as part of Anonabox’s Indiegogo campaign.
The email to the backers reads:
“Prior to Sochule Inc’s acquisition of Anonabox and completely out of our control, a number of the first batches of Anonaboxes were shipped without a password for the Wi-Fi. Anyone that has received an Anonabox device without a password may ship their device back in good working order for a new Anonabox device…We will immediately escalate your order to the front of the line for processing, return shipment, and a new Anonabox device w/ the Wi-Fi enabled WPA2-PSK encryption.”
Noting that the two flaws make the Anonabox “downright dangerous,” security researcher Lars Thomasen stated:
“This is worse than not using any privacy device at all. Anyone in range can listen to your traffic without you noticing. Anyone can gain access to the device and install a sniffer to capture all that traffic.”
While Anonabox is asking backers to return the devices, Anonabox CEO Marc Lewis, who was brought in by Anonabox’s new parent company Sochule Incorporated, continues to insist that the startup is simply offering a “free upgrade” rather than a recall.
Offering his thoughts about the situation, UK-based penetration tester and co-founder of the security conference 44Con, Steve Lord explained:
Lewis added that Anonabox has learned its lesson, and is now enlisting outside security consultants to review its products. He also said that Sochule is doing whatever it takes to fix the bugs.
“The very first thing we did when we acquired the company was put the password on there. We took over a shitstorm of [public relations], and we’re trying to put best practices in place.”