

Anonabox Analysis - wila
https://reclaim-your-privacy.com/wiki/Anonabox_Analysis

======
deckar01
TLDR; Anonabox can be rooted with minimal effort (backdoor wide open). The
attack vector is an undocumented web interface with a hard coded password
("admin"), an open SSH port that accepts the same credentials, and grants root
access.

It is clear that they are lazy and a little out of their depth, but are they
malicious?

~~~
lbthomsen
I wrote that analysis and honestly - no - I don't think it's malicious.
Incompetent perhaps, but not malicious.

~~~
asherlangton
I should clarify: I don't think they're adding backdoors maliciously. It's
their conduct -- proceeding despite the concerns raised, attacking critics,
etc. -- that is greedy and malicious.

~~~
lbthomsen
Now, that I am inclined to agree with :) And fact is - using the device as
shipped to us is more dangerous than not using it at all. Anybody within WiFi
range can basically do whatever they want.

------
padraic7a
Invizbox is an attempt to create a decent tor-on-hardware solution using the
same hardware tech Anonabox falsely claimed to have come up with.

While you can argue about the merits of a Tor-on-hardware solution they seem
to have done a really good job of implementing things.

Their website: [https://invizbox.io](https://invizbox.io)

News they're planning to release a flashable firmware to plug the holes in
Anonabox: [https://twitter.com/invizbox/status/585116913321279488](https://twitter.com/invizbox/status/585116913321279488)

[I've bought an invizbox but have no other affiliation]

~~~
joepie91_
And arguing about the merits we should.

It is a _tremendously_ bad idea to route all of your traffic through Tor. It
completely breaks the Tor security/privacy model.

Negative bonus points for doing it as a WiFi AP - that's a great way to
accidentally reconnect to a different AP when your connection to the Tor AP
drops, and immediately tie your Tor traffic to your regular connection through
automatic reconnects.

~~~
yellowapple
This is likely the reason why the Anonabox generates random SSIDs; it forces
the user to expect to have to connect to a new network regularly, and
additionally reduces the amount of time available for an attacker to attempt
to create a duplicate AP.

Of course, even this tactic isn't foolproof, and it's made rather ineffective
by Anonabox's rather glaring flaws, but I can understand the rationale.

~~~
joepie91_
That idea doesn't work, though. Most devices/OSes remember your last access
point, and will, upon an Anonabox failure / deauth / whatever, happily
reconnect to your regular (non-Tor!) WiFi AP. That instantly compromises you.
Changing the Anonabox SSID doesn't change that.

------
rsync
"Apologies to bbtec.net, but I _really_ didn't scan their public IP :)"

There is no need to apologize. There is nothing wrong with port scanning a
public IP address. In fact, I just did it myself:

    
    
      # nmap -sT 126.16.2.1
      
      Starting Nmap 6.25 ( http://nmap.org ) at 2015-04-06 13:46 PDT
      Nmap scan report for softbank126016002001.bbtec.net (126.16.2.1)
      Host is up (0.12s latency).
      Not shown: 994 closed ports
      PORT      STATE    SERVICE
      80/tcp    filtered http
      340/tcp   filtered unknown
      2103/tcp  filtered zephyr-clt
      8000/tcp  filtered http-alt
      55555/tcp filtered unknown
      55600/tcp filtered unknown
    
      Nmap done: 1 IP address (1 host up) scanned in 24.78 seconds
    

No problem at all for anyone involved.

~~~
chias
Putting aside the question of legality, a port scan that does not have prior
authorization is pretty generally considered "impolite". As an analogy, it's
certainly not illegal to touch someone else's laptop screen, and if I gesture
at something and accidentally land a fingerprint on someone's screen, I'll
apologize. Legality notwithstanding, it's kind of a dick move if you see me do
that, to walk over and tell me I don't need to apologize to the person, and
then plant your own fingersmudge right there next to mine.

In any case, if you're located inside the US, it's almost certainly a
violation of your ISP's terms of service.

~~~
Dylan16807
Well it's more like saying you don't have to apologize to the _laptop_. And
with invisible smudges.

~~~
lbthomsen
Hey, I did include a smiley in the original wiki post.

------
shayaknyc
Frankly, it strikes me as very odd that a company that is manufacturing a
product that is supposed to help maintain your anonymity and increase your
security online fails to safeguard the end-user through basic security
recommendations that have been around for YEARS. Would these "holes" be
plugged up as a matter of course? Something doesn't add up..... Thanks for
your thorough analysis, though. This makes it increasingly clear that not
every company that purports to offer "anonymous" or "secure" services can or
should be trusted - even if it wasn't malicious or intentional.

~~~
joepie91_
A generally applicable rule of thumb is that _any_ company that claims to
provide "anonymous" or "secure" services/products is untrustworthy, unless
proven otherwise.

It's _extremely_ hard to make money from perfect security/anonymity, so any
commercial entity is likely to have screwed up at least _something_ , whether
intentional or not.

------
TehCorwiz
Color me crazy, but the odd 126 IP space kinda makes sense to me. Consider that
one of the more common attacks on Tor users is IP leakage from the browser. In
this setup the local IP would map to a real public IP, but would be entirely
useless.

I personally don't think that it's a good solution. Poor operational security
can't be solved by misdirection.

~~~
duskwuff
I still don't see the point. If there's a vulnerability that can be used to
leak your LAN address, you want the leaked address to be as generic as
possible. Something like "192.168.0.2" is perfect; a crazy 126.16.2.x address
is unusual and could be used to fingerprint Anonabox users.

------
amelius
There is a danger with running "just anything" over tor, which is that,
ultimately, your data will be visible to the exit node. And if you run
anything (like facebook, apps, etc.) over that same link, it will be very easy
for the person running the exit node to tie the information to a particular
person (you).

~~~
orthecreedence
I was going to reply with a bunch of stuff about how Tor exit nodes don't
terminate TLS, but I thought more about what you are saying. You're right,
it's not a good idea _at all_ to be logged into any account that de-anonymizes
you in any way while using Tor, because then for the rest of that Tor session,
you are potentially compromised.

Your anonymous presence and your public presence should always be 100%
separate.

~~~
amelius
In general, I don't think it is a good idea to connect to multiple services
over the same Tor link. One of those services could be compromised in some way
(hacked, government backdoors, etc.), and could be used to de-anonymize
sessions at other services, by using the ip-address of the exit-node and the
time-frame in which the communication took place.

~~~
lbthomsen
After discussion on the Tor mailing list a while back, that issue was solved
in Cloak ([http://reclaim-your-privacy.com](http://reclaim-your-privacy.com)
and
[http://github.com/ReclaimYourPrivacy](http://github.com/ReclaimYourPrivacy))
by using different Tor circuits for each service! The relevant file is here:
[https://github.com/ReclaimYourPrivacy/cloak-cloak/blob/maste...](https://github.com/ReclaimYourPrivacy/cloak-cloak/blob/master/tor-cloak/files/tor.init)
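
The de-anonymization amelius describes above (one exit IP, one time window,
two services) and the per-service-circuit fix lbthomsen mentions can be shown
on data. The following is an added example and not code from the thread or
from the Cloak project: it runs a simple correlation over two constructed
service logs, one where every service shares a circuit (and thus an exit IP)
and one where each service gets its own circuit. The log format, the service
names and the exit addresses (RFC 5737 documentation ranges) are invented for
illustration.

```python
"""Correlating an anonymous action with a logged-in account via a shared Tor
exit IP. Constructed example; not from the Anonabox/Cloak projects."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed "what each service saw" logs. Columns:
#   timestamp  source_ip(=Tor exit)  service  identity ("-" = not logged in)
SHARED_CIRCUIT_LOG = """
# one circuit for everything: both services see the same exit
2015-04-06T13:46:10 198.51.100.7 social alice
2015-04-06T13:50:00 198.51.100.7 forum  -
2015-04-06T13:52:30 198.51.100.7 social alice
""".split("\n")

ISOLATED_CIRCUIT_LOG = """
# one circuit per service: the anonymous forum post exits elsewhere
2015-04-06T13:46:10 198.51.100.7 social alice
2015-04-06T13:50:00 203.0.113.42 forum  -
2015-04-06T13:52:30 198.51.100.7 social alice
""".split("\n")


@dataclass(frozen=True)
class Event:
    ts: datetime
    exit_ip: str
    service: str
    identity: Optional[str]  # account the request was authenticated as, if any


def parse_log(lines: List[str]) -> List[Event]:
    """Parse the whitespace-separated log above; blank and '#' lines are skipped."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, exit_ip, service, ident = line.split()
        events.append(Event(datetime.fromisoformat(ts), exit_ip, service,
                            None if ident == "-" else ident))
    return events


def link_anonymous_events(events: List[Event],
                          window: timedelta = timedelta(minutes=10)
                          ) -> Dict[Tuple[str, str], List[str]]:
    """For each anonymous event, return the identities seen from the SAME exit
    IP at a DIFFERENT service within +/- window.

    A non-empty list is exactly the linkage amelius describes: whoever holds
    both services' logs (or runs the exit) can tie the anonymous action to a
    named account without touching TLS at all."""
    identified = [e for e in events if e.identity]
    links: Dict[Tuple[str, str], List[str]] = {}
    for anon in events:
        if anon.identity:
            continue
        hits = sorted({
            e.identity for e in identified
            if e.exit_ip == anon.exit_ip
            and e.service != anon.service
            and abs(e.ts - anon.ts) <= window
        })
        links[(anon.ts.isoformat(), anon.service)] = hits
    return links


if __name__ == "__main__":
    print("shared circuit:  ", link_anonymous_events(parse_log(SHARED_CIRCUIT_LOG)))
    print("isolated circuits:", link_anonymous_events(parse_log(ISOLATED_CIRCUIT_LOG)))
```

With the shared log the anonymous forum post at 13:50 is bracketed by two
logged-in "alice" requests from the same exit and gets linked; with
per-service circuits the forum post leaves through a different exit and the
same query returns nothing. Two caveats a practitioner should keep in mind:
an exit serves many users at once, so a hit is circumstantial evidence rather
than proof, and the window matters (Tor rotates circuits on its own after
roughly ten minutes of use by default, which is why the example's default
window is ten minutes). Tor's own mechanism for what Cloak does per service is
stream isolation, i.e. separate SocksPort/TransPort listeners or the
IsolateDestAddr/IsolateDestPort flags on a listener.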

------
agilentrun
Why not do a simple Raspberry Pi? At least it can be updated - runs Raspbian
[http://learn.adafruit.com/onion-pi](http://learn.adafruit.com/onion-pi)

------
de_wq912AesppE5
The wifi password situation seems to be addressed here [0]. It was a limited
batch of these that were sent out with lacking wifi security.

[0] [https://anonabox.com/news/anonabox-blog-when-there-is-blood-...](https://anonabox.com/news/anonabox-blog-when-there-is-blood-in-the-streets-buy-part-1.html)

~~~
asherlangton
Yeah, and the remote root shell with password "admin"?

~~~
htilonom
Don't bother he has a brand new user account, created just for defending
Anonabox scammers : )

