Security researcher claims anonabox has amateurish security
Regular readers may recall a post from October 2014 on the anonabox, a Tor hardware router that re-routes data through the Tor network for security and anonymity. Now German IT news site heise reports that there are serious security problems with the device.
The anonabox router out to protect its users’ privacy and route all traffic via the Tor network. Although the device performs this task, it exposes its users at the same time to the risk of being spied upon by local attackers. Massive oversights in the implementation of the device’s software don’t show the manufacturer in a good light.
User: root, Password: admin
A security analyst who has examined the anonabox has roasted the device. The WLAN network, which is configured by the manufacturer, is completely open and both SSH access and a web interface are simple to access even though they are concealed. Furthermore, the analyst was able to discover the pre-set root password “admin” at his fourth attempt. In addition, users cannot change the root password. The device is therefore surrendered defenceless to any attacker who can see the box’s WLAN.
At any rate, the WLAN network’s SSID changes with every reboot. The code responsible for this nevertheless seems to be the only source code which the anonabox’s developers have written themselves. In all other respects the device’s firmware seems to be a minimally adapted version of the OpenWrt open source project; and even then its own function is implemented almost amateurishly.
The anonabox project, which was launched through crowdfunding, attracted strong criticism from the outset. On the one hand, should allegedly self-developed hardware consist of a products that is already available. On the other, security experts were still doubting whether it was sensible to route all everyday traffic via Tor. In addition to these criticisms can now be added the fact that the box itself also represents a security risk.
The manufacturer has admitted the security problems and is exchanging affected devices. According to Wired, 350 of the total 1,500 devices sold via the its second crowdfunding campaign are affected. Its first campaign was halted by Kickstarter before its end date. New devices will not be affected by the security problem and thus need no free update, according to the boss of anonabox.