If you've been keeping abreast of goings on in the security and privacy world recently then you'd be hard pressed to have not heard of the Anonabox. A small device courted with controversy and more social funding pledged than you can shake a stick at.
Yes, the Anonabox, the small physical TOR box finally came to fruition and is available to buy, but the question is, is it any good?
What is TOR?
To understand what the Anonabox is you first have to understand what TOR is. TOR or The Onion Router to give it its full name is a free system designed to obfuscate your internet traffic by passing it through various other computers or “relays” in an encrypted manner.
The premise is that anyone who wanted to sit and watch what websites you visited or what you got up to on the internet would have a pretty hard job. In fact as long as you weren't accessing personally identifiable sites or entering your personal details then it goes part way to helping you stay anonymous. Alone it's not the full solution, but it is part way to getting there.
TOR is a piece of software available for a range of computers and devices and requires some set-up if installing manually however a special browser also exists which removes the majority of this set-up requirement.
Ok, I understand what TOR is, what exactly is the Anonabox?
The Anonabox is a small physical device that allows access to the TOR network without the need to install additional software or do any kind of set-up (in fact you couldn't really do any set-up even if you wanted to, but we'll get to that later). The device can be purchased directly from the manufacturers in the United States for a cost of US$99.00 so approximately £65.40 or €88.40 at the time of writing.
US customers get free shipping but [edit- ok, shipping in the US isn't free but starts from as little as $6], Europeans and elsewhere have to pay shipping costs starting at US$16.75 and upwards.
Measuring about the circumference of a credit card and no taller than two fingers placed together the Anonabox is a portable TOR device that is light enough to be carried around in a pocket if needed.
So for those of you who have heard of TOR or the overused phrase the “dark web” then the Anonabox will allow you to access the internet via TOR and even access the “dark web” without needing any technical expertise.
You're probably wondering, if you can download the TOR software for free then why do you need a hardware device that costs nearly a hundred dollars? Well for one it takes out any set-up requirement but for new-comers using the TOR browser can achieve that too, so what's the point? The main positive of using a hardware device is whilst it can be accessed directly via an ethernet cable it also creates a secure TOR WiFi hotspot protected by a password.
The WiFi hotspot allows any device to connect and access the internet via the TOR network. So while software solutions may be limited to systems that are supported the Anonabox allows you to access on any device that can connect to a WiFi hotspot. It also allows you to make TOR portable if you wished and access via devices other than you own, while that in itself wouldn't be entirely secure it does create that option.
What do you get and how do you use it?
The package contains :-
- 1x Anonabox
- 1x USB power cable
- 1x Manual
Firstly to set up you need to remove the device from its security sealed box. It was impossible to open the box without tripping the security seal or destroying the packaging in some other way. The security seal is there to ensure the device has not been tampered with while on route via the postal system, ie; government three letter agency tampering (aka NSA etc.). While the security seal only covers one side it is impossible to remove even from the none covered side (I know, I tried my best to do it).
Once removed the device requires the USB power cable plugging into a USB port, many routers have USB ports but as mine doesn't I opted to plug into my desktop USB port. You could, of course, buy a USB power socket adapter, but this would be an additional cost and isn't supplied with the device.
Next you simply connect an ethernet cable to the WAN port on the Anonabox and the other end of the cable to your router, one isn't supplied with the Anonabox which was a little bit disappointing but most people should have a few spares lying around. A light will start blinking on the box and from a user set-up point of view it is now completely set-up! simple huh?
There are two ways to make use of the device, either connect to the new WiFi hotspot that has been created or directly plug into the one ethernet wired port available.
The Anonabox comes with a pre-configured long password (24 characters in fact) made up of random characters. Unfortunately, this isn't possible to be changed so be careful what you do with the included password as if you lose it you'll be stuck.
The WiFi connection is broadcast using an SSID of “Anonabox” which also isn't possible to be changed. While not overly a huge issue I would of liked the ability to turn off SSID broadcasting to keep my Anonabox use under wraps, however the makers have stated that the broadcast range is rather small and so the ability for someone else to see the SSID is greatly reduced. WiFi encryption is WPA2-PSK (TKIP/AES).
Connection via wired connection or WiFi is a simple affair and once connected a quick check of the TOR project website to see if the connection was indeed being routed via TOR confirmed the fact. After which I was able to browse .onion websites and upon checking my IP at various websites they reported with a TOR exit node IP and not that of my home connection. The Anonabox does not suffer from any WebRTC IP leak issues that were experienced by OpenVPN users in recent months.
From a layman's point of view the box does as it should and gives access to the TOR network without set-up and without the need for software. In essence it is a small user-friendly portable device.
However one of the issues with privacy, anonymity and security is often user-friendly does not always equate secure.
The security expert opinion
We passed the Anonabox to Cybergibbons, a self-styled “reverse engineer, hardware hacker, security analyst, lock picker & heist planner” who spends his days tinkering with the ins and outs of systems and probing their weaknesses. Cybergibbons was a vocal opponent of the Anonabox when originally announced due to security issues raised and after probing the Anonabox made the following observations.
- It routes traffic via Tor as expected.
- DNS doesn't leak.
- If it can't route it over Tor, it just stops it (although it could do this in a nicer way).
- WiFi is secure.
- You can connect via the console and have root access. This kind of contradicts some statements they have made before about being able to leave the device unattended and be safe.
- The IP range of 22.214.171.124/24 and 126.96.36.199/24 is very strange, as it is an in-use IP range and not private. It's not good Internet citizenship, and anyone wanting to use anything on that range is stuffed.
uhttpd (webserver) and dropbear (SSH) are still running on the device.[edit- this has been resolved in newer shipped devices]
- root (along with every other account) no longer has a password but Linux generally treats this as “disable account” for normal logins.
- uhttpd is accessible on the IPv6 link local address on the WLAN but not WAN or LAN interface. As root has no password, there is no password required to login. This means anyone you give the WiFi password to can reconfigure your device without your knowledge. Again, this is odd. Why is it only running on WLAN and not LAN? Why not password protect it? It also doesn't line up with the claim that it cannot be reconfigured.
- dropbear is accessible on the IPv6 link local address on WLAN as well. It runs on a random port number, but can be found with a port-scan. Dropbear has password auth swtiched off, so the only way to login would be by using a keypair. There are no keys on the device, so there is no-way to login. This is odd. They should have disabled dropbear if you can't login with it.
- There's no way for a user to change the WiFi pass or any other setting. It means if you ever let a friend use it, you can't stop them using it.
- The range of MAC addresses used for the device is distinct and not registed with IEEE (which it should be). Plug this into any network, and the admins will be able to tell that it is an anonabox from the MAC. I'd really say that MAC randomisation would be a good idea.
- It has virtually nothing custom beyond openwrt. This really doesn't align with Anonabox's claims about writing millions of lines of code.
- There is no way to update the firmware of the device. This isn't good – an error in config or any vulnerability cannot be patched.
What do Anonabox themselves say
While the firmware of the box itself can not be updated as pointed out by Cybergibbons, Anonabox state that the box itself does check weekly for TOR updates and if such an update is required it will automatically update over an encrypted connection. The reasoning behind this is to remove any such requirement for the user to update it themselves.
Anonabox state that the box makes use of TOR circuit isolation. This is a way of enabling each user of the same box to become in essence an individual. i.e; one user may show a TOR exit node in the Netherlands while another connected to exactly the same Anonabox could show a TOR exit node in Malaysia. This is done so there is no way to collate a group of users to one location.
An explanation for the lack of admin panel given by Anonabox is to stop a user without the correct expertise from making a change that may compromise both their security and privacy. Another reason is to remove the possibility that a malicious hacker could possibly compromise the device, without any such configuration they aim to remove that possibility.
Anonabox have informed us that they do intend to introduce an Admin panel on a future version for users who do wish to make their own changes. This could indicate an Anonabox Mark II may be available in the future to address some of the criticisms of the original device.
The Anonabox was riddled with controversy from the outset which, unfortunately, has tainted the whole view of the project from the get-go. In recent months the takeover of Anonabox as a company has started to address some early criticisms and failings of the initially announced device. A measure of a company is often how they react to criticism and if they aim to address issues when raised.
One initial huge issue was the lack of WiFi password, this has been quickly rectified and it appears the new owners of the company are aiming to address the concerns of the security community.
The box itself from a layman point of view is extremely easy to use and for those who haven't dabbled with the TOR network before it is certainly an avenue into the world of hidden websites and traffic obfuscation.
Unfortunately for the security expert the device is not the magic bullet solution to online privacy and anonymity and it is unlikely any plug in and play device will ever answer this question. Privacy and anonymity have so many facets that need to be overcome that for the average user to completely cover their tracks it becomes an almost impossible minefield.
While the Anonabox may not be the holy grail of anonymity online it does make some inroads for the new user to get to grips with the TOR network and also enable TOR usage on devices otherwise unable to access. For those new to the TOR system it may be the ideal device however for the political dissident or those working in life critical situations it does not appear to be the answer.
The Anonabox can not be all things to all people but for the new user it does breach the minor learning curve that a software based solution may present. If you're interested in accessing hidden websites and having a play around with the TOR network then picking up an Anonabox will certainly tick this box, however at US$100 one needs to ask themselves how much they really want or need to use TOR in the first place.
Users interested in purchasing an Anonabox can do so directly from the manufacturer @ www.anonabox.com