The middle to end of 2014 saw a flurry of interest in the security and privacy community after a hardware TOR router was thrust on to crowd funding site Kickstarter. The project soon began to fall apart after the security minded public started poking holes in the device and the story behind it.
In response to the perceived failings of the original TOR router a small but plucky Irish team (the reason for my cheap use of craic in the title for those who aren’t switched on) decided to take on the job of releasing a similar device that attempted to answer the failings of the original project and not only that but they also made it part of their mission to ensure that any claims of what the device was and wasn’t capable of were made clear.
Fast forward to 2015 and $20,000 of IndieGoGo funding later and the InvizBox was launched!
What’s the purpose of TOR?
The InvizBox is a small hardware device that allows access to TOR.
TOR otherwise known as The Onion Router is a network of computers that work as relays to bounce your internet requests through a series of those computers with the purpose of providing you privacy and anonymity. Your requests are passed randomly through a selection of relays in an encrypted manner before finally being decrypted at what is known as the exit node at which point it is passed to the wider internet. If you make another request it follows a different route and so on and so forth.
Although TOR isn’t a one size fits all solution to either privacy or anonymity and there are many facets involved in the make up of those goals it is a useful starting point.
TOR is usually accessed via a software solution such as the TOR browser.
What is the InvizBox?
The InvizBox is a small pocket-sized physical hardware device to allow systems such as your computer or even phone to connect to the TOR network without the requirement to install any kind of software solution. A plug in and play TOR device if you will.
It generally doesn’t have a target market mainly due to the marketing from the company behind it who have iterated and reiterated about both the possibilities of the device and the shortcomings of what it can and can’t do. The use is clear and that is to bring easy access to TOR in a hardware device removing the need for a software solution and even solving the issue of systems that do no inherently have the ability to connect to TOR.
It can be purchased directly from the manufacturer for the ultra low price of US$39 which is approximately £25.54 or €35.09. Shipping is set at the flat rate of US$6 to anywhere in the world and EU customers will be charged VAT at the rate in their own country. When you consider the price is over 2 and half times cheaper than the original competitor this really isn’t a price to be sniffed at.
The device itself is similar in size and shape to the original device that sparked the hardware TOR router craze in the first place, so roughly the dimension of a credit card, different only in port configuration layout.
Similar to the surface area of a credit card
InvizBox can be accessed both wired and wirelessly, after installation a new Wi-Fi hotspot is created allowing any device that has Wi-Fi capability to access the TOR network, this also enables access to .onion websites which are often referred to as the “deep web” or even the “dark web” when it concerns websites of dubious legality.
How does it work and what do you get?
The package contains :-
- 1x InvizBox
- 1x USB power cable
- 1x Manual
- 1x Ethernet cable
The InvizBox comes in a security sealed cardboard package. Both sides of the packaging are covered in protective security seals that are impossible to remove without tripping the security feature. Once the security seals are removed it leaves a series of VOID markings printed on the box that are impossible to replace.
Tamper proof security seal protects the integrity of the InvizBox
The security seal itself isn’t just a fancy aesthetic for the paranoid but a feature to ensure that the integrity of the device remains intact while the InvizBox is being transported through the postal system to yourself. In a nutshell it aims to protect against government interference for those who want to ensure their privacy.
Once removed from the packaging the set-up is extremely simple. Connect the USB power cable to the InvizBox and the other end to a USB power source. This can be your router if it has a USB output, your desktop or another device that has a USB port. After a few seconds a light on the device will start blinking and it is now basically active. A new Wi-Fi hotspot will now be available named InvizBox.
Unlike the closest competitor device, the InvizBox comes with an ethernet cable which is another bonus considering the low price of the device. Those who wish to use wired access can connect the ethernet cable to the WAN port located on the back of the device and the other end to the system they wish to access. I actually preferred the physical layout of the sockets on the InvizBox with them all being based at the back of the device, this meant it could be left at the back of a desk with cables hanging down behind.
Port configuration makes for tidy cables.
The first thing to note is the device works straight out of the box so for new users it’s simply plug in and play but for those who want to delve under the hood and play around with the settings there is a full control panel for the device. This is excellent news as the lack of one was one of the criticisms of the device that got the whole hardware TOR router scene started.
The admin panel really introduces a fix for a lot of the issues raised with the competitor device. Users can change the Wi-Fi password to whatever they choose so there is no issue with losing the original. I also liked the ability to change the SSID as I generally wouldn’t want to have the name “InvizBox” broadcast all over the neighbourhood due to the unwanted attention it could attract. With the ability to change the name also comes the ability to disable broadcasting the SSID which is a welcome feature.
InvizBox configuration for the end user.
Connection was a straight forward affair and after plugging in an ethernet cable or connecting via Wi-Fi my system confirmed I was using the TOR network when checking the TOR status website. Websites of the .onion type were accessible and geo-location information showed my location to be other than my own which changed as I refreshed. InvizBox recently introduced a GeoIP option so users have the ability to choose the country of the exit node that will be useful for anyone wanting to access a specific service or appear in a certain country.
The device suffered no DNS leaks or issues with WebRTC that have recently been big security concerns in the VPN world.
With the ability to access an admin panel it opens up the possibility to update the device meaning that if any security issues are discovered then the InvizBox team can release an update. The source code of the InvizBox has finally been released giving the security community the chance to mull over what makes the device tick.
Updates are done manually so for users who aren’t likely to access the admin panel they’re equally likely to be unaware the device needs updating. This could potentially lead to a situation where a user’s device could be left with a security issue and so the onus is on the user to be on the ball and keep the system updated.
Tor itself is also currently updated with the firmware and not automatically but the addition of automatic updates has been implemented in the latest firmware for future use.
Updating is a relatively straightforward affair and anyone with average computer skills should be able to complete it, however for the absolute novice this may be a step too far and begs the question of if extreme novices will be left with potential security issues should they not be able or aware of how to update the device. That said, being able to update the device is a major plus.
The settings interface of the InvizBox alerts users when updates are available. To update users simply download a firmware file from the InvizBox website, select it from within the admin panel and the box itself takes care of the rest of the work. A simple process although once flashing had finished on my first attempt the screen paused and gave no indication that it had actually finished, after a few minutes nervous waiting I quit the browser and was pleasantly surprised to find it had indeed updated correctly even without confirmation. InvizBox informs me this was likely to be a one off.
Updates keep the InvizBox secure.
The Techspert opinion (That’s Tech-Expert!)
Privacy and security mixed with user-friendly often don’t go hand in hand and the holy grail is to produce a product that is both easy to use for the everyday user and actually secure, most devices never manage to achieve this.
To put the InvizBox through its paces and attempt to poke more holes in it than a Swiss cheese we let Cybergibbons give it the once-over and then twice-over. Cybergibbons spends his days hidden away in a darkened cave, hunched over a work desk, reverse engineering security products and analysing them for their weaknesses, so he knows his stuff. Ok, the cave bit was a bit of creative licence, but the rest is true.
Cybergibbons found quite a few security issues with the Anonabox that we recently reviewed, many of which were not found in the InvizBox, however there were a few pointers which are given below.
- It has a web interface that users can access to change settings.
- The firmware can be upgraded and they are pushing out upgrades. I extracted and compared the firmware they have on their site, and they are changing the things they say they have and nothing looks dodgy.
- There’re no weird IP ranges involved.
- It has the fixed MAC and NTP request leaks like Anonabox, but minor.
Overall the InvizBox was found to be more secure than the Anonabox due to a combination of not having as many issues but also not making as many claims.
Cybergibbons summed up his thoughts with the following sobering statement.
Really, it is a better, cheaper version of the Anonabox that is future proofed. I still don’t think that Tor routers are a great idea though.
As Cybergibbons himself said, it is like a better version of the Anonabox and that sums up the product nicely. Essentially it fixes the flaws seen in the device that launched the TOR router craze and has the ability to correct further wrongs if and when discovered.
The aim of the InvizBox has always been from the start to make clear the positives of the box but also to ensure that users are aware of the shortcomings of not just their product but any such hardware TOR router. Like the Anonabox before and any future TOR router device this one piece of hardware is not a full solution to online privacy or anonymity.
The InvizBox definitely pushes some way towards providing users with the ability to use the internet anonymously. However, it also requires users themselves to be aware of the ways in which the software we use such as on our internet browsers like adobe flash and other add-ons can potentially leak clues to identifiable information. Generally user error or simple mistakes are what exposes users to privacy issues.
InvizBox have done a great job from a security perspective answering the issues seen with the original TOR router project. The box itself is extremely easy to use and basically does what it says on the tin. If you’re after accessing TOR on a device that otherwise wouldn’t be able to access or you just want plug in and play access to TOR without installing software then the InvizBox is certainly the solution for you.
At under US$40 the box is an absolute steal of a price. It may not be the full solution to online anonymity but with the extremely low cost it is certainly a nice tool to have lying around in an arsenal of privacy products.
Questioning if you really need to access TOR is the first port of call and remembering the device does not suddenly allow you to be sloppy with your own online privacy is key but if you fancy having a bash at TOR and at $40 for the InvizBox it is hardly going to break the bank.
The InvizBox is available to purchase directly from the manufacturer, https://www.invizbox.io/