Anonabox: How To Fail Horribly At Kickstarter

Late last week, Anonabox hit Kickstarter, glomming on to concerns over security, privacy, and censorship. The project was picked up on the usual tech blogs, lauding this project as the pinnacle of the Open Source, Open Hardware movement and a great investment for the privacy-minded technocrat in a post-Snowden world.

Then, the creator of Anonabox did an AMA on reddit. It was quickly discovered that the entire project was an off the shelf router found on AliExpress with reflashed firmware. The router sells for $20 in quantity one, and the Anonabox Kickstarter is giving them away with a minimum $51 pledge. The new firmware is basically a standard OpenWrt installation with a few changes to the config files. The project claims to solve the problem of hardware backdoors, but ships with a backdoor root password (the password is ‘developer!’), open WiFi, and ssh open by default. The Anonabox also claims to be a plug and play solution to security and privacy on the Internet, meaning if this project ever ships, there will be a lot of people who won’t change the default configuration. That’s rather hilarious in its implications.

According to the Kickstarter campaign, the Anonabox has gone through four years of development and four generations of hardware. [August] even has a great graphic demonstrating that each successive generation has reduced the size in half and doubled the system resources:

Unscaled
Image taken from Kickstarter campaign

Anyone with the slightest eye for detail will quickly realize that components, like Ethernet jacks, SD cards, and CF cards are always the same size. I wonder what this graphic would look like if all the boards were scaled so they were in proportion to each other?

Rescaled
Image rescaled so all boards are proportional to each other

Oh. That’s not fishy at all.

As with most Kickstarters that have seen this much negative attention, the project was suspended just a few hours ago, but not before gathering more than $600,000 in pledges at its peak.

suspended

Although the Anonabox failed, there is a market for a Tor-enabled router, and luckily we have one on hackaday.io. It’s so great that some of the copy for the Kickstarter campaign was lifted directly from this project. With a wealth of market research available, we can only hope that [CaptainStouf] runs his own campaign for the UnJailPi.

93 thoughts on “Anonabox: How To Fail Horribly At Kickstarter

    1. The router which Anonabox intended to use (their “version 4”) is an MT7620. Here’s the datasheet they released: http://anonabox.com/sauce/MT7620_Datasheet.pdf The MT7620 is used in the WRTNode: http://wrtnode.com/#4 which claims that:

      “WRTnode is a totally OpenSourced hardware now. PS: The Schematic of WRTnode is: http://cn.wrtnode.com/w/wp-content/uploads/2014/05/WRTnode_sch_v01.pdf, the PCB layout and BOMlist will open soon later.” http://wrtnode.com/w/?p=223

      Which is to say: “OMGWTFBBQ TOTALLY FLOSS. PS: JK BRO NOT REALLY FLOSS.”

      One of the problems with the MT7620 is that it requires a proprietary piece of Ralink Tech firmware for the WiFi driver. The driver it needs it based on rt2860 and the fact that it is not included in OpenWRT can be seen in this ticket on OpenWRT’s bug tracker: https://dev.openwrt.org/ticket/14625 which points to the binary blobs for the firmware: https://code.google.com/p/rt-n56u/source/browse/#git%2Ftrunk%2Fvendors%2FRalink%2FMT7620%253Fstate%253Dclosed

      All of that said, with all of the funds August’s Kickstarter, this would have been an excellent opportunity to find or create better hardware (like Bunnie’s Novena board) and securely deploy a real Tor Router ― with perhaps some help from kernel, hardware, and Tor Project developers would would love to see a secure Tor Router like this come into existence.

      The Tor Project has some idea what R&D needs to be done to create a real Tor Router that we’re happy with. Some ideas are on our mailing lists (https://lists.torproject.org/pipermail/tor-relays/2014-October/005514.html and https://lists.torproject.org/pipermail/tor-relays/2014-October/005541.html) and Jake (@ioerror) has put a significant effort towards pushing for us to do a Tor Router project, but we definitely need more helping hands and brains (ahem… and wallets) contributing!

      ♥Ⓐ isis

      1. He’s almost certainly referring to the “rounded corners” patent that Apple filed a few years ago. Rectangles with rounded corners are obviously a key and unique innovation that deserve protection from those evil Koreans and Japanese cell phone makers.

        1. it was part of the description of a design patent (equivalent to a registered design over here in Europe), and pretty much all of the description needs to match in order for infringement to be found. You can spot Apple haters easily by their repeated quoting of that one point and ignoring the other things that went with it.

          1. The diagram from the design patent used solid lines to indicate claimed shapes, and dashed lines to indicate illustrative shapes. The only solid line was a rounded rectangle.

          2. And there’s another one. Factors like radius and proportion play a factor in design patents, as does the category of device. Many companies found it perfectly possible to create tablet designs that didn’t infringe on Apple’s following the iPad, and anything not a tablet PC wasn’t covered, but still the cry of “patented rounded corners”.

  1. A dead give away if you have 2 generation of the product. Even if it *were* real, a company won’t have much future if it doesn’t know what it is trying to sell. Constantly up rev’ing shows that you have no clue. What happened to the 2 older generations? Did it even sell? Is the company more interested in making prototypes than selling them? That kind of burnt rates kills a company.

    Two, I can understand if you are a startup and it takes a while to develop a working proto for proof of concept, and by then you want to catch up to the bleeding edge. (need NDA with vendors to get their preproduction parts etc.)

    1. there were no generations, there was no product, those are generic devboards, KS fraudster NEVER even had them in hand, he probably doesnt own the final router either so he had to photoshop Alibaba picture instead

  2. why did they get suspended? If people at kickstarter are stupid enough to let him start this then why close it? I tried a few times to do LEGIT kickstarters but was denied. And that was for trying to raise about $500…

    Kickstarter sux and id never be cought buying from there.

    1. He got suspended for basically false advertisement, claiming that he had designed the hardware and that it was open-source when in reality he hadn’t.

      Kickstarter is – in my opinion – good for legitimate startups who have a finished design that’s at least mostly production-ready and just need the money to bootstrap their production, but finding such projects and figuring out if they’re legit can be more trouble than it’s worth.

    2. I hear ya. They denied me when I tried to make a $500 Kickstarter for a USBHID board that’d let people turn any switches hooked up to GPIO into HID/Gamepad ‘buttons’… They gave me some cock and bull story about how Kickstarter was primarily for ‘creative arts projects’ (wtf?!) and that my project didn’t fit.

    1. Is it a scam though? All across America you have people selling China-made crap for 100s of times what they paid for it. If it’s sold as described, it’s not a scam.

      It’s called capitalism, people.

  3. Here’s the link to the device in English. It looks like he got a Chinese company to make a slightly modified version of their existing product. Perhaps he had them change to a larger program flash chip (as he hints about in the kickstarter) and removed the USB port for external USB flash/disk (the off-the-shelf device seems to be able to support external storage).

    http://www.aliexpress.com/item/New-2014-300Mbps-WT3020A-Multiprotocol-Portable-Mini-WIFI-Router-with-USB-data-line-Wireless-Router-wi/1691403728.html

    Perhaps this is the same silicon as the wrtnode people are using (rt2860v2).

    http://www.wrtnode.com

  4. AliExpress is russian witch is even worse since remember the soviet union?

    the soviet union is spies so the router could be a honeypot.

    if you are going reflash off the shelf hardware then say so dont say it is proprietary or custom hardware.

    1. The Chinese may be doing something that the USA’s NSA has AREADY been caught doing.

      Economic cost is around 54% of CISCO sales this year.
      Why not focus on building better systems…. rather than stealing other peoples’ worthless crap in the first place…

  5. These sorts of scams are good forus as a society. People need to learn to take a deeper look at things and not just jump on hype trains. One day they might even realize that Apple puts out expensive products with weak specs.

          1. The only time I have waited in line unnecessarily was for Lord of the Rings Return of the King. My iPhone 5 was easily bought instore a month or so after release.

        1. If by exellent usability you mean a lackluster feature set and clauatrophobic user interface? All apple products are overpriced trash. Their OpenGL and graphics drivers are even behind the times. And lets not even mention Apple has no f-ing idea what a Retina even is (hint: it’s a sensor not an output). Coby makes products on par with Apple.

        2. Also when you “buy” an Apple phone you are really renting it, they control everything on it. They can access anything on it, and police can too, without a warrant. It’s not your phone or device, it’s apple’s. And sadly microsoft is heading down that road. At least android can be forked and run on custom hardware.

      1. Ever heard of using the full name for the first time and putting the acronym in brackets to show people what you will use the next time, like this:
        “Anonabox did an ‘ask me anything’ (AMA) on reddit”

        That is what i remember from school. Where did you learn practical language you illiterate fool?

          1. I expect everyone who has gone to school to produce the same minimal quality of writing, especially once they start writing for news sites.

            Terminology and acronyms are not the same thing, people can use whatever terminology they want, but there are rules for using acronyms for English, Go learn them.

          2. Yeah, fries, okay, granddad. Back to the nursing home with you.

            I sincerely doubt you’d have as much of a problem if the article had referenced RAM, or ROM, or CD-ROM, or any number of other terms despite AMA being as well-established on the Internet as any of the former ones are. Don’t blame the HaD writers for your own pathological inability to get with the times. Just go back to sipping mint juleps and screaming at kids to get off your lawn while the rest of us actually keep up with the world.

      2. I did use google, and this is what i got:
        American Medical Association
        American Medical Association
        American Medical Association
        Academic & Science » Psychology
        American Medical Association
        American Marketing Association
        American Music Awards
        American Management Association
        American Motorcyclist Association
        Against Medical Advice
        Automatic Message Accounting
        Academy of Model Aeronautics
        Anti-Mitochondrial Antibody
        Advanced Maternal Age
        American Motorcyclist Association
        Ask Me Anything
        Argentinean Manitoban Association
        American Music Abroad
        Anti Mitochondrial Antibodies
        Adaptive Management Area
        Agencia del Medio Ambiente
        Alleenstaande Minderjarige Asielzoeker
        Amateur Martial Arts
        Amarillo International Airport, Amarillo, Texas USA
        Airplane Modelers Association
        Automotive Manufacturers Association

        So now what? I just start guessing? You’re a moron.

        1. “Hmm, none of those seem to be what I’m after, I probably need to be more specific. The article mentioned reddit, let’s add that. Google “AMA reddit” and oh hey it’s the very first result!”

        2. Classic how pissed you got instantly, trying to slam me as a person and my intelligence left and right, you might be fluent in English, but your far more fluent in asshole. Even with the ability to regulate your speech with text, you still couldn’t control your anger and hatred. With 10% of a person’s language expressed as words, I can’t imagine how much of a loser you must have acted like, huffing and puffing while you write.

          1. He’s probably one of those 50-something assholes who rants about “them Twitters” and “those Facebooks” while polishing his gun and screaming at kids to get off his damn lawn, lamenting internally about how much better life was back when everything was based around the transistor rather than when those Jap-uh-NEEZ-made integrated circuits took over. No need to worry about him – old age, Alzheimer’s, or a combination of the two will take him soon enough, while the rest of us who can actually be fucked to keep up with the world will continue to make progress.

          2. Instead of spending time being angry at someone for something you yourself could have prevented, perhaps you should fix your writing style to fit to everyone instead of your closet group of boys that live on the internet?

            Being old is not a crime, and now knowing what a term is on a site that no one in the real world actually cares about is nothing new. Unless you all of the sudden think a Fortune 500 is going to start listening to Reddit-ers for investing advice now.

      3. DAGS (Do/Did A Google Search) that is what I did when someone commented with EABOD earlier. That is also how I found out about FOMO, ESAD, and ACRONYMs
        (Abbreviated Coded Rendition Of Name Yielding Meaning) B^) DAMHIKT

          1. No, it’s only been retconned to be so.

            acronym (n.): word formed from the first letters of a series of words, 1943, American English coinage from acro- + -onym “name” (abstracted from homonym; see name (n.)).

            Notice “name” comes from “nym,” that’s the clue.

            Acronym is no more an acronym than MARZIPAN.

      4. Lol! Frakkin’ hilarious!

        On a more serious note though, there’s a lot to be said for “reading comprehension”, and simply being smart enough to determine something’s meaning by the context in which its used.

        D00d is a lazy MF, and I’d be more than happy to cure him of that… if I thought he could make it one day on my job site, which I don’t.

    1. Technically, “yes” it would be easier to check for backdoors in the circuit logic language, remember the FPGA isn’t magical, it still runs on actual hardware. Besides the fact that a lot of manufacturers purposefully place backdoors in software, cough “Microsoft/Apple” to name a two, but with 64-bit CPUs, opcodes are getting so long, no one will know what backdoors are in CPUs. Always remember the only unhackable computer is one that doesn’t accept input, or isn’t on. If your interested and have about a hour, watch http://www.youtube.com/watch?v=bCVT1BtlZn0, and watch the successive parts and you’ll learn, understand, and realize, a computer does nothing but what its told to do, it has no brain or thought, so just change the input and blam, hacked.

      1. I don’t know if my point really came across correctly but let me illustrate the point by a story from Defcon 2014. This one guy was hired by a corporation to try to infiltrate their facilities. The main floor and all major doors were monitored, guarded, IDs checked etc. But in the back was an exit for the main execs on the top floor, where there was an elevator that only went from the top to the bottom. So this guy picked the lock to the door, got in the elevator, used a set of service operator keys, then manually controlled the floor of the elevator, took it up, then got off a few floors up. Because the company had such strict restrictions and procedures to prevent unauthorized access, once he got there he had full freedom. When he told the execs how he got in, they replied with, “I was told that doesn’t go up.” Ding, ding, ding. there in lies the problem with all hardware, software, etc. So long as it accepts input (therefore changeable), its hackable. Try to always think back on that story, when you ask, “Is it hackable?” If the hardware already does it, then any statement saying it doesn’t is flawed logic. The computer can’t tell between good software and bad software, it doesn’t have a soul, it just runs anything possible.

      2. There is a difference between ‘input from user’ and ‘input from programmer’. One is (or at least should) be handled as data only or given limited capability, the other is what fundamentally tells the computer what to do. Any programmer can write a program that accepts input and whatever anyone enters into that input the computer won’t come under their complete control (provided whatever libraries the programmer uses to accept input and the computer hardware are secure). Problems are only caused when programmers make errors in handling input (bugs) or intentionally have the program ‘listen’ for certain inputs (backdoors). Your elevator example is a case of the former: the executives failed to account for all possibilities and when an unexpected possibility arose the ‘program’ (the security system and the elevator, which contained the bug) was exploited. Hardware design is similar.

        You are correct however in noting that the design in an FPGA could potentially be given a backdoor via the FPGA’s silicon (its real hardware).

        1. You don’t get it, and you are wrong, to put it bluntly. You clearly don’t design hardware, so try to learn rather than teach. All hardware is hackable. There is no universal law that says the way someone intended for it to be used, is exactly or possible to enforce. So long as hardware isn’t self aware, then the person that determines the route in which the hardware takes, is in COMPLETE control. That’s why input is all that is necessary. Software isn’t some magical language that runs on nothing, its just 1s and 0s, so just change the 1s and 0s at the right point, a vwah lah, hacked. YOU CANNOT CONTROL INPUT, EVER. That type of mentality is why hackers can hack so easily, because the assumption is, “If I design it like this, its the only way it can work” yet you fail to realize the logic and reality, just like the elevator principle, it still it identical to 1s and 0s everywhere, every time, in everything else, NO DIFFERENCE, you just reordered the sequence, that’s it. The ONLY computer not hackable, is one with no input, or off, period.

    2. Two problems:
      FPGA on a performance/price point of view isn’t that great especially when you are trying to implement things like a processor. You would be lucky to get 200MHz off a core when priced at the target price for the BOM of the final product. SO you are looking at ~$10-ish for that magical FPGA. You’ll also need a much larger and more expensive part if you want to implement the data path of a router and use a simpler uC for control path. Not quite what you can sell at $50 for a final product either.

      You would still need to reflash it with something you trust (better). So basic trust issue not solved.

      1. So obviously you are not familiar with the SPARAC designs for Xilinx with cross switched logic
        Also ASIC or FPGA IS the way to go on this, there is no high speed routing fabric inside many of these SOC’s used in ‘cheap’ routers, after all , you take a packet from one port and shove it to another one, that is not a job for a CPU ( in fact MANY of these shitty CPU’s string the ethernet ports off I2C or USB… way to bury ANY throughput)

        In the case of switches and routers it is about parallel processing not MHz rating in some second rate pipelined CPU

    3. I dream of this, but opensource and FPGA are two words that do not go together. Pretty much all FPGAs on the market are tied up in expensive propriatary software with confusing liscencing agreements. A few open source projects are happening but most of them are just IDEs that just call xilinx/altera’s synthesizer binaries.

      1. Preventing the scammer from taking their money, just so they can pledge it to the next scammer in line is not what I would call “protecting fools”. Protecting themselves, yes, but not the fools.
        How many of these people are actually going to learn from this experience and do actual research next time? Most will probably just shrug, go back to the KS homepage, and start searching for another too-good-to-be-true, vaporware scam to “invest in”.

  6. It sucks that douche bags like this guy (and the Scribble Pen guys) put projects like this on Kickstarter which could potenitally weaken or even kill crowd funding in the future, ruining it for the rest of us.

  7. Guys, was just wondering something.
    What’s the point of a TOR enabled router? I’d see that more of a danger than an anonymizer for normal users, since they’d still use it like their everyday router, for all of their critical data to be sent to TOR nodes for easy listening.

    You could use it as an “anonymiser 101” for whenever you need some anonymity and you’re too lazy to do it yourself, and then turn it off when you’re done, but then again, the people really needing this should already have done their homework and created the proper tools.

    If there’s a real interest out there for that, it must be for a reason, but i don’t see it, so it’d be grateful if someone could tell me

  8. There is this STUPID myth, that if you have a computer and pass the traffic through TOR either as a service or as a ‘magic box’ , that you will be protected on all your internet traffic.

    It is bollox , it is that simple,
    It is akin to taking a picture of yourself with a unique signboard, then sticking a Mc Donald’s bag over your head, taking another picture, posting both on the internet and challenging people to identify you.
    TOR only works as a very carefully controlled service and is only capable of protecting specific traffic, moving the ‘gateway’ further out from your computer only has the potential to weaken any protection the service may give you…….

      1. Yep… that is the problem, the number of complete cretins that use TOR, but then log into a known account, even torrents are not secure.

        It is as if someone read a little about TOR, then saw the warnings about links that are triggered outside of the Tor secured browser, and though “Hay I know how to fix that…. I can secure ALL the traffic with a black box” so now we have these idiots logging into their secured bank accounts via TOR, better still routing emails to/from their email server without TLS now means that you have UNSECURED textual traffic going via an unknown route possibly via a sniffing gateway…. and all because some tosser thought it was a ‘good idea’ to make a TOR router….

  9. It’s not really a scam, it’s just misleading. The product exists and does what they say.

    They just lied about creating the hardware and have made some very poor security decisions.

    This isn’t unusual, most of the projects I see on Kickstarter are already available on Ali or eBay in a slightly different format. For example on Kickstarter you might see a wireless bathroom speaker shaped like a whale. The same thing is being sold on eBay from China for a fraction of the price but instead of a whale, it’s a Dolphin. Same electronics, same plastic, same everything.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.