Safeplug is Not Safe

An independent security audit of the Safeplug turned up glaring security holes, such as the total lack of any authentication for altering settings. Given that there haven't been any updates released for the Safeplug in over a year, I've totally given up on it. Ars Technica wrote a great op-ed on why these Tor middle-boxes are somewhat misguided. If you are looking for more foolproof security, check out Tails or Whonix.

The importance of my personal security has increased in line with my involvement in Namecoin and as head of Speech.is. Lots of money and secrets could be gleaned from compromising my systems. My laptop is the workhorse for all of my personal and professional activities, and segregating my administrative functions would be very complex and less secure than I would like.

Over the winter break I looked over my options and settled on using a Chromebook and an NFC implant for administrative functions. Chromebooks tie hardware and software security together: verified boot seals the usual gaps between firmware, OS and applications, and software updates are applied automatically.

The last piece of the puzzle was a secure communications link between myself and my servers. While I use a VPN to protect myself, there are some activities that I need to carry out over Tor. However, Chromebooks do not natively support Tor. To run it locally I would have to enable "developer mode", which turns off the verified-boot checks that make Chromebooks more secure than an average laptop.

I later learned that you should only use the Tor Browser Bundle, as the Tor devs have beefed up the security of the browser to avoid things like fingerprinting. So Chromebooks are a non-starter for me, but the rest of this review is still valid.

However, it is possible to wrap all of a machine's communications using the middle-box pattern. Whonix uses this approach by creating a virtual machine that acts as a secure gateway for the traffic of another, general-purpose virtual machine. Various hardware implementations of the middle-box pattern have existed over the years as well, including a semi-official Debian distro for the DreamPlug. The hardware versions all work the same way: the internet comes in through one ethernet jack and your computer plugs into the other. The middle-box is the client's only route to the outside world, so even software that ignores proxy settings cannot leak anything: the Chromebook never sees the real network, and every packet either goes through the Tor network or goes nowhere. The caveat is that this only covers the network layer; it does nothing about application-level leaks such as browser fingerprinting, which is why the Tor Browser Bundle still matters.

In November, Pogoplug released the Safeplug. I had seen headlines on hackers adapting the vanilla Pogoplug as a Tor router and I was happy to see a commercial Tor product being developed from those efforts. The prior hardware implementations all had one thing in common: they were handmade one-offs created by activists without a financial plan for sustained long-term development. Better still, it appeared that Safeplug was taking usability very seriously:

Safeplug sets up in 60 seconds and allows you to use your existing web browser, and even your phone, to browse the Internet with complete anonymity and peace of mind.

As usability == security, I saw this as a very important development. People have been screaming at Tor developers to make things easier to use for years, and Safeplug seemed to take usability engineering seriously. Unfortunately, they pretty much ignored the whole "safety" part of the engineering equation.

When I purchased the Safeplug I was expecting a setup equivalent to that of prior Tor efforts: two ethernet jacks and no setup. When I unwrapped the Safeplug I was immediately deflated: the Safeplug logo was just a sticker covering the standard Pogoplug logo. When I flipped the Safeplug around I saw only a single ethernet jack. It was the regular Pogoplug case.

I tried to rationalize these choices. I know how much it costs to make new dies and alter production lines, so perhaps they were waiting to see how sales went before committing their full resources. I tried to think about the usability angle: most home users just use wifi, so maybe this was an access point … or something. But the 3-step instruction card confirmed my creeping suspicions:

  1. Plug the Safeplug into your network.
  2. Visit pogoplug.com/safeplug and click “activate.”
  3. You're done!

Not "Connect your Pogoplug to the network and join the Pogoplug wifi access point …" but "Head to a public website." Oooookay… I guess they could do some auto-configuration based on sharing the same IP address as my Pogoplug; that would be safe on my network and most other home networks, but it is NOT safe on any NAT'd connection like you might find in a university dorm room or a hotel. "But," I thought to myself, "maybe they ask you to install a browser add-on that is capable of checking the local network. That would be kinda safe, unless your network has already been cracked by bad people…."

But no, there was no browser add-on, just a nice-looking set of instructions about how to download a proxy configuration file over an unencrypted link and install it using your favorite OS/browser combo. Fuck.

This would be fine if one assumes that both the local network and the connection to the Safeplug website are trustworthy, but Safeplug cannot make that assumption for its customers. Given their target audience, they should assume that the local network has already been owned by someone. I do not know much about proxy handshakes, but the config file doesn't have any authentication mechanism whatsoever:

function FindProxyForURL(url, host) {
    if(isInNet(host, "10.0.0.0", "255.0.0.0")) {
        return "DIRECT";
    }
    if(isInNet(host, "127.0.0.0", "255.0.0.0")) {
        return "DIRECT";
    }
    if(isInNet(host, "192.168.0.0", "255.255.0.0")) {
        return "DIRECT";
    }
    if(isInNet(host, "169.254.0.0", "255.255.0.0")) {
        return "DIRECT";
    }
    if(isInNet(host, "172.16.0.0", "255.255.240.0")) {
        return "DIRECT";
    }
    return "PROXY safeplug:8080";
}
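To see what that file actually decides, here is an added example (my own code, not Safeplug's or Pogoplug's) that evaluates the vendor's rules offline in Node.js. It implements the PAC isInNet() helper as the PAC semantics define it: a hostname that is not an IP literal is resolved through the ordinary system resolver before the proxy decision is made, so every site you visit, .onion names included, produces a clear-net DNS query before any byte reaches the Safeplug. Real DNS is replaced by a constructed in-memory table so the script runs offline. It also evaluates a variant with the 172.16.0.0 mask widened to 255.240.0.0, because the file's 255.255.240.0 only covers 172.16.0.0/20 rather than the whole RFC 1918 172.16.0.0/12 block. Note too that nothing in the file identifies the proxy beyond the bare name "safeplug": whoever answers for that name on the local network is the proxy.

```javascript
// Added example (not Safeplug/Pogoplug code): evaluate PAC routing decisions offline.
// The rule table below is a transcription of the vendor's FindProxyForURL as
// quoted above; everything else is scaffolding written for this post.

// Constructed stand-in for the system resolver, so the script runs offline.
// A real browser would send these queries to the configured DNS server.
const FAKE_DNS = {
  "www.example.com": "198.51.100.7", // fictional public address
  "printer.lan": "192.168.1.20",     // fictional LAN host
  // deliberately no entry for *.onion: a clear-net resolver cannot answer those
};

// Hostnames the current PAC evaluation handed to the resolver.
let dnsLookups = [];

// Dotted-quad string -> unsigned 32-bit integer, or null if not an IPv4 literal.
function ipToInt(s) {
  const parts = s.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// PAC dnsResolve(): in a browser this is a real lookup through the OS resolver.
function dnsResolve(host) {
  dnsLookups.push(host);
  return Object.prototype.hasOwnProperty.call(FAKE_DNS, host) ? FAKE_DNS[host] : null;
}

// PAC isInNet(): a non-literal host is resolved first. That resolution is the
// DNS leak, because it happens before the proxy decision is made.
function isInNet(host, pattern, mask) {
  let ip = ipToInt(host);
  if (ip === null) {
    const resolved = dnsResolve(host);
    if (resolved === null) return false;
    ip = ipToInt(resolved);
  }
  const m = ipToInt(mask);
  return ((ip & m) >>> 0) === ((ipToInt(pattern) & m) >>> 0);
}

// The vendor's rules, transcribed from the quoted PAC file.
const VENDOR_DIRECT_NETS = [
  ["10.0.0.0", "255.0.0.0"],
  ["127.0.0.0", "255.0.0.0"],
  ["192.168.0.0", "255.255.0.0"],
  ["169.254.0.0", "255.255.0.0"],
  ["172.16.0.0", "255.255.240.0"], // a /20, not the /12 that RFC 1918 defines
];

// Build a FindProxyForURL equivalent from a rule table and a proxy string.
function makeFindProxyForURL(directNets, proxy) {
  return function FindProxyForURL(url, host) {
    for (const [net, mask] of directNets) {
      if (isInNet(host, net, mask)) return "DIRECT";
    }
    return proxy;
  };
}

const vendorPac = makeFindProxyForURL(VENDOR_DIRECT_NETS, "PROXY safeplug:8080");

// Same rules with the 172.16.0.0 mask widened to the full RFC 1918 block.
const rfc1918Pac = makeFindProxyForURL(
  VENDOR_DIRECT_NETS.map(([net, mask]) => (net === "172.16.0.0" ? [net, "255.240.0.0"] : [net, mask])),
  "PROXY safeplug:8080"
);

// Evaluate one URL: the routing decision plus every name resolved locally on the way.
function route(pac, url) {
  const host = new URL(url).hostname;
  dnsLookups = [];
  const decision = pac(url, host);
  return { decision, resolvedLocally: [...new Set(dnsLookups)] };
}

for (const url of ["http://10.0.0.5/", "http://printer.lan/", "http://www.example.com/", "http://example.onion/", "http://172.20.0.5/"]) {
  const r = route(vendorPac, url);
  console.log(`${url.padEnd(28)} ${r.decision.padEnd(22)} resolved locally: ${r.resolvedLocally.join(", ") || "(none)"}`);
}
```

The interesting rows are the .onion and public hostnames: both end up at the proxy, but only after the name has already been sent to whatever resolver the OS is using, which is exactly the kind of leak a Tor middle-box exists to prevent. A PAC that is meant to front Tor should avoid isInNet() on hostnames altogether and simply return the proxy for everything except IP literals in private ranges.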

In terms of security, the Safeplug gets an F-. Even without the shady proxy file it would be trivial to MITM the Safeplug setup screen … *sigh*. Relying on external servers for anything but software updates (which should be signed by multiple parties in different jurisdictions) is a big no-no. Safeplug's entire setup is just unsafe.

It would have been more lucrative for the company, easier for the consumer, and harder to screw up the engineering if they had set up a VPN gateway which tunneled all of the user's traffic. So why are they using Tor? Their website states that they have no formal relationship with the Tor developers, but what idiot doesn't bother sending out a few free boxes to Tor developers for feedback? In an interview Dan Putterman (the CEO of Pogoplug) stated,

We could have run a VPN or proxy service somewhere else, but we realized the only way to truly guarantee [anonymity and safety] is not to be reliant on any other service. People who are skeptical can look at the Linux level and see exactly what processes are running. Technical users can look inside the box and feel safe that it’s only running Tor.

Either their technical team doesn't understand basic security, or Putterman chose Tor because it was free, not because they are worried about National Security Letters being delivered to VPN providers. Tor is really complicated, and any researcher quickly learns to run all of their ideas past a Tor developer before trying them out. In my personal experience, they have always managed to point out an incorrect assumption or a tricky edge case I had not thought of. If you want to make a Tor-related anything, you must hire a Tor developer to consult on the project.

The Safeplug doesn't fare much better in terms of usability: it relies on the user knowing how to set up and manage a proxy connection. Usability is more than pretty setup screens and "simple" instructions. For not understanding that lesson the Safeplug gets a D-, and only because of how bloody awful the usability is for most Tor-related projects.

The Safeplug team swung and missed, but at least they got up to bat and tried. I could have written a much more sensational headline for this story and included nonstop hyperbolic rhetoric about how stupid the Safeplug people are. However, the company is putting time and money into a part of Tor that is just as important as the abstract security guarantees offered by Tor's architectural design. The Tor people may be amazing programmers, but when it comes to usability they hold their bat out and ask the pitcher to hit it for them. Eight years after I told them to just hardwire the Tor proxy into the browser, it looks like the Tor team has finally recognized how important usability is. Everyone has to learn some lessons the hard way, and my sincere hope is that the Safeplug designers learn from their mistakes.

Sadly, I'm stuck with a $50 box which makes it slightly easier for me to casually browse .onion sites and produce regular cover traffic in the form of a relay node. If the Safeplug people want to address the usability problems with their current box, I would suggest they start by paying whoever is maintaining the Tor Browser Bundle to create a custom version which uses the local Safeplug as the backend proxy.

Going forward, I would suggest that they distribute this software on the Pogoplug itself. The user could plug into the Safeplug via USB and run an installer located on the Safeplug itself. This would install the custom Tor Browser and install the Safeplug's self-signed certificate, so that all future network-based communication with the Safeplug could be authenticated rather than trusted blindly. Perhaps they could offer to install EFF's HTTPS Everywhere extension for better system-wide coverage as well. Of course, all of the software should be signed using the appropriate OS binary signing scheme, with hashes posted on their website.

The Safeplug should copy the simple security solution offered by the middle-box design by adding a second ethernet jack and integrating a wireless access point. They could take the opportunity of the USB plug-in/software install step to configure the wifi more securely and (if possible) prevent the computer from connecting to impostor wifi access points. They could also monitor for impostor access points by running the visible SSIDs past a fuzzy string matcher.

I've got some cool ideas for anti-NSA hardware mechanisms as well. They could offer coatings which act as physically unclonable functions (PUFs) and give the signature to the customer during checkout. Any interdiction program would have to break the PUF in order to install a bugging device. Hardware encryption could extend inside the unit using a TPM, and the hardware should be open source (which is NOT an oxymoron). Of course, all of that is really, really hard. Until then we will have to settle for glitter nail polish.

I would also suggest that Safeplug offer a yearly VPN subscription and simply encapsulate all of the user's traffic that hits the access point. This would improve the user experience for those that are not worried about National Security Letters, as well as bring in a nice profit.

Getting a Tor middle-box that reporters and human rights activists can use securely is a very important goal. I hope the Safeplug team can hit a home run with a future version.

I tried to send a rough draft of this post to Pogoplug for comments. However, both feedback@pogoplug.com and support@pogoplug.com bounced my emails with a report about them being rejected as spam by a Google Group. Apparently they are using a Google Group to manage their customer emails, which would be fine if it weren't totally broken, and I'm tired of apologizing for them.
