Wifimity compares itself to a 50-year old computer

Once again we find ourselves with a KickStarter (archive copy) that’s claiming wireless networks are the sole reason for why users find themselves compromised.
Wifimity” promises to produce a “cloak of invisibility” with a device that is “military security level” for at least €77–the campaigners are looking to raise €48,000, or $54,000 USD.

[Ed: You really ought to read their Kickstarter page, it is a right mess.]

Actually, it’s really two devices: one called “Safebox” which just stores your passwords with authorization via a fingerprint reader; and another called “Shield”, which does the same, but also acts as some sort of VPN tunnel. It is supposed to sit between your device and wireless access point, and it connects itself to a service that the creators operate.

We’re going to ignore the password-only device since it is plausibly functional, and instead focus on the Shield device, where the meat and potatoes are.

Here are some of the features they claim will come with Shield:

  • “anonymous surfing” – It’ll anonymize your IP via something that sounds a lot like NAT.
  • “device cloaking” – It’ll scrub the identifying info off your HTTP requests.  Their use case is device-specific price discrimination.
  • “DNS server” – It’ll blackhole suspicious websites’ IP addresses.  No mention of where they get their blacklist…
  • “anti-virus” – The KickStarter claims that this is still “under construction”.
  • “encrypt your cloud” – Their only substantive stretch goal, they promise the Shield will encrypt all the data you “upload to your cloud”.

This really seems like a keychain version of some previous KickStarters we’ve covered.

These claims are bonkers

We should start off by pointing out that the number of people affected by compromised wireless networks is minuscule, compared to the number affected by corporate or government breaches.

Adobe’s 2013 breach affected well over a hundred million people, Home Depot’s hit over 50 million credit cards, and Target had taken out about 40 million.  These are far larger than the total number of times in history that someone has been affected by an individual running Aircrack at Starbucks. This isn’t to say that compromised wireless networks are not a threat, but these frequent “wifi protector” KickStarters all come back to the notion that user wifi insecurity is interchangeable with anything the layman would identify as “hacking”.

Here’s something we’ve seen before (see Sever) that makes us wonder if and how it defies the laws of physics:

Faster Surf: With this option activated you can increase up to 50% your browsing speed.
[…]
Speed: It doesn’t reduce your device speed because it runs out of your mobile, tablet, or PC.

Now there are some possibilities for this claim; they could include the following:

  • It removes half of the content that makes a website slow to load. Website bloat is a real thing and just by having an ad blocker or turning on certain features within the browser, page loading does become faster. Where is it doing this processing?
  • It compresses and decompresses every single thing that comes in and out in addition to providing an encrypted tunnel. How is this possible with a device that, based on its housing, is probably nothing more than a basic ARM-based device running at low-power? They claim that it won’t slow down your PC either, so again, where is it doing this?
  • They have no idea what they’re talking about and have no specific plan as to how they would make everything faster.

The first one seems to be probable as they link to an article from the Wall Street Journal about tracking cookies. Their concern over “price discrimination” – that your Internet activity will lead to online stores increasing prices on you, insurance companies increasing fees, and banks raising interest rates – has some merit, but these issues can be solved by the typical user, by employing the tools included with every modern web broswer. There is no need to throw money at a €140 device when all of this can be done for free.

There are hints that maybe they really don’t know what they’re talking about, however; at the start of the KickStarter page, there’s a statement about AES reminiscent of MyDataAngel.com’s DataGateKeeper:

“AES is the first (and only) publicly accessible cipher approved by the National Security Agency (NSA)..”

Really? I don’t suppose that they’ve heard of DES, have they? If you’re going to sell a cryptography product, it would be good to at least know a thing or two about the development of the algorithms.

More than 1,000,000 times the capacity of the Apollo 11 computer.

What do they mean by “capacity”? If we’re going to based on the storage capacity of the Apollo Guidance Computer (a computer that is 50 years old), which had 36 kilobytes of storage (in ROM), suggesting that it’s 1,000,000 times the capacity means that it has 34 GB of storage–let’s assume it’s 32 GB really. This is in no way a large amount of data by modern standards.

The specifications given for the device make no sense

Wifimity has provided a hypothetical specification for their keychain-sized device:

32 bits high speed microprocessor.
Cryptochip, high level security by hardware.
WiFi 2.4GHz chip or bluetooth BLE.
WPA2, TLS 1.0, HTTPS.
A battery 500mA with an intelligent charge system for long life.
A custom operative system (OS) to avoid hacking.

A 32-bit “high-speed microprocessor” is more or less the standard for devices these days (it’s later described to be a 32-bit ARM Cortex-based processor).  Their “cryptochip” appears to be a hardware implementation of AES, and 2.4 GHz wireless and Bluetooth are what I expect, but the rest of this just doesn’t hold water.

On the subject of cryptography, why is this using TLS 1.0? It’s vulnerable to both POODLE and BEAST. How was this overlooked? I guess this “custom [operating] system” that has been created to “avoid hacking” will take care of that problem right?

The cryptography doesn’t really make sense either considering this snapshot from one of the videos:

Screen Shot 2016-06-22 at 19.11.51

I can turn off encryption? I can turn off device cloaking and anonymizing options?

It gets weirder when you realise what the options at the top of the display webpage are for:

Screen Shot 2016-06-22 at 19.12.21

Oh wow. It just inserts a frame at the top? What’s the point of this device? Why is it not doing this passively? Does this mean that Facebook and other applications that do not make use of the mobile device’s browser do not get the same level of protection?

Nonsense. If we go back to the encryption part again, we see this gem as part of their stretch goals if they manage to achieve €250,000 in funding:

We keep a lot of important information in our cloud and this goal is to sure that it is safe and the all copies are unreadable in case we delete the cloud info.

So are they storing all your data on their own servers in cleartext unless they hit this stretch goal?  Or is this a clumsy restatement of their earlier claims about “encrypting your cloud”?

None of these features require a fancy device sitting between the user and a server to make it happen. In fact, this does nothing to solve the problem that the campaign seeks to resolve.

Who are these people?

As with previous exposés on this website, we like to document who’s leading these campaigns, as information on their backgrounds helps to discern between scammers and optimists. Unlike previous campaigns, there is very little information given on who’s behind it. This is evident in this passage:

Together with our team, we take our passion for innovation beyond our products and into every decision we make. In our product development process, simplifying people’s lives has always driven us at every stage. Simple products that can help people.

Pablo, our SEO, with several patents registered, has worked for more than 25 years in custom electronic projects. He has developed complex algorithms in collaboration with the mathematics department of UPV University and has made modems for GPRS, modems narrow band, and WiFi systems with encrypted solutions.

“Pablo” is actually “Pablo Jose Reig Gurrea”, CEO of Ladegar in Bilbao, Spain. His KickStarter profile is a bit more detailed:

Pablo is currently the CEO of Ladeger, company that develops technologic solutions for the consumer market. He graduated in Electronic engineering and worked more than 25 years in tailor-made solutions for industry, in British and German multinational companies. He has several patents registered and used to collaborate with the UPV university for developing algorithms and custom made solutions.

His prior work explains how he was able to build a demonstration device that appears to work as well as it does, but there is little to no evidence of his involvement in information security prior to this campaign. No website for his company appears to exist.

We get the impression however that Pablo is unsure of how his product will be assembled, as evident in this image:

madeinusa

But then it’s stated they’re still in negotiations over where it will be made:

We are in negotiations to manufacture in two plants, one in Albuquerque, USA for the American and Canadian market. “Made in USA.”

And the other in Bilbao, Spain for the European market. “Made in Europe.”

So it has gone from “will be” to “in negotiations”? Also, Canada would not permit “made in USA” just to be clear here.

We don’t expect this campaign to succeed.

Wifimity - Passwords & Surf Safe with Just a Key ring! -- Kicktraq Mini