Why You Can't Put Security in a Box
Buying into a Kickstarter promising cybersecurity is foolish, even dangerous.
Another day, another crowdfunded product claiming to easily provide cybersecurity to consumers. A new Kickstarter project called "Veiltower" promises backers a device that will create a "hacker-proof wifi network." That should be worrying enough, as it's just asking for the undivided attention of people wishing to prove them wrong.
But the real problem is that this project, and plenty of others like it, are perpetuating the misguided and possibly dangerous idea that security can be simply packaged into a neat little box and shipped out en masse. When, in reality, security is about behaviour, rather than any single shiny product.
At the moment, Veiltower has raised just under $10,000 from 59 backers, and its creators need to source a quarter of a million dollars within the next month. Essentially it's a piece of hardware that acts as a WiFi hotspot, but that routes your traffic through a VPN, and provides some firewall protections and anti-virus capability, the listing claims.
All of that sounds startling similar to previous crowdfunding projects.
There was Anonbox, which claimed it would route all of a user's traffic through the Tor network, and raised nearly $600,000. It was later revealed to have some serious security holes, which forced the company to recall over 300 units. Shortly after came Invizbox, which essentially said it did the same thing, but that managed to garner its full goal of $20,000.
Even if some of those products aren't simply cybersecurity snakeoil, and actually perform what they claim, they are still pushing the notion that security is something that can be purchased, rather than a concept which needs to be learned.
"Security is a process and behaviour not one product."
The "security in a box" mentality is a foolish idea. There are bugs in all software, and if they are discovered, users might need to apply any patches themselves; something which the target demographic of products like Veiltower won't necessarily do. Indeed, the entire point of these boxes is to provide peace of mind to those who don't have the technical know-how, or perhaps can't be bothered, to setup a VPN or anything else themselves.
To think that being secure is as simple as backing a Kickstarter project might also be harmful.
"Claims regarding security can be very dangerous particularly for high risk individuals," Richard Tynan, a technologist at Privacy International told Motherboard in an email. "Lulling them into a false sense of security [concerning] all traffic on their network is a very risky prospect."
To be fair to Invizbox, they do make it clear that nobody should be relying on this technology if their life depends on it: "Do not trust your freedom or your life to this technology! It's not designed for that," the IndieGoGo page reads.
Regardless, it and others still promise to provide security simply by buying their product, a notion that backers seem all to willing to blindly trust.
Instead, security is understanding the threats against whatever it is you're trying to protect, be that your personal data or anything else. Security is appreciating that no strategy is perfect, and that hackers will find a way to get into your system. Security is being able to adapt when new problems arise.
"Cybersecurity is a hot topic," Tynan said, "but as most professionals I speak with say: security is a process and behaviour not one product."