Who killed Proxyham?

Earlier this month, security researcher Benjamin Caudill unveiled a new, cheap anonymizing device called Proxyham that set the security press a-buzz.

Caudill noted that while technologies such as TOR can provide a certain level of anonymity, there exists “a fundamental flaw”: the direct relationship between IP address and physical location.

If your true IP is ever uncovered, it's game over – a significant threat when your adversary owns the infrastructure.

Proxyham’s promise: to enable whistleblowers, dissidents or anybody who seeks anonymous connectivity (including, of course, criminals) to connect to a Wi-Fi spot that’s up to 2.5 miles away.

Thus would surveillance be thrown off-track, as law enforcement or other snoopers sniff their way not to our doorsteps but rather to whatever public Wi-Fi spot the device gloms onto – for example, at a local coffee shop or a public library.

But over the weekend, the rug got pulled out from under not only the Proxyham project, which has been shelved, but a talk that had been slated for the upcoming DEF CON security conference.

Speculation has subsequently erupted over the mysterious cancellation and Caudill’s statements that he’s not at liberty to explain.

This is how the hardware device was billed in the lineup before the talk got cancelled:

[ProxyHam] utilizes both WiFi and the 900Mhz band to act as a hardware proxy, routing local traffic through a far-off wireless network – and significantly increasing the difficulty in identifying the true source of the traffic.

Caudill initially promised that not only would he demonstrate the device itself; also, his firm, Rhino Security Labs, would release, for free, the full hardware schematics and code.

On Friday, Rhino Security tweeted that it was pulling the plug and zipping its lip:

Effective immediately, we are halting further dev on #proxyham and will not be releasing any further details or source for the device

— Rhino Security Labs (@RhinoSecurity) July 10, 2015

Rhino Security Labs @RhinoSecurity
Effective immediately, we are halting further dev on #proxyham and will not be releasing any further details or source for the device

…as well as cancelling Caudill’s talk:

We will also be immediately cancelling the @caudillbenjamin talk at @_defcon_ on #proxyham and #whistleblower #anonymity

— Rhino Security Labs (@RhinoSecurity) July 10, 2015

Rhino Security Labs @RhinoSecurity
We will also be immediately cancelling the @caudillbenjamin talk at @_defcon_ on #proxyham and #whistleblower #anonymity

…and that all the prototypes it’s built so far are going to be scrapped.

These are some of the speculative theories that have been put forth to explain the death of Proxyham, as well as what we’ve seen for the whys or why-nots:

• No FCC license?
  Why this isn’t it:Caudill has responded to media outlets asking about his apparently missing FCC license or the theory thatProxyham might have violated Federal Communications Commission (FCC) rules, saying that the FCC had nothing to do with it. The firm was only starting to look at 900MHz licensing, so theProxyHam deviceswere capped at the 1-watt limit as required by the FCC, he’s said.Besides, as CSO notes, security talks that could have had a similar conflict, such as this one (YouTube video) from BlackHat 2013, haven’t been cancelled.
• What about a patent issue?
  Why this isn’t it: It’s been suggested that patents held by Ubiquiti or Intel are forcing the project to close down. But Caudill told CSO that this wasn’t behind the shutdown, and there are “no IP-related issues.”
• Is Caudill under a gag order?
  Maybe yes? In what he describes as his “rant” about Proxyham, CSO’s Steve Ragan suggested that Caudill might have been served a National Security Letter (NSL) that came with a gag order. Caudill’s response: “No comment.” Hmmm.

But there are others who suggest that all this talk about a conspiracy on behalf of the Feds to squash Proxyham amounts to a pile of steaming nonsense, given that Proxyham wasn’t a particularly groundbreaking, or even a particularly effective, tool.

Security researcher Robert Graham, for example, said that the DEF CON talk “was hype to begin with.”

From his blog:

You can buy a 900 MHz bridge from Ubiquiti for $125 (or MicroTik device for $129) and attach it to a Raspberry Pi. How you'd do this is obvious. It's a good DEF CON talk, because it's the application [that's] important, but the technical principles here are extremely basic.

Graham notes that comparing the picture from Wired’s story on Proxyham with a picture of the bridge on Ubiquiti’s site suggests that this is indeed one and the same piece of hardware.

He theorizes that perhaps the media attention gave somebody cold feet, rather than the FBI getting spooked by the device and sending an NSL.

For his part, security researcher Dave Maynor plans to whip up his own version of Proxyham:

I intend to duplicate the #proxyham functionality (according to the OSINT we have) document weakness and provide ideas. #proxyhamrebirth

— David Maynor (@Dave_Maynor) July 14, 2015

David Maynor ‏@Dave_Maynor 4h4 hours ago
I intend to duplicate the #proxyham functionality (according to the OSINT we have) document weakness and provide ideas. #proxyhamrebirth

…while Hackaday’s Brian Benchoff has already published instructions on how to build what he says is a gadget that does what Proxyham was supposed to – no DEF CON talk required.

At this rate, whatever theoretical hole was left in the security realm by Proxyham being snuffed out is, apparently, already being filled.

Image of Proxyham by Benjamin Caudill.