Site icon Sophos News

Who killed Proxyham?

Proxyham. Image by Benjamin Caudill.Earlier this month, security researcher Benjamin Caudill unveiled a new, cheap anonymizing device called Proxyham that set the security press a-buzz.

Caudill noted that while technologies such as TOR can provide a certain level of anonymity, there exists “a fundamental flaw”: the direct relationship between IP address and physical location.

If your true IP is ever uncovered, it's game over – a significant threat when your adversary owns the infrastructure.

Proxyham’s promise: to enable whistleblowers, dissidents or anybody who seeks anonymous connectivity (including, of course, criminals) to connect to a Wi-Fi spot that’s up to 2.5 miles away.

Thus would surveillance be thrown off-track, as law enforcement or other snoopers sniff their way not to our doorsteps but rather to whatever public Wi-Fi spot the device gloms onto – for example, at a local coffee shop or a public library.

But over the weekend, the rug got pulled out from under not only the Proxyham project, which has been shelved, but a talk that had been slated for the upcoming DEF CON security conference.

Speculation has subsequently erupted over the mysterious cancellation and Caudill’s statements that he’s not at liberty to explain.

This is how the hardware device was billed in the lineup before the talk got cancelled:

[ProxyHam] utilizes both WiFi and the 900Mhz band to act as a hardware proxy, routing local traffic through a far-off wireless network – and significantly increasing the difficulty in identifying the true source of the traffic.

Caudill initially promised that not only would he demonstrate the device itself; also, his firm, Rhino Security Labs, would release, for free, the full hardware schematics and code.

On Friday, Rhino Security tweeted that it was pulling the plug and zipping its lip:

Rhino Security Labs @RhinoSecurity
Effective immediately, we are halting further dev on #proxyham and will not be releasing any further details or source for the device

…as well as cancelling Caudill’s talk:

Rhino Security Labs @RhinoSecurity
We will also be immediately cancelling the @caudillbenjamin talk at @_defcon_ on #proxyham and #whistleblower #anonymity

…and that all the prototypes it’s built so far are going to be scrapped.

These are some of the speculative theories that have been put forth to explain the death of Proxyham, as well as what we’ve seen for the whys or why-nots:

But there are others who suggest that all this talk about a conspiracy on behalf of the Feds to squash Proxyham amounts to a pile of steaming nonsense, given that Proxyham wasn’t a particularly groundbreaking, or even a particularly effective, tool.

Security researcher Robert Graham, for example, said that the DEF CON talk “was hype to begin with.”

From his blog:

You can buy a 900 MHz bridge from Ubiquiti for $125 (or MicroTik device for $129) and attach it to a Raspberry Pi. How you'd do this is obvious. It's a good DEF CON talk, because it's the application [that's] important, but the technical principles here are extremely basic.

Graham notes that comparing the picture from Wired’s story on Proxyham with a picture of the bridge on Ubiquiti’s site suggests that this is indeed one and the same piece of hardware.

He theorizes that perhaps the media attention gave somebody cold feet, rather than the FBI getting spooked by the device and sending an NSL.

For his part, security researcher Dave Maynor plans to whip up his own version of Proxyham:

David Maynor ‏@Dave_Maynor 4h4 hours ago
I intend to duplicate the #proxyham functionality (according to the OSINT we have) document weakness and provide ideas. #proxyhamrebirth

…while Hackaday’s Brian Benchoff has already published instructions on how to build what he says is a gadget that does what Proxyham was supposed to – no DEF CON talk required.

At this rate, whatever theoretical hole was left in the security realm by Proxyham being snuffed out is, apparently, already being filled.

Image of Proxyham by Benjamin Caudill.

Exit mobile version