After a project to build an anonymising internet router for whistleblowers mysteriously closed down over the weekend, a replacement has already emerged — and it claims to be far more powerful.
ProxyHam was a $US200 DIY router that promised to help hide users’ location by broadcasting the Wi-Fi connection over a 900MHz frequency, letting them hide up to 2.5 miles away. Built by Rhino Security Labs’ Ben Caudill, it was due to be presented at a conference in August. However, the security consultancy company abruptly announced that all prototypes would be destroyed, and the source code would not be released, and it could no longer talk about the project — prompting many to speculate the US government had covertly closed it down.
But those looking for a way to stay hidden online haven’t had to wait long for a replacement. Prolific hacker Samy Kamkar has built a new device called the ProxyGambit, which he says extends the range up to 10 kilometers — or even further, to anywhere in the world. The plans, code, and instructions on how to build the ProxyGambit have all been released online for free.
It can operate in one of two ways. In the first, it offers a high-speed radio link that lets users connect from up to 10 kilometers away, provided there is a direct line-of-sight. The user sets up the ProxyGambit on any public Wi-Fi network (think of a library/coffee shop/coworking space), points their receiver at it, and goes. While Kamkar cautions that it’s not “fool-proof,” when combined with other anonymising tools like Tor it adds an extra layer to attempts to stay hidden by physically removing the user from proximity to their IP address.
The second way provides a slower connection, but far more range. Instead, it uses 2G GSM, also used for the cell phone network, allowing users to connect from anywhere (with signal) in the world. The user could theoretically fit the device at a Starbucks in New York, then connect to it in Los Angeles, fooling any would-be trackers into thinking they are on the East Coast.
“The idea here is to add a layer of anonymity to some of your Internet traffic,” Kamkar told me, “but what’s special is that the data leaves the Internet entirely and comes back in a different location, like a portal or wormhole for Internet traffic. Of course the data went somewhere, but it just travelled in a medium that’s not typically used” — thereby making it harder to track.
The original ProxyHam was touted as a boon for whistleblowers looking to cover their tracks online, and Kamkar says he built the ProxyGambit for similar reasons. “The recent vanishing of ProxyHam left me bewildered, and I thought it was a simple yet great idea. I’m a proponent of projects that allow people to communicate freely and privately if they wish. Projects like this help uphold people’s rights to privacy and freedoms of speech, which have been pretty shaky as of late.”
Kamkar continues: “Reasons [for use] could be as trivial as not wanting a website to track you (which they can by IP), or you’re a political dissident under an oppressive regime and want to speak out on a social network about what’s happening inside your country.”
He has released full instructions on how to build the ProxyGambit online, along with the source code used to power it and a shopping list of components needed to build it. All in all, it comes in a tad more expensive than the ProxyHam — $US238.
Kamkar recommends that any would-be builders exercise caution, though. “This is an insecure, bare bones proof of concept,” he said. “The fragmentation of data through alternate mediums is a useful and effective concept and those interested in privacy, anonymization, or deanonymization should explore this area further. Entropy is both gained and lost with these methods and many risks are involved when deploying any system of this nature.”
Kamkar first made headlines in 2005 when he released the Samy worm onto MySpace, infecting 1 million users in less than 24 hours and forcing the social network to temporarily shut down to tackle the virus. He is known for his experiments and projects: Back in January, he built a $US10 USB wall charger that could intercept anything typed on certain wireless Microsoft keyboards. And in April, he published a technique that he said can be used to crack any Master Lock padlock combination in two minutes.
When asked for comment about the ProxyHam, creator Ben Caudill told me that the company “can’t disclose any further information on Proxyham, the Defcon talk on anonymity and privacy, or the cancellation of the research.” Some in the security community think that Caudill’s silence is down to a government gag, and it remains to be seen whether Kamkar’s experiment will draw similar attention.
Caudill is cautious about the new device, however, telling Business Insider that “I’m concerned about the lack of security and initial direction with GSM as a communication medium. The whole point of Proxyham is decentralized communication (non-internet routed) – this version makes identifying the users location trivial, given the technology and capabilities of government agencies. That said, I am encouraged by the project being rebuilt by the community. I look forward to the future of anonymity tools such as this, and wish Samy and others the best.”