11

I would like to connect to my VPN using IPSec protocol. For that, I need a router or any other device that support it.

I found this on eBay: https://www.ebay.com/itm/IPsec-VPN-server-military-secure-design-for-dummy-better-performance-now-/142000661040

The question is: How can I trust this device that it is not stealing my private keys, or doing MITM attack?

Joe
  • 2,734
  • 2
  • 12
  • 22
Aminadav Glickshtein
  • 285
  • 2
  • 13
  • 27
    How do you trust your CPU for system firmware not to steal your private keys or perform a MITM attack? – David Foerster Dec 09 '17 at 22:38
  • 8
    Wow. The only easy way this could be more sketchy would be to not find this on eBay, but advertised under miscellaneous services on Craigslist, with the seller only accepting altcoins. – Marcus Müller Dec 10 '17 at 00:14
  • That looks like a Raspberry Pi clone with preinstalled software on it. o.O – Andrea Lazzarotto Dec 10 '17 at 00:29
  • 17
    You shouldn't trust a product that says "military secure design". That's one of the warning signs to look out for: https://web.archive.org/web/19990117013016/http://www.interhack.net/people/cmcurtin/snake-oil-faq.html – kasperd Dec 10 '17 at 01:09
  • 15
    $119.99 for a Raspberry Pi!? You can [get one for $35](https://www.raspberrypi.org/products/); just install the (free, open) software yourself and save yourself some money _and_ in the process, ensure nothing funny has been (pre)installed since you're doing it yourself (which doesn't guarantee no backdoors will be installed but at least you've done everything yourself). Also: vpneveryone.ddns.net seems to have been discontinued and was a pretty [short lived project](http://web.archive.org/web/*/vpneveryone.ddns.net) if you ask me... With no reputable company but just an individual behind it... – RobIII Dec 10 '17 at 13:19
  • 2
    "With no reputable company but just an individual behind it..." Which isn't a bad thing necessarily but at least a red flag to investigate further. It could be someone trying to prey on less knowledgeable victims. Also: since [it's a DDNS site](http://www.noip.com/blog/2014/07/11/dynamic-dns-can-use-2/) instead of a decent registered domain and hosting I guess that, at least, should set some expectations for support, warranty etc. – RobIII Dec 10 '17 at 13:26
  • 1
    I wouldn't trust any eBay auction labelled "IPsec VPN server, military secure, design for dummy! better performance now" – user253751 Dec 10 '17 at 22:01
  • 1
    I dunno, I think the "design for dummy" part is pretty honest. – forest Dec 10 '17 at 22:24

3 Answers3

30

How can I trust this device that it is not stealing my private keys, or doing MITM attack?

Trusting is easy: just do it.

Way more complex is not to blindly trust this device but to find actual arguments why you should trust or why you should not trust it:

  • Is this a reputable vendor, do others you trust have experience with this vendor?
  • Does the product work as advertised and does not have it any back doors? Do others you trust have experience with this product?
  • Are the specifications of this product open, are you able to understand these and are you able to check that this product is build according to these specifications without anything harmful added?

If you cannot answer these questions then you probably either need to trust the product blindly or you need to trust anybody blindly which claims here that this product can be trusted.

Apart from that, I find a device which gets advertised as "IPsec VPN server, military secure, design for dummy! better performance now" very suspicious. What is this "military secure" in the first place? It probably does not mean EMP resistant. Instead it probably only says that it uses the same established encryption algorithms which your browser uses too when you visit HTTPS sites - only that "military" sounds better. If somebody needs to base the selling of his product on such exaggerated claims I personally would not really trust this product much.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
  • 7
    What, you're saying it _doesn't_ conform to NATO SDIP-27 A, MIL-S-901D, and IEC 60512-6 11f?? But it says military secure! – forest Dec 10 '17 at 05:27
  • Thank You. This is the answered I search, I'm quote: > Are the specifications of this product open, are you able to understand these and are you able to check that this product is build according to these specifications without anything harmful added? – Aminadav Glickshtein Dec 11 '17 at 14:04
19

The product is a manually configured Orange Pi device. Someone made and configured it. You hope that they knew what they were doing and that they did not install backdoors.

With commercial products, you have a base level of communal trust that everyone is trusting the manufacturer and if the vendor did something wrong (intentionally or by accident) then everyone is in trouble. It is bad PR and the company is harmed.

With an individual custom-crafting these devices, you do not even have this level of basic trust. You have no idea if the device has been tested or even if it does what it says it can do. They could install blatant backdoors and if people found out, what could they do? Go to the media? No, they would give a bad eBay review. Then the vendor changes names. You have 0 protection here.

How you trust falls under 4 categories:

  1. 3rd party review and audit (this is where open source can be handy)
  2. "herd immunity" where the device is so common that problems would likely have been encountered and publicised or fixed (or if a problem occurs, everyone is affected equally) (also an element of open source code that everyone uses)
  3. commercial or reputational impact where problems are not in the vendor's best interest
  4. perform an audit yourself

So, unless you can perform an audit of this device, you are left without a lot of options that you can trust from a random eBay vendor.

But hey, the vendor has 74 positive reviews, it's homemade, and their website is a free dynamic website that could be anywhere and owned by anyone and you have no way of validating the ower of the site. What's the worst that could happen ... ?

schroeder
  • 123,438
  • 55
  • 284
  • 319
  • 1
    "if the vendor did something wrong (intentionally or by accident) then everyone is in trouble. It is bad PR and the company is harmed." - Yeah, sure. That's why everyone stopped using Cisco, I suppose?! – I'm with Monica Dec 11 '17 at 10:05
  • @AlexanderKosubek "harmed" does not mean "removed from existence". Stock prices do drop. – schroeder Dec 11 '17 at 12:03
5

This is a fundamental flaw in IPsec and the use of the network layer for access control, authentication, and privacy. If you really must do this, you'd be better off running a reputable open source operating system on a general-purpose computing device as your router, rather than using a black box product designed to be used as a router. But really, you should be using TLS (or other suitable protocols like SSH) on top of TCP for all access control and privacy purposes, and treating the network layer as untrusted. If you do that, it doesn't matter if anyone is stealing your IPsec keys.

R.. GitHub STOP HELPING ICE
  • 7,813
  • 1
  • 23
  • 34