1

Does anyone know about this ICLOAK USB device? Opinions or how well they work? I'm looking for a security solution when I'm using PCs where I work. Occasionally we have to log into to web sites, from work, to check sensitive information regarding our pay stubs, pay rates, retirement plans etc from work. They are pretty relaxed about our personal usage of the internet and everything I just want to make sure 'mainly' that my log in credentials can't be intercepted between the the time they travel from my browser to the web sites I'm logging into. Like that there is nothing in the middle that can intercept or meddle with unencrypted info

One of the bullet points on their web-site https://icloak.org/ says (Use it at work and keep your employer from tracing or tracking your online footprints) Could this ICLOAK really achieve this feat?

Rose
  • 405
  • 1
  • 4
  • 9
  • 1
    Cheating your employer is not a good thing (TM) in general. – Deer Hunter Apr 17 '15 at 20:56
  • possible duplicate of [How to prevent network administrators from accessing USB drive](http://security.stackexchange.com/questions/83393/how-to-prevent-network-administrators-from-accessing-usb-drive) – Deer Hunter Apr 17 '15 at 20:57
  • I'm not 'cheating my employer' I don't trust the people in IT, and for good reason. I'm simply trying to make my usage of the internet 'safe' and 'secure' – Rose Apr 17 '15 at 21:22
  • 1
    @Rose just bring your own laptop and own internet connection (your phone?), or if the latter isn't possible just use a VPN or Tor. –  Apr 17 '15 at 21:27
  • @Andre, allegedly the ICloak has a Tor browser.. Anyway, I've been reading about VPN services too but cant figure out where the encryption occurs, if data is encrypted as it goes out the nic / browser at the network proxy or what? If its not encrypted as it flows through the proxy then it's not serving the purpose I need – Rose Apr 17 '15 at 22:33
  • @Rose in case of a VPN the encryption happens on the computer, so (when configured correctly) all outgoing traffic will be router through the VPN, and the only traffic that will be leaving the NIC is an encrypted data stream going to your VPN endpoint. –  Apr 17 '15 at 23:32

1 Answers1

1

Snake oil, this is just a glorified Linux live-USB with lots of bold claims to fool naive customers (they advertise it as a silver bullet solution for anonymity and privacy, which is impossible to do by just inserting an USB stick in a machine - does it magically detect hardware keyloggers or compromised firmware?).

You can make your own by installing Tails on an USB stick. I was about to rant over their proprietary OS but it looks like they're based on Ubuntu but even then, there is no clear download link for the source code so I wouldn't trust it.

If we assume their solution isn't malicious, this still isn't a silver bullet for anonymity and security; let's break down some of their claims :

Use it at work and keep your employer from tracing or tracking your online footprints

This doesn't protect against hardware or low-level (in the firmware for example) eavesdropping, while I doubt most employers would use this, it's definitely possible and this solution won't protect you against that. If you must do something privately, do it on your own computer, not your employer's one.

If you use it on your employer's network they will definitely know it - while it's true that they won't know what you're doing (assuming you're accessing HTTPS sites or using Tor), they will definitely notice some encrypted flow on the network and that will raise suspicions (and use of anonymity software may be prohibited which means you're fired).

Plug ICLOAK Stik into the USB drive of any Mac or PC device, reboot and you have 100% anonymity and privacy in under a minute.

Again, this doesn't take into account low-level nastyness like a compromised firmware or hardware keyloggers - if you need privacy or anonymity you should not be using a machine over which you don't have full control. Internet kiosks/cafés, employer-provided PCs, etc... shouldn't be trusted at all.

So, while it can indeed provide anonymity if you know how to use it properly (only on your own machine, check for hardware keyloggers, etc), I'd say this is snake oil because their target market is the "average Joe" who has no clue about IT security and will blatantly believe they can make any machine safe just by plugging an USB drive in it, which is obviously false and dangerous for them.

  • I'm not defending the product, but I think you are overreaching in your critique. 1) I'm not seeing claims of being a "silver bullet", merely the "best available". 2) Yes, an encrypted stream might be detected, but that does not defeat privacy or anonymity. 3) They, themselves, advocate installing Tails on a USB stick. 4) Can you provide evidence of firmware eavesdropping that survives rebooting to an attached USB drive? If you can reboot the machine and trigger booting to USB, you do have a lot of control over the machine. – schroeder Apr 17 '15 at 21:19
  • I don't care if I get fired. ;-) I want to know how to keep them from sensitive data. – Rose Apr 17 '15 at 21:23
  • @schroeder keyboard, NIC or BIOS/UEFI firmwares can all survive reboots no matter on which medium the OS is stored. And I'm pretty sure a malicious UEFI can set up some sort of rudimentary VM around the OS which means it'll be able to read memory at will and intercept any input/output (keylogging, screenshots, etc). –  Apr 17 '15 at 21:24
  • @Rose why don't you just use your own laptop and connect to the internet via your phone ? In that case the employer won't even know anything and you keep your job. –  Apr 17 '15 at 21:25
  • 1
    @schroeder in addition to my last comment, [here's some keyboard fw attack evidence](http://www.zdnet.com/article/hacker-demos-persistent-mac-keyboard-attack/) - while in his demo it's used to type in malicious commands, I don't see why it can't log keystrokes (only log after certain things are typed in, to not waste its limited memory on logging irrelevant stuff). –  Apr 17 '15 at 21:29
  • Ah, thanks for evidence. One thing, tho: How is Tails on a USB drive different? I simply don't see a basis for your claim that they are "fooling naive customers". There is the firmware vector that they cannot account for (no one could), but you yourself suggested that the probability was low and the hardware limitations are real. I still don't see the basis for such a scathing critique. – schroeder Apr 17 '15 at 21:32
  • @schroeder their site is full of "the ultimate tool for anonymity&privacy, just plug it in and reboot", and I have yet to see any mention of warnings that this is not a silver bullet solution. Tails, on the other hand, has [this](https://tails.boum.org/doc/about/warning/index.en.html), and even includes [a solution against hardware keyloggers](https://tails.boum.org/doc/encryption_and_privacy/virtual_keyboard/index.en.html). –  Apr 17 '15 at 21:48