Tuesday, 6 October 2015

Veiltower: a misleading plastic jungle of deception

Once again we have another Kickstarter that claims that it is 100% secure, un-breachable, and uses unheard-of cryptography. Introducing "VeilTower", a plastic jungle of deception.

As indicated in my opening, I've dealt with this sort of thing before, where erroneous claims about a product's capabilities were made in a Kickstarter. In this case, we're being told of the following capabilities in the device, using terms like "military-grade" which tend to set off alarms:

"Some of the most security conscious organizations in the world have been using what’s called 802.1x with great success. That’s what we’re using. The encryption currently in use for typical consumers is 256 bit encryption. We’re utilizing 2048 bit encryption. We wanted to give consumers a product with military-grade technology."

"Veiltower also makes your digital presence anonymous by masking your traffic and connected devices with its state of the art embedded VPN (Virtual Private Network) solution."

It goes on further, in an update that was posted after they were confronted online, to explain its "100% secure" statement:

"Some have questioned whether it's not too bold of a statement to claim Veiltower provides 100% security. And that is a very fair question."

"The simple reality is that almost anything can be cracked/hacked if enough effort is put in and over the years various standards (remember the heartbleed bug?) contained, in hindsight, vulnerabilities."

"So to our knowledge, the encryption we use in Veiltower is secure! That's until one day we, and many other Access Point providers that employ the same encryption, are proven wrong."

"For the techs:
VPN: Strong Swan IKEv2"

This of course came after this tweet was made at me:

Needless to say it started quite the Twitter conversation so I am going to condense everything I know about them and additionally opine on the matter.

To start off, no product, no matter its claims, can say that what it does or provides is 100% secure and immune to breaches. Anyone who makes such a claim is either being intentionally deceptive or has zero clue about what they're talking about. In this case, I think it's more the latter, based on the background of the individual leading this project, who does not appear to have ever worked on anything cyber security-related.

Veiltower (also known as Veil Systems) has a bit of a history, and this is not their first Kickstarter either. The earlier one has since been removed, but I did manage to create a PNG mirror of the campaign draft, which was penned around November 2014. They did tweet aggressively leading up to the date they expected to launch everything, but for some unspecified reason Kickstarter did not accept the submission, so they promised to regroup and launch again later in the year.

However, after the last tweet, they made no quip about the Kickstarter campaign and just proceeded to share videos that they had already made. Additionally, the product was slightly different than what we are seeing now as they were also promising NAS functionality and an IP camera in addition to the "security" features we're seeing today.

Physically the products are similar, except that there is a glowing device shaped like a bowling pin that would have had the IP camera at the top. The old campaign, however, appears to provide more details on the inner guts of the device, which is something I found lacking in the current campaign.

They're also providing the specifications in this old campaign, which again are sorely missing from the current campaign.

However, something didn't add up: how is the PCB larger than the above disc in the guts image? If we look at a photo of the rear of the unit, you'll notice that the device doesn't even have ports that match the board.
This sort of reminds me of the Sever thing, because it was revealed to me in conversation with some people close to the project that the board didn't match the case itself. What's going on here? Well, without details on the specs of the unit in the current campaign, I guess we'll never know.

One thing to add: I call this a "misleading plastic jungle of deception" for good reason: they make the following claim about the antenna design:

A friend of mine is an avid ham radio operator and he informed me that the antenna slant wouldn't be enough to incur a polarization shift, meaning that the benefit from this design would be non-existent.

In any event, based on the hardware details from the previous Kickstarter and the lack of details in the current one, it doesn't really bode well for this device, at least from a physical standpoint. Any claims about its abilities to improve your overall Internet experience will be exaggerated at best.

Perhaps it's worth learning a bit about who's behind it: really there is one person, but it seems like there is quite a bit of discord going on behind the scenes, as is evident in these tweets.

I am guessing that after the exchange had started earlier (the crypto one from earlier was by this "social media guru"), Edsard Ravelli, the founder or leader behind this project, decided to get involved and effectively sack the person behind the Twitter account--it should be assumed that the 802.1x encryption remark was made by the removed individual. I think that it is fair to talk about the person behind this project.

Edsard hails from Amsterdam and appears to have been involved with the project from the start. He has claimed via his LinkedIn to once have been CEO and Founder of a company called DigiNext, but left in Autumn 2014, a year and a half after founding Veil Systems--I was not able to procure details on what happened with DigiNext, but I can safely tell you that their website has a lot of broken links. He also has a software patent to his name, depicting some sort of update mechanism that reeks of similarity to every other software updater out there.

Veiltower mentions two other employees in the Kickstarter: Eric Stebel and Kris Caryl. Eric is cited as being the "Lead Designer" for the project, but judging by his website, he's likely involved in the creation of the physical case of the device and not the electronics itself--however, I will admit that Eric has done some cool stuff. I was not able to get much in the way of information on Kris other than her being cited as Veiltower's logistics person.

Noticed something peculiar? Not a single person with an information security, software development, or hardware design background is cited. And here they are making claims about having a product that is 100% secure.

Of course, Edsard argued that it was okay to claim this because he's trying to lay it out for the layman:

Edsard's excuse here is that it's acceptable to lie in the Kickstarter because he's trying to "appeal to consumers who [are] technology illiterate". By that logic, Volkswagen should be off the hook because consumers wouldn't notice the difference between the government-mandated emissions testing and "real world situations".

He continues to say that he had details posted weeks before on Facebook, with over 5,000 followers, where nobody made a quip about the claims. This is completely idiotic to claim and I am not even going to entertain the idea of writing here about why.

Going back to employees, Veiltower has gone out of their way to hire freelancers using Elance. Since April 2014, they have spent $38,002 USD across 29 different freelancing job requests--or about $1,300 on average per request. In contrast to their $250,000 goal on Kickstarter, the money spent on Elance would account for 15% of what they need to raise. How much is Edsard paying himself, Eric, and Kris? At a minimum, if these two have worked a year for Veil Systems at a wage of $8.12/hour, they'd each account for $16,952 ignoring things like sick days or other labour aspects. Times two, that's 14% of the campaign costs, meaning that around 30% is just for labour--this is a huge assumption too.

It should also be noted that none of the freelance requests were for anything technical and appeared to be solely marketing-related.

There's also no indication that there are other employees with Veil Systems as the name does not link to any other employees on LinkedIn other than Edsard himself.

One of the rewards is a white Veiltower for 1,999 people at a cost of $159. To meet that goal of $250,000, they need to get over three-quarters of that amount in order to cross the threshold required for a Kickstarter payout. But it makes me wonder: does $250,000 cover all the salaries and development costs incurred?

If this was a product that was worth funding, a Kickstarter campaign would never have been needed. I tend to believe that the vast majority of campaigns out there are for ideas that are not marketable at all and just pander to a niche market. There are exceptions to this rule, but it's a very short list.

Edsard has claimed that tomorrow he'll have some answers so we shall wait and see!


  1. I believe the webcam and NAS functionality are still there as an optional device called the Bishop.

  2. Yeah this is clearly a scam. They're trying to scare noobs into thinking they need this product. While most routers have good wifi encryption already. Besides that, they're using some kind of VPN service where you can't choose between providers, who wants that? And then, a lot of devices won't support 802.1x certificates at all, so they won't be able to connect. Scam.