Paul Moore


Security consultant, researcher & CISO at Icebook.

Everykey: 3 years and $250,000... is it vaporware?

Update 22/12/2015

I've received several emails regarding this project over the last few months; another landing just a few moments ago.

Unbelievably, Everykey has been delayed yet further... with delivery now estimated in February 2016.

I'm very grateful to everyone for keeping me informed. However, at this stage, there's not a great deal I can add to the discussions. It's a great idea with (I believe) real potential... but talk of "receiving samples" after 3 years and $1.2 million of investment, frankly, worries me no end.

I'm not sure if John McAfee's involvement is pure genius or an act of lunacy, given Intel's drive to dissociate itself from the McAfee brand & John's increasingly bizarre behaviour... but time will tell.

Despite not a single product being shipped (to my knowledge), there's now a successful Indiegogo campaign which has already reached 266% of their target. Despite the new version being cheaper to manufacture, according to a recent interview with Chris Wentz, it appears to have increased in price by a whopping 77%.

In summary...

There's still no technical information.
There's still no sign of the security audit, although it apparently "passed".
The March delivery deadline has come and gone, as has Summer, September, October & December.

Will it be 6th time lucky? I hope so... for the sake of backers still patiently waiting and investors with a million dollars to recoup.

Update 22/05/2015

Everykey has just announced its latest prototype. Yes, another one.


The original design wasn't really anything to write home about... but the new one looks, well, tacky. The fob has been redesigned too; looking more like a $5 USB pen drive than a product of a $500,000 investment.

With less than 3 months to go before they're due to be shipped, I'm astonished they're still prototyping and making design changes. Their initial timeline suggested a 3 month delay between production part testing (which hasn't started yet if they're still prototyping) and general release... and there's still no mention of the security audit.

If this ships by June/July/August (American summer), I'll be amazed.

Update 11/05/2015

It seems my figures were a little off. Everykey has actually received over $500,000, with a further $250,000 coming in the last few weeks.

http://ibmag.com/Main/Archive/Lock_and_Key_12829.aspx


OK, 2 years, 8 months and $254,053 to be exact... but it seems the Everykey concept isn't moving as fast as some investors would like.

When Everykey appeared on Kickstarter, it sounded like an interesting project. However, you may recall back in November 2014, I backed out of the Everykey campaign when a number of concerning issues came to light.

7 months later, I received an email from a concerned investor.

If I skip the profanities, the general gist seems to be:

  1. They're late delivering the product.
  2. The updates are thin on the ground, often late and lacking information.
  3. The results of their security review still haven't been published.

As any Kickstarter backer will tell you, most campaigns are delivered late, if at all. Their estimated delivery date was March 2015 and this being their first big venture, it's reasonable to expect a substantial delay.

Note: Each video only plays the segment I'm referring to!

It's only May 2015! What's 2 months...

Well, it's not quite that simple.

Everykey started out in September 2012, meaning by the time this article is published, it's fast approaching 3 years old.

What isn't immediately obvious from the KS campaign is the sheer amount of funding Everykey has received to get this far.

In 2013, Everykey received a $25,000 grant from the GLIDE innovation fund. In October 2014, they received $12,000 from a Protech grant. A month later, $117,053 from Kickstarter.

By this point, Everykey has received over $150,000 in investment; a substantial sum for what's seemingly a great idea.

During their pitch, Everykey requested $100,000 to fund their first production run.

If we assume they did their sums correctly, $100,000 is all that's required to successfully bring this concept to life. However, 7 months after they successfully smashed their target, Everykey has successfully raised a further $100,000 from the GLIDE innovation fund... bringing their total to a whopping $254,053!

After a quarter of a million dollars and nearly 3 years of development, how far is Everykey from being released?

The design

The original Everykey enclosure was quite smart. It's not something I'd choose to wear purely from an aesthetics point of view, but if it served a purpose, it wasn't unduly ugly.

Unfortunately, despite having the prototype for well over 2 years, it seems nobody thought to ensure the components actually fit inside. Quite apart from "funding their first production run", Kickstarter backers have actually paid to redesign the entire product.

Old & New Prototype

Instead of a circuit board which simply inserts into the band, Everykey has essentially gone back to the drawing board and designed an entirely new enclosure. As you can see, the clasp has changed and, as the old circuit board wouldn't fit, it's been widened to accommodate this...

Meet EveryKey Fob

To be honest, I actually prefer the new design. However, there's one slight concern... it's still a prototype! If you're still making massive changes to the design, layout and functionality this far into a project, something has gone amiss.

It's starting to become clear why the March deadline came and went.

Lack of updates

Since Everykey reached its Kickstarter goal, there have been 3 updates regarding the project.

The first update discussed the production mold, a bespoke battery and an independent security audit. We know the mold and battery (both of which were paid for with investors' money) are defunct now, so let's move on.

The second update introduces the "Everykey Fob"; yet more 3D CAD designs and a strange comment regarding software development.

"Up until this point, we've been developing Everykey software for demonstration purposes"

What!? Hang on, let's rewind.

They've raised (by that point) $150,000 off the back of a proof of concept application but the video says "everything you've seen demonstrates real technologies which work today". That's misleading to say the least.

"some operating systems handling Bluetooth Low Energy communication differently than others"

Bluetooth is a wireless technology standard; a protocol which any supported operating system can use.

"Now, we're bringing consistency to our software."

So as of March 2015, the software was still proof of concept (i.e. not production-ready) and they're only now starting to develop the real application? Hmm.

The observant amongst you will note the lack of reference to the security audit. Another backer rightly questioned why there was no update, to be told

"we'll likely discuss the audit in the next update"

The third update introduces the "web interface", the new enclosure and more staff.

The Web UI


3 years of development, $250,000 investment and that is the best example of the UI?

For those of you wondering, the "Lorem ipsum" line is a placeholder to show how the template will look, once populated with actual text.

Realistically, you could recreate that in 5 minutes using Bootstrap.

"Chris's Macbook is deactive"

Sigh.

The Security Audit

Neither of the last two updates mention it, so your guess is as good as mine.

If it hasn't happened yet, I doubt the product will ship this Summer. If it's been audited but failed, the least they can do is share the results with investors. If it's passed an audit, why the secrecy?

Summary

At this point, I've no idea if Everykey is vaporware, a victim of feature creep or simply mismanaged... but I'd exercise caution before investing more money into this venture.

If Everykey does ship in the Summer, you'd be wise to keep their development timeline in mind. By their own admission, the latest "consistent" build only started in March and there's still nobody from a security background in the team.

If you value security and you'd rather not deal with passwords, invest $50 in a password manager.
