Paul Moore

Security consultant, researcher & CISO at Icebook.

EveryKey Revisited: Military grade? Give me a break.

Update 27/04/16:
Here are some screenshots of the EveryKey Windows app.

It's not digitally signed, so there's no way to verify it's genuine and hasn't been modified; it crashes if you click the toolbar, and if you click "forgot password", it opens Google. To be frank, it looks pretty thrown together at the moment.

Thank you for the anonymous tip folks.

Update 12/04/16:
EveryKey have replied to this post. Read it here.


In May 2015, I questioned if EveryKey, one of Kickstarter's most successful campaigns, was vaporware.

Over the last 11 months, I've received near-monthly emails and tweets from backers angry over delays and poor communication. Other than a few updates to the original article, I didn't intend to revisit EveryKey as, quite honestly, I didn't see the point.

This week, however, has seen an influx of complaints as EveryKey have, once again, failed to deliver the product as promised. By my count, they've missed no fewer than 6 deadlines... although "March 2015" was never realistic.

Before we dive in, let me answer my own question.

No, EveryKey isn't vaporware.

It may not be in the hands of backers just yet, but I've no doubt EveryKey exists and will ship at some point in the future.

Whether you'll want to use it, however, is another matter entirely.

Accepting payments over HTTP.

When the Kickstarter campaign finished, EveryKey began collecting pre-orders, customer PII & payment info over HTTP, which is both insecure and in breach of PCI compliance. I tweeted EveryKey (@_EveryKey) and, despite the lack of a response, it was fixed a few days later. Leaking your customers' payment data isn't a great way to begin a working relationship, especially given the context.

"We won't be hacked"

Famous last words.

No responsible company, especially not one in the security space, would ever claim to be impervious to hacking. It does, however, reaffirm my decision to back out of their campaign.

OK. Enough of the trivialities...

Vulnerable API

For several months, EveryKey has provided an API on http://api.everykey.com which presumably acts as the service entry point for their devices/partners.

Hmm. That's clearly not finished... or even started.

But, what happens if you land on the registration page first?

That's better... apart from the distinct lack of SSL/TLS! If you try to load the site over HTTPS, the connection fails, so it's impossible to register your details over a secure connection.

Let's register.

That's a good start! It can't connect to the database! But hang on, what's this?

Database name: ev[erykey]
Database username: hytech
Database password: peeyushisthebest

We now have EveryKey's database credentials.

That's already game over, for a number of reasons.

  1. There's no SSL/TLS, an absolute necessity when dealing with personal data & passwords.
  2. They're leaking database credentials in error messages.
  3. The password being used to "protect" the database is weak & amateurish, thus crackable even without being disclosed.
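As an added example (not EveryKey's code; the post doesn't show their stack), here is the pattern behind point 2 in Python: a registration handler that echoes the driver's connection error to the browser, beside one that keeps the details server-side under a correlation id, plus a check a test suite could run over HTTP responses. The driver stand-in, config values and handler names are constructed for this example.

```python
import logging
import uuid

# Constructed sample config: placeholders, not the values from the post.
DB_CONF = {"host": "db.example.invalid", "dbname": "everykey_db",
           "user": "app_user", "password": "example-secret"}


class DatabaseConnectionError(Exception):
    pass


def connect(host, dbname, user, password):
    """Stand-in for a real driver: always fails, and, like many drivers,
    the error text echoes every connection parameter, password included."""
    raise DatabaseConnectionError(
        f"could not connect to {host}: dbname={dbname} user={user} password={password}")


def redact(text, secret):
    """Scrub the secret before it reaches even the server-side log."""
    return text.replace(secret, "[REDACTED]") if secret else text


def register_unsafe(conf):
    """Vulnerable pattern: the raw driver exception is returned to the browser."""
    try:
        connect(**conf)
        return 200, "registered"
    except DatabaseConnectionError as exc:
        return 500, f"Error: {exc}"


def register_hardened(conf, log=logging.getLogger("app")):
    """Hardened: details stay in the server log under a correlation id;
    the client receives a generic message carrying only that id."""
    try:
        connect(**conf)
        return 200, "registered"
    except DatabaseConnectionError as exc:
        ref = uuid.uuid4().hex[:8]
        log.error("db connect failed ref=%s: %s", ref, redact(str(exc), conf["password"]))
        return 500, f"Registration is temporarily unavailable (ref {ref})"


def leaks_connection_details(body, conf):
    """Response check: does the body disclose any connection parameter?"""
    return any(str(v) in body for v in conf.values())


if __name__ == "__main__":
    for handler in (register_unsafe, register_hardened):
        status, body = handler(DB_CONF)
        print(handler.__name__, status, "LEAK" if leaks_connection_details(body, DB_CONF) else "ok")
```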

Again, I emailed EveryKey to alert them to this and, despite not receiving a reply, the domain was taken offline yesterday and replaced with this.

Perhaps I'm being too harsh. It's clearly a work-in-progress and perhaps doesn't reflect the true quality of the final product.

But...

Is a barely-working, insecure prototype acceptable after nearly 4 years & $1.25 million of investment? The registration page gives absolutely no indication that it's a proof-of-concept page not intended for public use, so how many others have blindly "registered" and inadvertently leaked their details?

The observant amongst you may have spotted the addition of SSL/TLS in the last screenshot, so now it's secure, right?

Really? POODLE in a brand new TLS deployment? This is a joke, surely?

... and the certificates are in the wrong order! I've no idea how they've managed to make a mess of a "Let's Encrypt" deployment... it's about as "hands off" & simple as it gets.

It's shipped for Windows & Android. Or has it?

A week ago today, EveryKey announced the product had finally shipped.

Well, sort of.

At the last minute, they opted to hold back on support for Mac/iOS, citing the logistics of handling 4,000+ orders and the appreciable load on their support desk.

Forgive me, but that's thinly-veiled nonsense.

It's true: shipping 4,000+ products is a logistics nightmare and will undoubtedly increase the number of support requests... but that's something you scope into your business plan before you begin collecting millions of dollars from backers. Phased roll-outs are nothing new, but keeping backers in the dark until the day of shipping is misleading, to say the least.

It's also very unusual for a company to send out surveys to "confirm shipping details" on the day they're due to ship the product. A bit of forward planning goes a long way.

Despite all this, the comments on both Kickstarter & Indiegogo suggest not a single person has received their survey... even a week later. BackerKit, which EveryKey uses to manage their campaign, makes the process of sending surveys painless. They're quick, simple and hassle-free. They certainly don't take a week to send.

The Play Store

Let's assume at least one has been shipped... the app isn't in the Play Store.

It's not available to download via their website either, nor is the Windows binary or Chrome/Firefox extension.

Alas, EveryKey later admitted the Mac & iOS versions weren't ready for release but they estimate it'll be ready over the next few years/decades months.

Summary

Well, that's enough for amateur hour this week folks.

I really do appreciate your efforts in updating me on the situation, but this is likely to be the last I'll write about EveryKey.

Invest in a password manager and leave cryptography & security to the experts.
