Tor anonymity gateway-maker InvizBox chases VPN subscriptions down rabbit hole

The InvizBox Tor-gateway router stopped receiving firmware and security updates two years after release. Ten months later, InvizBox decided to try and reinvent their product with an alternative firmware that focused on selling virtual private network (VPN) services from InvizBox instead of relying on the free Tor onion network.

InvizBox was a specialized Wi-Fi router that acted as a gateway to the Tor onion network. That is no longer what the product does, but you can read my 2016 review of InvizBox for the historical perspective.

The economy of maintaining device firmware has shifted from using the free Tor anonymizing network to selling subscription services. InvizBox sent out an email to existing customers offering “90 days free VPN service” to incentivize existing customers to upgrade from their now unsupported Tor firmware to the newer VPN firmware.

90 days of free VPN sounded interesting and I thought I could get a little more life out of my InvizBox. I was sold and proceeded to upgrade my device’s firmware. This experience would end up completely changing my impressions about the InvizBox.

Firmware upgrades are complicated

InvizBox firmware doesn’t support auto-updating to new versions and customers have to follow what I can only describe as an involved and manual update process to update their devices. It’s 2018 and there is universal agreement that auto-updates are essential for anything connected to the internet. InvizBox must have missed the memo on that one.

I kept my InvizBox up to date while it was still supported and was well-versed in its upgrade process. However, this time around I ran into a problem. The InvizBox would run out of memory and crash during the upgrade. From reading the changelog of the new firmware update, I noticed an entry that said they’d fixed an issue where the Tor software wouldn’t stop running while upgrading and this would cause the out-of-memory issue. Unplugging the WAN Ethernet cable worked around the issue and let me install the upgrade.

The first thing I noticed after installing the upgrade was that the device was still running the same old version of the LEDE/OpenWRT firmware as before. It wasn’t much of an upgrade of the underlying operating system, in other words.

The InvizBox broadcasts a network called “InvizBox”, but none of my devices could connect to it after the upgrade. I reconnected to the InvizBox over LAN but ran into another serious problem with the web administration. The setup wizard returns an HTTP 403 Forbidden status code, meaning that I’m not logged in. At no point did the web interface prompt me to log in or provide the administration password, however. There was no visual feedback other than a blank page and I had to resort to my web browser’s developer tools to read the error status code.

Using some extremely simplistic URL hacking, I managed to get a session cookie which let me access the setup wizard. The wizard required me to agree to a Terms of Service and an Acceptable Use Policy for the InvizBox VPN service. These documents weren’t bundled with the firmware and were linked to the website instead. This is more of a roadblock than it may sound like as I’m connecting to a device that hasn’t yet been connected to the internet. You either have to review the documents using another device or disconnect from the InvizBox and connect to another internet-connected network to review the policy documents. I’m sure that lawyers everywhere could argue with good reason that these policy documents aren’t legally enforceable as they’re not made available to the customer at the point when the customer is required to agree to them.

After you agree to the policies you land on a page asking you to log in to your InvizBox VPN service user account. There is no information on how or where you’d register for such an account anywhere on that page. So at this point you again have to disconnect from the InvizBox and return to another internet-connected network. It would turn out to not be a simple task to set up this account even with working internet, however.

Did InvizBox want to sell me VPN services or not?

All of this work was to get the privilege of paying for InvizBox’s VPN services. However, the VPN services were surprisingly difficult to sign up for.

The InvizBox website is all focused on selling hardware–VPN-service bundles to the extent that there isn’t an option anywhere to just buy the VPN service. There is nowhere to go if you already have the hardware and have upgraded your firmware. As I mentioned above, there also isn’t any information on how you sign up for the service in the setup wizard.

There is a support page talking about upgrading to the VPN-enabled InvizBox. However, the suggested process assumes you have an InvizBox account; something you can’t register for on the website without purchasing a new hardware product.

There is no pricing information available for what the VPN service renewal will cost you if you do purchase a hardware product. The lack of pricing information should be worrying to anyone that considers purchasing a product from InvizBox.

InvizBox sent me a promotional email with details about the Tor-to-VPN service firmware upgrade. It promised 90 days of free VPN services to customers who upgraded their firmware. I didn’t investigate this promotional offer too closely prior to upgrading my firmware as I assumed the InvizBox’s on-device web interface itself would guide me through the sign-up process. I can’t find any references to this promotional offer anywhere on the InvizBox website. They seem to have changed their minds about providing customers with a free 90-day trial period after sending out the promotional email.

Conclusions

In the end I never got around to testing how the VPN services on the InvizBox worked as I could never figure out how to sign up for the service. I never actually purchased a VPN router so I’m actually okay with never having one either.

The base firmware, LEDE/OpenWRT, is technically capable of connecting to any VPN service from any VPN provider. The Vilfo VPN router comes to mind. However, the firmware on the InvizBox can’t easily be configured to use another VPN service.

The InvizBox received security and firmware updates for the first two years of its life, and I appreciate that InvizBox chose to maintain it for that long. I’ll not hold it against them that they stopped providing updates after two years considering that the device was quite inexpensive. However, I don’t appreciate that they never informed me that the product was discontinued and wouldn’t receive any further updates.