The project to build a tiny, anonymity-focused router known as Anonabox has overcome plenty of hurdles to get to market: critics who pointed to gaping flaws in its promised security, others who argued that it was a mere repackaging of stock Chinese hardware, and eventually Kickstarter's decision to freeze its $600,000 fundraising campaign. But even after a second, more successful fundraiser, its acquisition by a larger tech firm, and the milestone of shipping the first batches of routers to customers, it turns out that Anonabox should have listened more closely to its detractors.

Late last month, Anonabox began contacting the first round of customers who bought its tiny, $100 privacy gadget to warn them of serious security flaws in the device, and to offer to ship them a more secure replacement free of charge. While the miniature routers do direct all of a user's Internet traffic over Tor as promised, the company has confirmed to WIRED that its first batch lacked basic password protection, with no way to keep out unwanted users in Wi-Fi range. And worse yet, the faulty Anonaboxes have another bug that would allow those Wi-Fi intruders to completely hijack the device, snooping on or recording all of a user's traffic.

To be clear, password protection is a basic feature of any Wi-Fi router, from the high-end to the very cheap—not to mention one that promises total anonymity. That an ostensibly privacy-focused router lacked that fundamental protection is an incredible oversight.

The two flaws combined make the affected devices "downright dangerous to use," says the security researcher and consultant who uncovered them, Lars Thomsen. "This is worse than not using any privacy device at all. Anyone in range can listen to your traffic without you noticing," Thomsen says. "Anyone can gain access to the device and install a sniffer to capture all that traffic."

The company’s new CEO Marc Lewis, who was brought in to lead the project by Anonabox’s new parent company Sochule Incorporate, insists that Anonabox’s replacement scheme is merely a “free upgrade.” But we're calling it a "recall": In its current state, Anonabox gives users the privacy of Tor, but leaves them vulnerable to any eavesdropper in Wi-Fi range. Given the severity of the device’s security gaffes, affected users should treat the company’s warning as the product recall that it is, and replace their Anonaboxes immediately.

Anonabox has emphasized, however, that only a small number of its earliest devices were shipped with the security problems: 350 out of the 1,500 or so sold as part of Anonabox's Indiegogo campaign. At the time of publication, 137 of those devices have since been replaced. Since that initial batch, Anonabox says that it's patched the flaws in later devices.

"Prior to Sochule Inc’s acquisition of Anonabox and completely out of our control, a number of the first batches of Anonaboxes were shipped without a password for the Wi-Fi," reads an email sent to customers of the insecure routers starting late last month. "Anyone that has received an Anonabox device without a password may ship their device back in good working order for a new Anonabox device...We will immediately escalate your order to the front of the line for processing, return shipment, and a new Anonabox device w/ the Wi-Fi enabled WPA2-PSK encryption."

Anonabox has been criticized for its security flaws since the project first went public in October. Its promise of an easy hardware tool for anonymizing all of a user's online activities helped the project blow past its initial fundraising goal of $7,500 to reach more than $600,000 of funding in just days. But critics soon pointed out that, based on an audit of Anonabox's open source code, the device didn't enable password protection of its Wi-Fi network by default. One researcher was able to crack its hard-coded root password—which was "developer!" in all devices—so that any nearby wireless attacker could take control of the device.

Then, Kickstarter pulled Anonabox's campaign due to what it described as false claims about the project's custom-designed hardware. But Anonabox relaunched on the crowdfunding site Indiegogo, raising more than $82,000, and in March was acquired by Sochule, a tech parent company that controls several other small startups, mostly in social media.

Anonabox's current security problems came to light on Sunday night, when Thomsen posted an analysis of an Anonabox he had purchased. In some ways, the bugs he found were even worse than the ones critics had identified before it shipped. Thomsen's Anonabox not only had no Wi-Fi password by default, but it wouldn't let the user set one. Its root password was now "admin," giving anyone in Wi-Fi range who could guess that word full control of the device. "It was my fourth guess," says Thomsen.

Thomsen isn't an entirely objective critic: He's previously worked on a competing, anonymity-focused router known as Cloak that failed to meet its Kickstarter goal. But Steve Lord, a UK-based penetration tester and co-founder of the security conference 44Con, reviewed Thomsen's findings and agrees that anyone using that version of the Anonabox is at "extreme risk."

"This is what happens when you combine amateur hour with money," says Lord. "It's not surprising Anonabox is trying to recall it and cover their tracks. It’s a total train wreck."

Anonabox's founder August Germar and CEO Marc Lewis also confirmed Thomsen's findings in a phone interview with WIRED. They pointed out that the company had been aware of the problems for weeks. Anonabox started emailing affected users on March 23, and sent out a press release meant to address the issue on April 1. But that release stated only that Anonabox was adding new security features. It didn't explicitly state that some Anonabox devices have a security problem or that they should be replaced.

Lewis says that Anonabox has learned its lesson, and is now enlisting outside security consultants to review its products. And in the meantime, he argues that Sochule has done everything it can to patch Anonabox's bugs. "The very first thing we did when we acquired the company was put the password on there," Lewis says. "We took over a shitstorm of [public relations], and we’re trying to put best practices in place."