Available since mid-March, Bitdefender Box 2 is a security appliance that, through network traffic analysis, aims to protect every device in the home: computers, smartphones, connected objects. It succeeds the Bitdefender Box we reviewed last July, which had not really convinced us: its features were relatively sparse and not very effective.
The vendor has doubled down with a second, far more powerful version, starting with the hardware. The first version made do with a single-core processor, 64 MB of DDR2 memory and 16 MB of storage. The new one has a dual-core processor, 1 GB of DDR3 memory and 4 GB of flash storage. These components need more cooling, which is why the motherboard sits in a noticeably larger, and therefore better ventilated, case.
This hardware upgrade allows Bitdefender to improve vulnerability analysis and to add a whole series of new security functions: prevention of vulnerability exploitation, protection against brute-force attacks, anomaly detection, sensitive data protection and advanced parental controls (not available until early 2019). On paper, Bitdefender Box 2 thus presents itself as a real shield against hacking, much like the intrusion detection and prevention systems (IDS/IPS) found in companies. What is it really worth?
Installing the box is no problem. Just connect it to the modem router, download the Bitdefender Central mobile app and follow the instructions. In the case of an ISP-supplied box, which is the most common setup, Bitdefender Box 2 clones the original Wi-Fi network, which then has to be disabled. But nothing prevents you from creating a new Wi-Fi network with a new SSID and keeping the old one. The latter, less secure than the new one, could then serve as a guest hotspot, for example.
Once installation is complete, the appliance automatically identifies the connected devices and, where possible, offers to install the vendor's security software. The purchase of Bitdefender Box 2 does indeed include a one-year subscription to the Total Security offer, which gives access to the entire Bitdefender range for an unlimited number of devices: desktops, laptops, tablets, smartphones.
The vendor has abandoned development of Box Agent, a piece of software without a graphical interface that could be installed on smartphones, tablets and computers. It was supposed to provide advanced management functionality without requiring installation of the Bitdefender suite, but in practice it did not work very well. So the vendor has simplified things, which is welcome.
Everything is then managed from the Bitdefender Central app. As before, the user can name devices and assign them to users. The Internet access blocking function is back and, this time, actually works: cutting or restoring the connection is almost immediate. In addition, it is now possible to define a fixed IP address and port forwarding for each connected device. For certain uses, such as remote access via FTP, this is very practical.
Let's turn to the security functions. The first good news concerns the vulnerability scan. Previously, this function ran automatically, with an analysis performed at random times in the Bitdefender cloud. The problem was that it didn't detect much. Now the vulnerability scan runs directly on the appliance and can be started at any time for any connected device. We tested it on a Western Digital NAS (MyBook) that we knew to be a real Swiss cheese. Bingo! Bitdefender Box 2 detected 48 flaws on it. The mobile app alerts the user and advises updating the device.
The only downside is that the list of flaws presented to the user generally indicates only the type of flaw: "memory corruption", "denial of service", "arbitrary code execution", "access violation", etc. We do not learn precisely where the flaw lies. At most, the system tells us that the device accepts unencrypted credentials over HTTP. Tested on an OSMC media box running on a Raspberry Pi, the vulnerability scan warned us of an "insecure" username or password, without saying that it was anonymous FTP access. That's good, but some users would like more detail.
Sensitive data protection aims to prevent passwords, bank card numbers, geolocation data and so on from being sent in the clear. And it works! Bitdefender Box 2 alerted us that a sports club's mobile app was sending login credentials from the iPhone over plain HTTP. This is very useful information, because there is no other easy way to find out. The user can then act accordingly and, for example, uninstall the app.
Brute-force attack protection also works, but only on unencrypted protocols. As a reminder, such attacks aim to crack a password by trying as many combinations as possible. A famous example is the Mirai worm, which infected a large number of devices armed only with a list of passwords.
To test this feature, we enabled remote access to FTP, FTPS and SSH on our media box. Then we launched brute-force attacks from the Internet using the Hydra software and a list of some 20 usernames and passwords (including the device's). Result: the attack on FTP was stopped, but not the attacks on FTPS or SSH. According to the vendor, this is because the appliance cannot decrypt the streams. "As part of our research roadmap, we are looking for ways to improve the brute force protection engine so that it also handles encrypted connections", Bitdefender specifies.
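The in-line brute-force protection described above only works on plaintext FTP because the box can read the login exchange on the wire; the same pattern is visible, for any protocol, in the server's own authentication log. The following is an added example (not Bitdefender's code and not from the review) of that server-side check in Python: it parses constructed vsftpd-style log lines, counts failed logins per client inside a sliding window, and reports any client that logged in successfully after being flagged. The threshold, the window, the device usernames and the sample addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in vsftpd's default log format. They are not
# captured from the media box in the review: one client sprays five
# usernames in four seconds and then gets in, the other is a legitimate
# user who mistyped the password once.
SAMPLE_LOG = """\
Thu Mar 15 10:00:01 2018 [pid 2101] [pi] FAIL LOGIN: Client "203.0.113.5"
Thu Mar 15 10:00:02 2018 [pid 2102] [admin] FAIL LOGIN: Client "203.0.113.5"
Thu Mar 15 10:00:02 2018 [pid 2103] [root] FAIL LOGIN: Client "203.0.113.5"
Thu Mar 15 10:00:03 2018 [pid 2104] [osmc] FAIL LOGIN: Client "203.0.113.5"
Thu Mar 15 10:00:04 2018 [pid 2105] [pi] FAIL LOGIN: Client "203.0.113.5"
Thu Mar 15 10:00:05 2018 [pid 2106] [osmc] OK LOGIN: Client "203.0.113.5"
Thu Mar 15 10:05:00 2018 [pid 2107] [osmc] FAIL LOGIN: Client "198.51.100.9"
Thu Mar 15 10:05:20 2018 [pid 2108] [osmc] OK LOGIN: Client "198.51.100.9"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"$'
)


def parse_line(line):
    """Turn one log line into a dict, or None for lines we do not understand."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
        "user": m["user"],
        "ok": m["result"] == "OK",
        "ip": m["ip"],
    }


def detect_bruteforce(log_text, max_failures=4, window=timedelta(seconds=60)):
    """Return {client_ip: time_flagged} for clients with more than
    max_failures failed logins inside any sliding window of `window`.
    Failures are counted per source IP regardless of username, because a
    spray across several accounts is exactly what a wordlist attack leaves."""
    recent = defaultdict(deque)   # client_ip -> timestamps of recent failures
    flagged = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["ok"]:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) > max_failures and ev["ip"] not in flagged:
            flagged[ev["ip"]] = ev["ts"]
    return flagged


def successes_after_flag(log_text, flagged):
    """Logins that succeeded from a flagged client at or after the moment it
    was flagged: the case that needs a credential change, not just a block."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["ok"] and ev["ip"] in flagged and ev["ts"] >= flagged[ev["ip"]]:
            hits.append((ev["ip"], ev["user"]))
    return hits


if __name__ == "__main__":
    flagged = detect_bruteforce(SAMPLE_LOG)
    print("flagged clients:", flagged)
    print("successful logins after flag:", successes_after_flag(SAMPLE_LOG, flagged))
```

Because it reads the server's log rather than the wire, the same detector covers FTPS and SSH once pointed at their logs (sshd's "Failed password" lines only need a different regex), which is how a host-side rule closes the gap the test above found with encrypted protocols.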
Below are the respective attacks on FTP, FTPS and SSH, as well as the alert received on Bitdefender Central.
Should malware nevertheless infect a device, Bitdefender Box 2 is supposed to detect its actions thanks to its anomaly detection function. We tested two iconic cases: enrolling the device in DDoS attacks and using a backdoor for spying.
For the first case, we used the Metasploit software to launch, from a PC on the Wi-Fi network, a SYN flood attack against an external test website (this consists in continuously sending TCP SYN requests). Result: Bitdefender Box 2 stopped the flow after a few seconds. A new filtering rule had apparently been created, because the device that launched the attack could no longer reach the targeted website at all.
Below: the alert received on Bitdefender Central, the attack executed from the PC and the traffic received on the target server:
To simulate a backdoor, we used the Ncat tool, which creates network connections between devices. We started it in listen mode on an external server. Then we tried to establish a connection from the "victim" device, giving the server the ability to execute shell commands on it. Unfortunately, Bitdefender Box 2 did not detect anything abnormal. However, this does not mean the appliance is completely useless. The vendor told us that "The anomaly detection engine must first establish a baseline. It needs to see the device work for about 2 weeks to learn what normal behavior looks like. After that, yes – once there is a connection to a new IP address, a new protocol or a new behavior, they will be marked as suspicious, blocked, and the user will be informed, with a suggestion on whether they wish to authorize it or not".
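To make the vendor's explanation concrete, here is an added example (not Bitdefender's engine and not from the review) of baseline-then-alert anomaly detection in Python. It learns, per device, the set of destination address, protocol and port seen during a learning period, then flags any later flow whose destination, protocol or port is new. The flow records are constructed; the device name, the 14-day period, the addresses and the (destination, protocol, port) triple used as the baseline key are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow summaries (device, time, destination IP, protocol,
# destination port). They are not traffic captured from the reviewed
# device: about two weeks of ordinary media-box traffic, then the same
# destinations again, then one outbound connection to an unknown host
# on an unusual port, the shape a backdoor callback would have.
SAMPLE_FLOWS = [
    ("osmc-box", "2018-03-01T20:00:00", "192.0.2.10", "tcp", 443),   # update server
    ("osmc-box", "2018-03-01T20:00:05", "192.0.2.20", "udp", 123),   # NTP
    ("osmc-box", "2018-03-05T21:15:00", "192.0.2.30", "tcp", 80),    # artwork CDN
    ("osmc-box", "2018-03-10T19:40:00", "192.0.2.10", "tcp", 443),
    ("osmc-box", "2018-03-14T22:00:00", "192.0.2.20", "udp", 123),
    ("osmc-box", "2018-03-16T20:10:00", "192.0.2.10", "tcp", 443),
    ("osmc-box", "2018-03-16T20:10:30", "192.0.2.20", "udp", 123),
    ("osmc-box", "2018-03-16T23:42:00", "198.51.100.77", "tcp", 4444),
]


class BaselineAnomalyDetector:
    """Per-device baseline of (destination, protocol, port) learned during a
    fixed period; afterwards every flow is compared against that baseline."""

    def __init__(self, learning_period=timedelta(days=14)):
        self.learning_period = learning_period
        self.first_seen = {}                 # device -> first flow timestamp
        self.baseline = defaultdict(set)     # device -> {(dst_ip, proto, port)}

    def observe(self, device, when, dst_ip, proto, port):
        """Feed one flow. Returns None while the device is still being
        learned, otherwise a verdict dict listing what looks new."""
        ts = datetime.fromisoformat(when)
        start = self.first_seen.setdefault(device, ts)
        key = (dst_ip, proto, port)
        if ts - start < self.learning_period:
            self.baseline[device].add(key)   # everything in the period counts as normal
            return None
        known = self.baseline[device]
        reasons = []
        if dst_ip not in {k[0] for k in known}:
            reasons.append("new destination IP")
        if proto not in {k[1] for k in known}:
            reasons.append("new protocol")
        if port not in {k[2] for k in known}:
            reasons.append("new destination port")
        return {"device": device, "flow": key, "suspicious": bool(reasons),
                "reasons": reasons}


def analyse(flows, learning_period=timedelta(days=14)):
    """Run the detector over a list of flows and return the suspicious verdicts."""
    det = BaselineAnomalyDetector(learning_period)
    verdicts = (det.observe(*f) for f in flows)
    return [v for v in verdicts if v is not None and v["suspicious"]]


if __name__ == "__main__":
    for verdict in analyse(SAMPLE_FLOWS):
        print(verdict)
```

The example also shows the weakness the test above ran into: a connection made during the learning period becomes part of the baseline, so an outbound shell established before the two weeks are up is never flagged, and any change in a legitimate destination (a CDN rotating addresses, say) shows up as a new IP until the user approves it.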
Regarding URL filtering, we were a little disappointed. We tested around 30 malicious URLs from phishtank.com and got a 56% detection rate, which is not great. Oddly, this function was more effective in the previous version of Bitdefender Box.
Finally, note that all these security functions come at a cost in network performance. In our tests, the impact on downstream throughput was negligible. Upstream throughput, on the other hand, was... divided by three.
In conclusion, Bitdefender Box 2 is a rather good product. This type of appliance will not block every conceivable attack, but its security functions are real and provide an additional, worthwhile line of defense for every device in the home. The list price of 250 euros seems a bit steep to us, however. Owners of the first version nevertheless get a 100-euro discount, and others can currently benefit from a 50-euro promotional discount.