This all started with an email from a publicist offering to provide me with a sample of the Kwilt Shoebox in exchange for a review. The Kwilt Shoebox is a device designed to allow you to build a “personal cloud” — it connects to your smartphone and other devices via WiFi and allows you to offload files/photos to it in order to free up storage.
Eventually I received the device. Upon opening the package, I was presented with some tasteful packaging and a series of adapters for the device. The Shoebox is designed to connect to USB storage mediums such as a flash drive or external hard drive. It only features a Micro-USB port for interfacing with peripherals, so a Micro-USB to USB-A adapter is included in the box. The Shoebox can also connect to a TV to display your photos; it comes equipped with a Mini-HDMI connector, so another adapter is included in the box.
At this point something started to feel strange. For a device designed to connect directly to storage mediums and TVs, this choice of using adapters instead of just the correct connector was odd. The placement of the ports also felt a little weird — the power and USB ports use the same connector and are placed directly adjacent to each other, which could cause some confusion.
The next thing that caught my eye was a large silver sticker not featured in promotional shots of the device. The sticker is plastered across the side of the Shoebox, not on the bottom like one might expect. Listed in very small print on the bottom of this sticker are the words “removing this label will void your warranty,” which is tech-speak for “something interesting is underneath here.” Naturally, I peeled it off.
Seeing what was underneath the sticker made everything click into place. The green PCB, familiar layout of pins, and the word “Raspberry” peeking out from under the red case all immediately reveal that this device is in fact a Raspberry Pi Zero W.
This is the first time I’ve ever seen a Raspberry Pi device make it into a consumer product without immediately revealing itself. I have definitely seen other RPi products before; for example, the AstroBox 3D printer interface is based around the Zero’s bigger sibling. The difference here is that AstroPrint makes it very clear that the device is powered by a Raspberry Pi — it’s targeted towards makers and individuals that would likely want to modify the hardware. The Kwilt website, however, makes no mention of the Raspberry Pi anywhere. This makes sense considering the Shoebox’s targeted market of general consumers who wouldn’t have much of a desire to hack the device.
Using the Raspberry Pi as a platform is a smart decision on the part of Kwilt for numerous reasons. It has all the necessary capabilities to fulfill the goal of the company, and all of the Zero’s ports can be utilized for real purposes, meaning there are few wasted costs. Additionally, it’s likely that FCC and other licensing is much easier given that the Raspberry Pi Zero is already licensed. And, of course, there are no custom hardware fabrication and design costs. This allows Kwilt to focus their efforts on their well-done web app and mobile app that allow customers to interface with the device.
Even the case that houses the device is created by the Raspberry Pi Foundation. I totally understand Kwilt’s approach to this project — they didn’t want to deal with creating a circuit, manufacturing that circuit, packaging the circuit, and more just to realize their initial concept. Kwilt can focus purely on creating a software interface for this project, which is really the heart of the whole system. No hardware experience necessary.
My next thought concerned the security of such a platform. I located the IP address of the Shoebox and ran a scan via nmap to get networking information about the device.
Sure enough, the Shoebox reveals to us that it’s running stock Raspbian, and that port 22 is open for SSH like on a stock Raspberry Pi. Kwilt developers were smart enough to change the default SSH password away from “raspberry”, which would have granted easy access to the device.
Next, I tried interrogating my poor Shoebox for a few days using Hydra. Hydra is a password-cracking tool that essentially tries to brute force its way into a device by trying different passwords over and over again. I made mine a little smarter by downloading a 60Mb file containing the most frequently used passwords. I got all the way from “123456” to “nachito” without finding a valid key, so the password securing SSH is at least relatively good. An analysis of all of the traffic coming into and out of the Shoebox reveals that all essential operations are performed via HTTPS, which is also good to see.
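From the device owner's side, days of repeated password guesses like this leave a clear trail in sshd's authentication log. The following is an added example, not part of the original post or Kwilt's software: a small detector that flags source addresses producing bursts of failed SSH password logins. The log lines, the hostname `shoebox`, the addresses, and the threshold, window and year parameters are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the traditional syslog format sshd writes to
# /var/log/auth.log on Raspbian; hostname and addresses are made up.
SAMPLE_LOG = """\
Mar  3 10:15:01 shoebox sshd[811]: Failed password for pi from 192.168.1.50 port 50122 ssh2
Mar  3 10:15:03 shoebox sshd[811]: Failed password for pi from 192.168.1.50 port 50122 ssh2
Mar  3 10:15:05 shoebox sshd[813]: Failed password for pi from 192.168.1.50 port 50124 ssh2
Mar  3 10:15:07 shoebox sshd[813]: Failed password for invalid user admin from 192.168.1.50 port 50124 ssh2
Mar  3 10:15:09 shoebox sshd[815]: Failed password for pi from 192.168.1.50 port 50126 ssh2
Mar  3 10:20:00 shoebox sshd[820]: Failed password for pi from 192.168.1.20 port 40000 ssh2
Mar  3 10:20:10 shoebox sshd[820]: Accepted password for pi from 192.168.1.20 port 40000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def detect_bruteforce(log_text, threshold=5, window_s=60, year=2024):
    """Summarise SSH password logins per source IP.

    burst: at least `threshold` failures fell inside one `window_s` window.
    success_after_burst: a login was accepted from an IP already flagged.
    Syslog timestamps carry no year, so `year` is supplied (assumption).
    """
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)  # per-IP timestamps of recent failures
    report = defaultdict(
        lambda: {"failures": 0, "burst": False, "success_after_burst": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd password-auth line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        entry, q = report[m["ip"]], recent[m["ip"]]
        if m["result"] == "Failed":
            entry["failures"] += 1
            q.append(ts)
            while ts - q[0] > window:  # drop failures outside the window
                q.popleft()
            if len(q) >= threshold:
                entry["burst"] = True
        elif entry["burst"]:
            entry["success_after_burst"] = True  # a guess may have worked
    return dict(report)
```

A single mistyped password followed by a successful login (192.168.1.20 in the sample) is not flagged; only a sustained run of failures is.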
All in all, the Shoebox appears to be a powerful device that makes good use of the capabilities of the Raspberry Pi Zero W. The $60 price tag on the device is a significant markup over the $10 Zero W, but given that the company includes a bunch of adapters and a 32-Gb USB key, and that they need to pay all their software engineers and marketers, this makes sense. Obviously the Pi Zero platform is viable for consumer products, so I’m curious to see where other companies take this next.