
'World's Most Secure' Email Service Is Easily Hackable (vice.com)

Nomx, a startup that offers an email client by the same name, bills itself as the maker of the "world's most secure email service." The startup goes on to suggest that "everything else is insecure." So it was only a matter of time before someone decided to spend some time assessing how valid Nomx's claims are. Very misleading, it turns out.

From a report on Motherboard: Nomx sells a $199 device that essentially helps you set up your own email server in an attempt to keep your emails away from mail exchange (or MX) -- hence the brand name -- servers, which the company claims to be inherently "vulnerable." Security researcher Scott Helme took apart the device and tried to figure out how it really works. According to his detailed blog post, what he found is that the box is actually just a Raspberry Pi with outdated software on it, and several bugs. So many, in fact, that Helme wrote that Nomx's "code is riddled with bad examples of how to do things." The worst issue, Helme explained, is that Nomx's web application had a vulnerability that allowed anyone to take full control of the device remotely just by tricking someone into visiting a malicious website. "I could read emails, send emails, and delete emails. I could even create my own email address," Helme told Motherboard in an online chat.

A report on the BBC adds: Nomx said the threat posed by the attack detailed by Mr Helme was "non-existent for our users." Following weeks of correspondence with Mr Helme and the BBC Click team, he said the firm no longer shipped versions that used the Raspberry Pi. Instead, he said, future devices would be built around different chips that would also be able to encrypt messages as they travelled. "The large cloud providers and email providers, like AOL, Yahoo, Gmail, Hotmail - they've already been proven that they are under attack millions of times daily," he said. "Why we invented Nomx was for the security of keeping your data off those large cloud providers. To date, no Nomx accounts have been compromised."
  • First HOSTS (Score:2, Insightful)

    by Anonymous Coward

    My hosts file protects me and my email from hackers. Thanks APK!

  • by Anonymous Coward

    Anyone use proton mail? Is it as advertised?

    • by wardrich86 ( 4092007 ) on Thursday April 27, 2017 @02:11PM (#54314469)
      I use it, and I haven't had any issue. It's not as nice as gmail, but if you're looking for a relatively simplistic layout, and encrypted email - Proton is solid.
      • by Holi ( 250190 )
        How do you get around the blacklists, reverse dns issues, and port blocks?
      • by Holi ( 250190 )
        Oh sorry you are talking off topic
      • by Anonymous Coward on Thursday April 27, 2017 @03:26PM (#54314979)

        I use protonmail too and it seems to be about as secure as webmail could possibly be.

        The good:
        -hosted in Switzerland at CERN, away from the "five eyes".
        -Switzerland has data privacy in its constitution.
        -unfortunately, sometimes the authorities in Switzerland will ask for information about a user and protonmail has to cooperate. But this happens rarely and always shows up in their quarterly transparency report. And they /don't/ have access to old messages on your account.
        -your account logs every sign-in attempt and whether it succeeded or failed, so you can tell if someone is trying to guess your password.
        -your emails are symmetrically encrypted against your password, so they can't access your old emails without you even if they tried. (A side effect of that is that if you forget your password, they can recover your account, but not your old emails.)
        -when two protonmail accounts email each other, it uses end-to-end encryption straight from one browser to the other.
        -they have a work-around for emailing insecure accounts: you can choose to just send them clear text, OR you tell someone a password in advance; then, instead of sending them your email message, it emails them a link to an encrypted protonmail webpage with your message in it. It's awkward but it's an option.

        The bad:
        -They put a signature in every email: "sent from protonmail secure email". If you want to delete it you need to do it manually. Disabling it is a premium feature you have to pay for. ...IMO, beats NSA spying.

  • sorry... (Score:2, Funny)

    by eneville ( 745111 )

    Sorry, but the most secure email server is qmail. End of. That can also run on a Pi.

  • by evolutionary ( 933064 ) on Thursday April 27, 2017 @02:09PM (#54314453)
    Claims like that are just hacker bait. First point of security: don't broadcast the strength of your security.
  • Just learn the basics of postfix or qmail on a FreeBSD server (you could use Debian or CentOS, but FreeBSD is supposedly best for security applications).
    • Sorry, I should have said OpenBSD. I think OpenBSD may be better than FreeBSD; both are still good, but OpenBSD has more specifics for security. Sorry about that slip.
    • by rtb61 ( 674572 )

      Instead do something that will actually work. Learn the basics of law and legislating and write laws to protect the security of email. Don't think it will work? Well, how secure is snail mail, a bloody paper envelope that can be steamed open, insecurity across the letter's entire path, but lo and behold, letters remain mostly secure. Want the same for email? Encapsulate it and make it a criminal offence with severe penalties to illegally open that digital envelope, and when it is not addressed to you, do not open it.

  • Re: (Score:2, Interesting)

    Comment removed based on user account deletion
    • Re: (Score:2, Interesting)

      by EvilSS ( 557649 )

      It appears the "hack" requires local hardware access to accomplish:

      https://nomx.com/

      The BBC provided the nomx devices for testing to a UK-based blogger who physically disassembled and rooted one of the nomx devices. Rooting was done, in his words, by disassembling the nomx case, physically removing the memory card from the Raspberry and inserting it into his PC, and then resetting the root password. That is not an action a typical user would do, nor is it routine for a nomx device.

      Yeah, but was all that part of the exploit, or just the blogger picking apart the system to find the holes in the first place? In other words, would any of the exploits the blogger claimed to discover work on an out-of-the-box device?

      • Even if the blogger's "attack" was local, the fact that it came with outdated components means it is vulnerable to unpatched vulnerabilities that are known on the Internet. That alone is pretty bad. The blogger just didn't make the attempt remotely yet. Doesn't mean it can't be done, especially with outdated security components (OpenSSL, for example).
      • Blog post is a long read but good.

        He reset the root account password so he could log in via ssh and poke around the filesystem. All the exploits he found were exploitable over the web interface (which is how the 'typical user' would interact with the device, using the default username/password of "admin@example.com" and "password") without the need to 'root' the system.
      • by AmiMoJo ( 196126 )

        According to TFA an exploit is possible via a simple iframe on a random web page. Physical access just made finding it easier.

    • by Anonymous Coward on Thursday April 27, 2017 @03:03PM (#54314837)

      The statement on nomx's website is horribly misleading. None of the attacks described require physical access or rooting; the security researcher just did those things to help find things. The CSRF attacks he was performing would work on any out-of-the-box nomx device.

    • by Anonymous Coward

      He did that to *discover* the vulnerabilities. Read his blog article. There's a hardcoded admin password to the web interface, it is vulnerable to countless vulnerabilities including simple cross-site attacks, and there is literally no real security anywhere. Total scam.

  • They are selling a mail server for whom? It's not like you can run this device on a residential internet account, at least not here in the US. Running a server is against most major ISPs' TOS and the majority block SMTP ports. Since reverse DNS will not resolve correctly, you will be blacklisted by every major email provider. So who exactly is this for?
    • Re: (Score:3, Funny)

      by Anonymous Coward
      Hillary?
  • Who would think that unscrupulous people would trick people... now excuse me while I help this Nigerian prince rescue his fortune.

  • Isn't OpenPGP pretty much the best security one could reasonably hope for, for emails?

    • by arth1 ( 260657 )

      That depends on what you mean by "reasonably".
      I have worked for an entity where some e-mail communication used one-time pads, exchanged in person. The e-mails were padded with a large but random amount of null data so the length wouldn't give anything away either, and read/written on airgapped machines, with only encrypted data leaving or entering the secure room.
      That's not too much work, given that e-mail is relatively low volume, and even huge pads can easily be held on tiny pieces of media these days.
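      The scheme this comment describes (a one-time pad plus a random run of null padding so the ciphertext length hides the message length), as an added example that is not the commenter's or any real deployment's code: the pad here is a constructed random buffer, and the offset bookkeeping is the part that keeps the pad "one-time".

```python
from __future__ import annotations
import secrets
import struct

# Constructed pad for the demonstration. In the scheme the comment describes
# the real pad would come from a hardware RNG and be carried in by hand.
PAD = secrets.token_bytes(4096)

LEN_HDR = struct.Struct(">I")   # true message length, encrypted along with the body
MAX_NULLS = 512                 # upper bound on the random null padding


def otp_encrypt(message: bytes, pad: bytes, offset: int) -> tuple[bytes, int]:
    """Encrypt one message with fresh pad bytes starting at `offset`.

    The length header and a random run of null bytes are encrypted together
    with the message, so the ciphertext length reveals only a random value
    in [len(message)+4, len(message)+4+MAX_NULLS], not the true length.
    Returns (ciphertext, new_offset); the caller must persist new_offset,
    because reusing a single pad byte destroys the one-time pad's secrecy.
    """
    padded = LEN_HDR.pack(len(message)) + message + b"\x00" * secrets.randbelow(MAX_NULLS + 1)
    end = offset + len(padded)
    if end > len(pad):
        raise ValueError("pad exhausted: exchange a new pad, never rewind the offset")
    ciphertext = bytes(m ^ k for m, k in zip(padded, pad[offset:end]))
    return ciphertext, end


def otp_decrypt(ciphertext: bytes, pad: bytes, offset: int) -> tuple[bytes, int]:
    """Reverse otp_encrypt: strip the pad, read the true length, drop the nulls."""
    end = offset + len(ciphertext)
    if end > len(pad):
        raise ValueError("ciphertext runs past the end of the pad")
    plain = bytes(c ^ k for c, k in zip(ciphertext, pad[offset:end]))
    if len(plain) < LEN_HDR.size:
        raise ValueError("ciphertext too short to carry a length header")
    (length,) = LEN_HDR.unpack_from(plain)
    return plain[LEN_HDR.size:LEN_HDR.size + length], end
```

      Both sides must advance the same offset; a sender and receiver that disagree on it decrypt garbage, which is also the only signal that a pad byte was reused or skipped.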

  • If you go to their home page they have a long-winded response. Basically what they said was:
    • This was either a prototype sent to the media or an early adopter edition made on RPi's for people who didn't want to wait for the final version
    • The old software's vulnerabilities were few and you needed physical access to exploit them
    • The prototype version is still secure but should be upgraded
    • We stand behind our claims on production grade equipment.

    So take what you want from that.

    • Re:NoMX's Response (Score:5, Informative)

      by sbrown7792 ( 2027476 ) on Thursday April 27, 2017 @04:16PM (#54315293)

      The old software's vulnerabilities were few and you needed physical access to exploit them

      The researcher/blogger needed physical access to discover the exploits, but the CSRF attacks can be embedded in any webpage; he even provides the code in his blog post.

      Side note: I'd suggest watching the nomx videos about "How it Works". Quality.
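      Added example (not from Helme's post, Nomx's code, or anyone in this thread) of the server-side check that stops the cross-site request forgery the two comments above describe: a state-changing request to the device's admin UI must carry a per-session token and arrive from the device's own origin, so a request fired from an iframe on another site is refused even though the browser attaches the session cookie. DEVICE_ORIGIN and the function names are hypothetical.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical origin of the device's own admin UI (constructed for the example).
DEVICE_ORIGIN = "https://mailbox.example.lan"


def issue_csrf_token(session: dict) -> str:
    """Generate a per-session synchronizer token and remember it server-side.

    The UI embeds this token in its own forms; a page on another site
    cannot read it, so it cannot forge a request that carries it.
    """
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def same_origin(headers: dict) -> bool:
    """Accept only requests whose Origin (or Referer) is the device itself.

    Browsers set Origin on cross-site POSTs, including ones fired from an
    iframe on an unrelated page, so any other value (or no header at all)
    means the request did not come from the admin UI. Fail closed.
    """
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == DEVICE_ORIGIN


def authorize_state_change(session: dict, headers: dict, form: dict) -> bool:
    """Gate every state-changing request (create account, delete mail, ...).

    A valid session cookie alone is not enough: the browser attaches it to
    every request to the device, which is exactly what the CSRF attacks
    described in the thread relied on. Both checks must pass.
    """
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    token_ok = bool(expected) and hmac.compare_digest(expected.encode(), supplied.encode())
    return token_ok and same_origin(headers)
```

      Marking the session cookie SameSite=Strict and rotating the default admin credentials on first boot are the complementary measures; the token and origin checks above are the part the device must enforce on every request that changes state.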

  • by BlackPignouf ( 1017012 ) on Thursday April 27, 2017 @04:05PM (#54315231)

    "Everything else is insecure" is actually a pretty clever claim. It doesn't tell anything about their security.

  • As far as I am aware, the only MTA that hasn't been hacked in a real-world situation is qmail, which is why it has been in use, mostly unmodified (netqmail patches being the exception), since 1998.
