Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Privacy Security

'World's Most Secure' Email Service Is Easily Hackable (vice.com) 77

Nomx, a startup that offers an email client by the same name, bills itself as the maker of the "world's most secure email service." The startup goes on to suggest that "everything else is insecure." So it was only a matter of time before someone decided to spend some time on assessing how valid Nomx's claims are. Very misleading, it turns out. From a report on Motherboard: Nomx sells a $199 device that essentially helps you set up your own email server in an attempt to keep your emails away from mail exchange (or MX) -- hence the brand name -- servers, which the company claims to be inherently "vulnerable." Security researcher Scott Helme took apart the device and tried to figure out how it really works. According to his detailed blog post, what he found is that the box is actually just a Raspberry Pi with outdated software on it, and several bugs. So many, in fact, that Helme wrote Nomx's "code is riddled with bad examples of how to do things." The worst issue, Helme explained, is that the Nomx's web application had a vulnerability that allowed anyone to take full control of the device remotely just by tricking someone to visit a malicious website. "I could read emails, send emails, and delete emails. I could even create my own email address," Helme told Motherboard in an online chat. A report on BBC adds: Nomx said the threat posed by the attack detailed by Mr Helme was "non-existent for our users." Following weeks of correspondence with Mr Helme and the BBC Click Team, he said the firm no longer shipped versions that used the Raspberry Pi. Instead, he said, future devices would be built around different chips that would also be able to encrypt messages as they travelled. "The large cloud providers and email providers, like AOL, Yahoo, Gmail, Hotmail - they've already been proven that they are under attack millions of times daily," he said. "Why we invented Nomx was for the security of keeping your data off those large cloud providers. To date, no Nomx accounts have been compromised."
This discussion has been archived. No new comments can be posted.

'World's Most Secure' Email Service Is Easily Hackable

Comments Filter:
  • First HOSTS (Score:2, Insightful)

    by Anonymous Coward

    My hosts file protects me and my email from hackers. Thanks APK!

  • by Anonymous Coward

    Anyone use proton mail? Is it as advertised?

    • by wardrich86 ( 4092007 ) on Thursday April 27, 2017 @01:11PM (#54314469)
      I use it, and I haven't had any issue. It's not as nice as gmail, but if you're looking for a relatively simplistic layout, and encrypted email - Proton is solid.
      • by Holi ( 250190 )
        How do you get around the blacklists, reverse dns issues, and port blocks?
      • by Holi ( 250190 )
        Oh sorry you are talking off topic
      • by Anonymous Coward on Thursday April 27, 2017 @02:26PM (#54314979)

        I use protonmail too and it seems to be about as secure as webmail could possibly be.

          The good:
        -hosted in Switzerland at CERN, away from the "five eyes".
        -Switzerland has data privacy in it's constitution.
        -unfortunately sometimes the authorities in Switzerland will ask information about a user and protonmail has to cooperate. but this happens rarely and always shows up on their quarterly transparency report. and they /don't/ have access to old messages on your account
        -your account logs every sign-in attempt and if it succeeded or failed, so you can tell if someone is trying to guess your password
        -your emails are symmetrically encrypted against your password, so they can't access your old emails without you even if they tried. (and a side effect of that is if you forget your password, they can recover your account, but not your old emails)
        -when two protonmail accounts email each other, it uses end-to-end encryption straight from one browser to the other
        -they have an work-around for emailing insecure accounts: you can choose to just send them clear text OR you tell someone a password in advance then instead of sending them your email message, it emails them a link to an encrypted protonmail webpage with your message in it. It's awkward but it's an option.

        The bad:
        -They put a signature in every email "sent from protonmail secure email". If you want to delete it you need to do it manually. Disabling it is a premium feature you have to pay for. ...IMO, beats NSA spying.

  • sorry... (Score:2, Funny)

    by eneville ( 745111 )

    Sorry but most secure email server is qmail. End of. That also can run on a pi.

  • by evolutionary ( 933064 ) on Thursday April 27, 2017 @01:09PM (#54314453)
    Claims like that are just hacker bait. First point of security, don't broadcast the strength of your security.
  • Just learn the basics of postfix or qmail on a FreeBSD server (you could use Debian or CentOS but, FreeBSD is supposedly best for security applications).
    • Sorry, I should have said OpenBSD. Think OpenBSD may be better than FreeBSD both are still good but OpenBSD had move specifics for security. Sorry about that slip.
    • by rtb61 ( 674572 )

      Instead do something that will actually work. Learn the basic of law and legislating and write laws to protect the security of email. Don't think it will work, well, how secure is snail mail, a bloody paper envelope that can be steamed upon, insecurity across the letters entire path but low and behold letters remain mostly secure. Want the same for email, encapsulate it and make it criminal offence with severe penalties to illegally open that digital envelope and when it is not addressed to you do not open

  • Re: (Score:2, Interesting)

    Comment removed based on user account deletion
    • Re: (Score:2, Interesting)

      by EvilSS ( 557649 )

      It appears the "hack" requires local hardware access to accomplish:

      https://nomx.com/ [nomx.com]

      The BBC provided the nomx devices for testing to a UK-based blogger who physically disassembled and rooted one of the nomx devices. Rooting was done, in his words, by disassembling the nomx case, physically removing memory card from the Raspberry and inserting it into his PC, and then resetting the root password. That is not an action a typical user would do, nor is it routine for a nomx device.

      Yea but was all that part of the exploit, or just the blogger picking apart the system to find the holes in the first place? In other words, would any of the exploits the blogger claimed to discover work on an out-of-the-box device?

      • Even if the blogger's "attach" was local, the fact it came with outdated components means it is vulnerable to unpatched vulnerabilities that are know on the Internet. That alone is pretty bad. The Blogger just didn't make the attempt remotely yet. Doesn't meant it can't be done, especially with outdated security (OpenSSL , for example) components.
      • Blog post is a long read but good.

        He reset the root account password so he could log in via ssh and poke around the filesystem. All the exploits he found were exploitable over the web interface (which is how the 'typical user' would interact with the device, using the default username/password of "admin@example.com" and "password") without the need to 'root' the system.
      • by AmiMoJo ( 196126 )

        According to TFA an exploit is possible via a simple iframe on a random web page. Physical access just made finding it easier.

    • by Anonymous Coward on Thursday April 27, 2017 @02:03PM (#54314837)

      The statement on nomx's website is horribly misleading. None of the attacks described require physical access or rooting; the security researcher just did those things to help find things. The CSRF attacks he was performing would work on any out-of-the-box nomx device.

    • by Anonymous Coward

      He did that to *Discover* the vulnerabilities. Read his blog article. Theres a hardcoded admin password to the web interface, it is vulnerable to countless vulnerabilities including simple cross site attacks, and literally no real security anywhere. Total scam.

  • They are selling a mail server for who? It's not like you can run this device on a residential internet account, at least not here in the US. Running a server is against most major ISP's TOS and the majority block smtp ports, Since reverse DNS will not resolve correctly you will be blacklisted by every major email provider. So who exactly is this for?
    • Re: (Score:3, Funny)

      by Anonymous Coward
      Hillary?
  • Who would think that unscrupulous people would trick people... now excuse me while I help this Nigerian prince rescue his fortune.

  • Isn't OpenPGP pretty much the best security one could reasonably hope for, for emails?

    • by arth1 ( 260657 )

      That depends on what you mean by "reasonably".
      I have worked for an entity where some e-mail communication used one-time-pads, exchanged in person. The e-mails were padded with a large but random amount of null data so the length wouldn't give anything away either, and read/written on airgapped machines, with only encrypted data leaving or entering the secure room.
      That's not too much work, given that e-mail is relatively low volume, and even huge pads can easily be held on tiny pieces of media these days.

  • If you go to their home page they have a long winded response. Basically what they said was:
    • This was either a prototype sent to the media or early adopter edition made on RPi's for people who didn't want to wait for the final version
    • The old software's vulnerability were few and you needed physical access to exploit
    • The prototype version is still secure but should be upgraded
    • Westand behind our claims on production grade equipment.

    So take what you want from that.

    • Re:NoMX's Response (Score:5, Informative)

      by sbrown7792 ( 2027476 ) on Thursday April 27, 2017 @03:16PM (#54315293)

      The old software's vulnerability were few and you needed physical access to exploit

      The researcher/blogger needed physical access to discover the exploits, but the CSRF attacks can be embedded onto any webpage, he even provides the code in his blog post.

      Side note: I'd suggest watching the nomx videos about "How it Works". Quality.

  • by BlackPignouf ( 1017012 ) on Thursday April 27, 2017 @03:05PM (#54315231)

    "Everything else is insecure" is actually a pretty clever claim. It doesn't tell anything about their security.

  • As far as I am aware, the only MTA that hasnt been hacked in a real-world situation is qmail [wikipedia.org], which is why it is still in use (and mostly unmodified - netqmail patches being the exception) since 1998.

You know you've landed gear-up when it takes full power to taxi.

Working...