A BBC Click investigation has performed extensive testing on small, personal email server, Nomx and found that its claims of providing “world’s most secure communications protocol” to protect email messages are false and that the security can be compromised.
However, Will Donaldson, CEO and CTO of Nomx, has continued to dispute that the tests done by UK researchers on its gadgets were not fair and an up-to-date version is available for testing.
A team of UK researchers from the University of Surrey along with Professor Alan Woodward and Scott Helme cracked the device’s simple passwords and hacked its hardware and software. They analysed the device and found failure on a number of security promises including outdated software. Thereafter, they issued a statement to press which claimed that the devices which were powered by the Raspberry Pi “were primarily used for demonstration and media use.”
Till date, every single major email provider has been hacked.
For the security test of Nomx, BBC provided the retail packaged device which had a starting price of $199! The Nomx personal email server costs from $199 – $399 (£155 – £310) and its publicity material claim it is designed to handle email communications for consumers. It says that using a dedicated personal server, users can help to stop messages being copied and hacked as they travel to their destination across the net.
“Rooting was done by taking the memory card from the Raspberry and inserting it into the PC, and then resetting the root password,” said, Donaldson.
“This process allowed him to access the nomx from his local network. He then created a very specialised code that was unique to the management page of the nomx device he had in his possession. This code originated from a Cross Site Request Forgery, requires users to click a link or visit a hacked website, and that link then performs actions from the users’ browsers when it downloads the package from the internet.”
“After he created the code, he loaded it to his own webpage to target the nomx device he had previously rooted and was in his possession and on his own network. He then simply modified the nomx data through a website link that he clicked himself. The act of the attack would require very detailed information about the local nomx device and a subsequent phishing link sent to the proposed victim or by visiting a third party compromised website and the victim must have been logged in to their nomx device initially and then accept the phishing link or visit the compromised website.”
The PCB inside the device took up about 25 percent of the footprint of the device. The MAC address on the bottom is also the prefix from the Raspberry Pi Foundation. They own the B8-27-EB assignment which you can search for on the IEEE website.
As the operating system for the Pi sits on a removable memory card, Mr Helme was able to download the device’s core code so he could examine it closely.
During the investigation, researchers also found that PHP file can be edited if one sees the SSH instructions.
Donaldson claimed that because of this effort, “the threat was non-existent for our users, even if they were to have an earlier version and code.” He accused Helme of not being fair or accurate in his findings, “because no nomx devices were actually compromised or could be compromised unless the users were to take those steps, which could not occur in a real-world situation outside of the lab.”