Slashdot Mirror


'World's Most Secure' Email Service Is Easily Hackable (vice.com)

Nomx, a startup that offers an email client by the same name, bills itself as the maker of the "world's most secure email service." The startup goes on to suggest that "everything else is insecure." So it was only a matter of time before someone decided to spend some time on assessing how valid Nomx's claims are. Very misleading, it turns out.

From a report on Motherboard: Nomx sells a $199 device that essentially helps you set up your own email server in an attempt to keep your emails away from mail exchange (or MX) -- hence the brand name -- servers, which the company claims to be inherently "vulnerable." Security researcher Scott Helme took apart the device and tried to figure out how it really works. According to his detailed blog post, what he found is that the box is actually just a Raspberry Pi with outdated software on it, and several bugs. So many, in fact, that Helme wrote Nomx's "code is riddled with bad examples of how to do things." The worst issue, Helme explained, is that Nomx's web application had a vulnerability that allowed anyone to take full control of the device remotely just by tricking someone into visiting a malicious website. "I could read emails, send emails, and delete emails. I could even create my own email address," Helme told Motherboard in an online chat.

A report on BBC adds: Nomx said the threat posed by the attack detailed by Mr Helme was "non-existent for our users." Following weeks of correspondence with Mr Helme and the BBC Click Team, he said the firm no longer shipped versions that used the Raspberry Pi. Instead, he said, future devices would be built around different chips that would also be able to encrypt messages as they travelled. "The large cloud providers and email providers, like AOL, Yahoo, Gmail, Hotmail - they've already been proven that they are under attack millions of times daily," he said. "Why we invented Nomx was for the security of keeping your data off those large cloud providers. To date, no Nomx accounts have been compromised."

77 comments

  1. First HOSTS by Anonymous Coward · · Score: 2, Insightful

    My hosts file protects me and my email from hackers. Thanks APK!

  2. How about Proton mail? by Anonymous Coward · · Score: 1

    Anyone use proton mail? Is it as advertised?

    1. Re:How about Proton mail? by wardrich86 · · Score: 4, Informative

      I use it, and I haven't had any issue. It's not as nice as gmail, but if you're looking for a relatively simplistic layout, and encrypted email - Proton is solid.

    2. Re:How about Proton mail? by Zmobie · · Score: 1

      You do know the summary is about Nomx, not Proton mail, right? Are you sure you read it? They are two COMPLETELY different things. Are you referring to a review of Proton mail because I have found no such review in the 5 seconds of Google searching....

    3. Re:How about Proton mail? by Holi · · Score: 2

      How do you get around the blacklists, reverse dns issues, and port blocks?

      --
      Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
    4. Re:How about Proton mail? by wardrich86 · · Score: 0

      I didn't see anything in the summary or the article about Proton. To further that point, why would you use Gmail if you want something secure, and what the hell is a $5 gmail mailbox?

    5. Re:How about Proton mail? by Holi · · Score: 1

      Oh sorry you are talking off topic

      --
      Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
    6. Re:How about Proton mail? by Anonymous Coward · · Score: 5, Informative

      I use protonmail too and it seems to be about as secure as webmail could possibly be.

      The good:
      -hosted in Switzerland at CERN, away from the "five eyes".
      -Switzerland has data privacy in its constitution.
      -Unfortunately sometimes the authorities in Switzerland will ask information about a user and protonmail has to cooperate. But this happens rarely and always shows up on their quarterly transparency report. And they /don't/ have access to old messages on your account
      -your account logs every sign-in attempt and if it succeeded or failed, so you can tell if someone is trying to guess your password
      -your emails are symmetrically encrypted against your password, so they can't access your old emails without you even if they tried. (and a side effect of that is if you forget your password, they can recover your account, but not your old emails)
      -when two protonmail accounts email each other, it uses end-to-end encryption straight from one browser to the other
      -they have a work-around for emailing insecure accounts: you can choose to just send them clear text OR you tell someone a password in advance then instead of sending them your email message, it emails them a link to an encrypted protonmail webpage with your message in it. It's awkward but it's an option.

      The bad:
      -They put a signature in every email "sent from protonmail secure email". If you want to delete it you need to do it manually. Disabling it is a premium feature you have to pay for. ...IMO, beats NSA spying.

    7. Re:How about Proton mail? by zlives · · Score: 1

      pretty sure the monster said 3.50

    8. Re:How about Proton mail? by kelemvor4 · · Score: 1

      > Um. you did read the review right? It's not secure AT ALL. Extremely easy to hack and has a backdoor admin account with an outrageously simple password. Do yourself a favor and spend 5 bucks a month for a gmail mailbox.

      Since when has gmail not been free? LOL gmail is pretty awful, and there you go taking away the one thing it's got going for it.

    9. Re:How about Proton mail? by Anonymous Coward · · Score: 0

      Oh, one thing I forgot to mention: they have no ads at all. Not so much as a single banner ad, so there's no one pressuring them to profile their users.

    10. Re:How about Proton mail? by whitlocktj · · Score: 0

      Ignore previous post, I thought the topic was still nomx.

    11. Re:How about Proton mail? by whitlocktj · · Score: 0

      G suite is better than nomx. That's what my point was, supposing someone wants to use their own domain. Obviously I missed the part about Proton.

    12. Re: How about Proton mail? by Anonymous Coward · · Score: 0

      I ain't giving you no tree fiddy.

    13. Re:How about Proton mail? by Anonymous Coward · · Score: 0

      When I ran my mail server on my DSL line (before I moved to where the DSL was even slower so I switched to Comcast/Xfinity) I dealt with that by having an awesome ISP: https://sonic.net/

    14. Re:How about Proton mail? by Anonymous Coward · · Score: 0

      Bad:

      Their entire security model assumes interested entities can't get a CA to sign a certificate for the protonmail domain, and inject JS into the browser session to ship off your decrypted-in-memory emails to a 3rd party.

    15. Re:How about Proton mail? by lucm · · Score: 1

      It's the business version, now called G Suite. It has more features, for instance you can assign many domain names to your account or login with a dongle, so it's a good solution for a small business. Office 365 has a similar offering.

      --
      lucm, indeed.
    16. Re:How about Proton mail? by Anonymous Coward · · Score: 0

      > Disabling it is a premium feature you have to pay for.

      So... it's good but not "$5/month good".

  3. sorry... by eneville · · Score: 1, Funny

    Sorry but most secure email server is qmail. End of. That also can run on a pi.

  4. "world's most secure" = "hack me, I'm yours" by evolutionary · · Score: 2

    Claims like that are just hacker bait. First point of security, don't broadcast the strength of your security.

    --
    "Imagination is more important than knowledge" - Einstein
    1. Re:"world's most secure" = "hack me, I'm yours" by Anonymous Coward · · Score: 0

      > First point of security, don't broadcast the strength of your security.

      First point of marketing: don't listen to the eggheads... all they do is ruin a good selling point.

  5. Sure...if I had physical access to the device... by Mindragon · · Score: 0, Troll

    https://www.nomx.com/ No nomx user was affected by this threat. No nomx user could be affected by this threat in the future. No nomx data was compromised, and the blogger has (finally) reluctantly verified this. He still has not publicly shared these statements, except via an email response to the BBC when directly asked on April 25 the response was: From the BBC to nomx: "I understand from your replies that you state categorically that no nomx accounts have been affected by this hack. I have put your questions to [blogger] who has confirmed to me that he cannot say that any have." While nomx is no longer based on Raspberry devices, we still maintain that the users' data is secured as we’ve demonstrated to the blogger, the media and our customers. For Media: We request that any media desiring to profile nomx security or this blogger to use this website with attribution to nomx (www.nomx.com) and to also include the statistics below. Due to large number of interested media, we are not able to respond to every reporter directly within the deadlines imposed and believe it is only fair to share with all media these same details. We invite all media who care to see an onsite demonstration of the nomx in action request and schedule a time in the Washington, DC or NYC areas in the coming weeks. We will provide a nomx and allow video, use of the nomx and any third parties to attempt to access the device.
For Media - Some statistics: Number of nomx accounts that have been compromised since inception: 0 Number of Gmail accounts that have been compromised in the United States (from 2014): About 5 million to 24 million depending on source Number of other cloud-based emails compromised as of 2016 = 272 million Number of Yahoo accounts (including email) compromised 2013-2016: more than 1 billion The Future: nomx is now finalizing the “Cloud in Your Attic” server that also includes an internal nomx email server, and a host of other servers that maintain users’ personal data off the clouds that are regularly attacked daily. nomx ensures absolute privacy for personal and commercial email and messaging. Today's digitally connected world may feel modern, but the core of how we communicate online is based on 50-year-old code and protocols that expose every one of us to significant security risks whenever we send information across the internet. In the last two years alone, every major email service provider was hacked, exposing the private information of millions of people to cybercriminals. nomx ensures absolute security and privacy when communicating online by resolving issues with the Transmission, Routing, Acceptance, Communication header data, Encryption and Storage (TRACES) vulnerabilities that have been present in email since its creation.

    --
    Just add {In Space!} to anything.
  6. Re:Sure...if I had physical access to the device.. by evolutionary · · Score: 2, Insightful

    Uh, this feels like something posted by a Nomx employee...

    --
    "Imagination is more important than knowledge" - Einstein
  7. I know a free way to make an email server... by evolutionary · · Score: 1

    Just learn the basics of postfix or qmail on a FreeBSD server (you could use Debian or CentOS but, FreeBSD is supposedly best for security applications).

    --
    "Imagination is more important than knowledge" - Einstein
    1. Re:I know a free way to make an email server... by evolutionary · · Score: 1

      Sorry, I should have said OpenBSD. Think OpenBSD may be better than FreeBSD; both are still good, but OpenBSD had more specifics for security. Sorry about that slip.

      --
      "Imagination is more important than knowledge" - Einstein
    2. Re:I know a free way to make an email server... by rtb61 · · Score: 1

      Instead do something that will actually work. Learn the basics of law and legislating and write laws to protect the security of email. Don't think it will work, well, how secure is snail mail, a bloody paper envelope that can be steamed open, insecurity across the letter's entire path but lo and behold letters remain mostly secure. Want the same for email, encapsulate it and make it a criminal offence with severe penalties to illegally open that digital envelope and when it is not addressed to you do not open it. Keep in mind opening email contents that are not addressed to you is generally not a good idea, I got a bunch of them for a while and just forwarded them to http://www.acma.gov.au/theACMA... (I wonder what happened to those, I suspect phishing attacks and who were the naughty players involved).

      --
      Chaos - everything, everywhere, everywhen
  8. Re:Sure...if I had physical access to the device.. by Anonymous Coward · · Score: 0

    Holy wall of text, Batman!

  9. the best part by Anonymous Coward · · Score: 0

    The guy is doing his 'security research' with crappy tools on windows, so failllll

  10. You've heard of security through obscurity by Anonymous Coward · · Score: 0

    There is a new high tech method to security, make way for security through uselessness.

    Come at me, hack my email, even if you read all my email it doesn't matter, it's all useless.

    1. Re:You've heard of security through obscurity by Archangel+Michael · · Score: 1

      Hack me! My IP is 127.0.0.1

      Good Luck!

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    2. Re:You've heard of security through obscurity by Anonymous Coward · · Score: 0

      Hey! That's my IP address!

    3. Re: You've heard of security through obscurity by Anonymous Coward · · Score: 0

      No, it's my IP. First rule of hacking. Don't admit you're a hacker. Enjoy the FBI visit coming, hacker!

    4. Re:You've heard of security through obscurity by Anonymous Coward · · Score: 0

      That's eas#%&+NO CARRIER

    5. Re: You've heard of security through obscurity by Anonymous Coward · · Score: 0

      shut up i hack you

  11. Re: This was Hillary's e-mail solution. by Anonymous Coward · · Score: 0

    Hillary Swank has an email solution? Do tell! All along I thought she just had the long face.

  12. Re: Sure...if I had physical access to the device. by Anonymous Coward · · Score: 0

    I fell right asleep after he/she used brackets. Those brackets [ ] ..... zzzzzzzzzzzzzzzzzz

  13. Nomx has a reply on their site by zerofoo · · Score: 2, Interesting

    It appears the "hack" requires local hardware access to accomplish:

    https://nomx.com/

    The BBC provided the nomx devices for testing to a UK-based blogger who physically disassembled and rooted one of the nomx devices. Rooting was done, in his words, by disassembling the nomx case, physically removing memory card from the Raspberry and inserting it into his PC, and then resetting the root password. That is not an action a typical user would do, nor is it routine for a nomx device.

    1. Re:Nomx has a reply on their site by EvilSS · · Score: 1, Interesting

      > It appears the "hack" requires local hardware access to accomplish:
      >
      > https://nomx.com/
      >
      > The BBC provided the nomx devices for testing to a UK-based blogger who physically disassembled and rooted one of the nomx devices. Rooting was done, in his words, by disassembling the nomx case, physically removing memory card from the Raspberry and inserting it into his PC, and then resetting the root password. That is not an action a typical user would do, nor is it routine for a nomx device.

      Yea but was all that part of the exploit, or just the blogger picking apart the system to find the holes in the first place? In other words, would any of the exploits the blogger claimed to discover work on an out-of-the-box device?

      --
      I browse on +1 so AC's need not respond, I won't see it.
    2. Re:Nomx has a reply on their site by Anonymous Coward · · Score: 5, Informative

      The statement on nomx's website is horribly misleading. None of the attacks described require physical access or rooting; the security researcher just did those things to help find things. The CSRF attacks he was performing would work on any out-of-the-box nomx device.

    3. Re:Nomx has a reply on their site by Anonymous Coward · · Score: 1

      He did that to *Discover* the vulnerabilities. Read his blog article. There's a hardcoded admin password to the web interface, it is vulnerable to countless vulnerabilities including simple cross site attacks, and literally no real security anywhere. Total scam.

    4. Re:Nomx has a reply on their site by Anonymous Coward · · Score: 0

      +1 on this.

    5. Re:Nomx has a reply on their site by Anonymous Coward · · Score: 0

      Yes. Literally all of them.

    6. Re:Nomx has a reply on their site by evolutionary · · Score: 1

      Even if the blogger's "attack" was local, the fact it came with outdated components means it is vulnerable to unpatched vulnerabilities that are known on the Internet. That alone is pretty bad. The Blogger just didn't make the attempt remotely yet. Doesn't mean it can't be done, especially with outdated security (OpenSSL, for example) components.

      --
      "Imagination is more important than knowledge" - Einstein
    7. Re:Nomx has a reply on their site by Anonymous Coward · · Score: 0

      The exploits were there in the unit shipped. He just gleaned information from "rooting" the device. It's filled to the brim with hardcoded passwords and insecure implementations.

      And by rooting he means pulling out the SD card and dumping an image because this supposedly production piece of hardware was a /raspberry fucking pi/ running an old version of the platform's most popular distro.

      He just plugged in a monitor and keyboard. No hunting for a JTAG. No soldering on some level shifters to get a usable serial port. No dumping and decrypting boot loaders. Technically he rooted it but it's not like it was difficult.

      Really. Just read the article. It gets much worse from there. It's a very amateur and hackish product that would barely pass as a proof-of-concept for a Kickstarter let alone something you'd ship.

    8. Re:Nomx has a reply on their site by sbrown7792 · · Score: 1

      Blog post is a long read but good.

      He reset the root account password so he could log in via ssh and poke around the filesystem. All the exploits he found were exploitable over the web interface (which is how the 'typical user' would interact with the device, using the default username/password of "admin@example.com" and "password") without the need to 'root' the system.

    9. Re:Nomx has a reply on their site by AmiMoJo · · Score: 1

      According to TFA an exploit is possible via a simple iframe on a random web page. Physical access just made finding it easier.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  14. LOL but they went to university! by Anonymous Coward · · Score: 0

    All these coders and "engineers" had the correct buzzword bingo to get past the women in HR...

    FAIL, you LOSERS!!!!

  15. Re:Sure...if I had physical access to the device.. by Anonymous Coward · · Score: 0

  16. Re:Sure...if I had physical access to the device.. by whitlocktj · · Score: 2, Insightful

    You fail to realize why this response is inadequate, fallacious, and utterly garbage.
    1) Of course no nomx data was compromised, it was a test machine
    2) How do they know that no nomx account has been compromised. They don't. They aren't a web service. This is a physical device, managed by individuals, not monitored by the company
    3) Even if no one has been compromised, that doesn't negate the real, high risk vulnerabilities
    4) Statistics don't tell a compelling story. Nomx is not used by billions of people, as such, the attack vector is statistically insignificant to warrant anyone's time to attempt to hack it. Furthermore, I highly doubt they can hold up to the same standards as Google/Yahoo, or any other company they list on their website as being hacked in recent years. Typical apples to oranges.
    5) 'In the last two years alone, every major email service provider was hacked' & `world's most secure email service` are unsubstantiated hasty generalizations. What's the criteria they're using exactly?
    6) 'nomx ensures absolute security and privacy when communicating online by resolving issues with the Transmission, Routing, Acceptance, Communication header data, Encryption and Storage (TRACES) vulnerabilities that have been present in email since its creation.' How convenient. A snakeoil promise for problems that are extremely vague. Sounds like a strawman to me. Never even heard of the term T.R.A.C.E.S. And what exactly is it resolving with routing? Is this a router? Did they provide a new routing protocol? RIPv2 or OSPF isn't good enough for them? The BS meter is full.

  17. Re:Sure...if I had physical access to the device.. by networkBoy · · Score: 2

    nevermind this:

    > future devices would be built around different chips that would also be able to encrypt messages as they travelled.

    So it's a fail right off the bat if it doesn't encrypt the mail in the first place.

    --
    whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
  18. Now they did it ... by Anonymous Coward · · Score: 0

    "To date, no Nomx accounts have been compromised."

    I sense a great disturbance in The Force, as if millions of voices cried out, "Challenge Accepted".

  19. Re: A few points: by Anonymous Coward · · Score: 0

    Ya kinda had me up until the part about the fax machines. Didn't the leaks show even faxes were being all caught up in the dragnet and recorded?

  20. Re:Sure...if I had physical access to the device.. by IMightB · · Score: 3, Interesting

    What exactly does that mean... encrypt as they travel? As someone that spent nearly a decade at a SaaS email security firm, SMTPS is only PtoP. If there are points in between, there's a chance that your email will have an unencrypted hop. Otherwise you're looking at GPG/SMIME solutions... based on the info provided, I don't see what they are doing any different other than providing a "dedicated" box....

  21. Who can use this? by Holi · · Score: 1

    They are selling a mail server for who? It's not like you can run this device on a residential internet account, at least not here in the US. Running a server is against most major ISP's TOS and the majority block smtp ports. Since reverse DNS will not resolve correctly you will be blacklisted by every major email provider. So who exactly is this for?

    --
    Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
    1. Re:Who can use this? by Anonymous Coward · · Score: 3, Funny

      Hillary?

    2. Re:Who can use this? by Anonymous Coward · · Score: 0

      I'm guessing they are trying to be the "gatekeeper" for the devices, so you get a (sub)domain subscription via the startup that acts to be your personal server's proxy.

    3. Re:Who can use this? by Holi · · Score: 1

      No mention of anything like that on their site and their setup directions make it seem like that is not the case as you have to forward smtp ports.

      --
      Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
  22. Grow up & "1.37 billion chinese can't be wrong by Anonymous Coward · · Score: 0, Troll

    See subject: & this is interesting (IMITATION = SINCEREST FORM OF FLATTERY) http://www.theregister.co.uk/2017/04/26/boffins_supercharge_the_hosts_file_to_save_users_plagued_by_dns_outages// China's academy of science supercharge hosts file to save users plagued by DNS outages for a backup

    APK

    P.S.=> Enjoy being downmodded as a troll also fool... apk

  23. 21st century snake oil salesman by Kjella · · Score: 1

    Who would think that unscrupulous people would trick people... now excuse me while I help this Nigerian prince rescue his fortune.

    --
    Live today, because you never know what tomorrow brings
    1. Re:21st century snake oil salesman by sconeu · · Score: 1
      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
  24. You say yes, I say no by Anonymous Coward · · Score: 0

    should I stay, or should I go
    will it sink, or will it float
    aim high, or aim low
    we drive on the left, or we drive on the right
    always prepared right, seatbelt fastened right
    how long until the smell escapes, and where do you get the new filters
    how long was I out for, and why does it hurt when I pee
    metric or imperial vs imperial or metric
    pikachu or team rocket
    on or off
    yes not no
    no not yes
    is yes or no equal two yesnos
    sir what time is it, and do you have any grey poupon

    some /. people were pointing out, I never ask any irrelevant questions. while you could possibly be right about that, you know, the quality type questioning should make it evident I am equal at least to a shiny stupid new "interrogat0r 2030" but just think, I trained a Lot of pplz to eat their daily mems and probably save the lives of many many fake plastic test dummies brain cavity personally with only the one left bicep in pain, mostly, think shiny red fire engines and happy people with birds chirping. That's my wrath. Now either lead or get out of my way.

    now that you see my quality production, you know you can feel like a GOD in comparison, so have a nice fork and shell each day, thank god you're not a weenie

  25. Really? by argStyopa · · Score: 1

    Isn't OpenPGP pretty much the best security one could reasonably hope for, for emails?

    --
    -Styopa
    1. Re:Really? by arth1 · · Score: 1

      That depends on what you mean by "reasonably".
      I have worked for an entity where some e-mail communication used one-time-pads, exchanged in person. The e-mails were padded with a large but random amount of null data so the length wouldn't give anything away either, and read/written on airgapped machines, with only encrypted data leaving or entering the secure room.
      That's not too much work, given that e-mail is relatively low volume, and even huge pads can easily be held on tiny pieces of media these days. Getting a microSD card from A to B is within reason, and the encryption/decryption is simplicity itself (XOR).
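
The one-time-pad scheme described in the comment above, as an added example that is not part of the original thread: the message is framed, filled out with a random number of null bytes, and XORed with pad bytes that are never used twice. The 4-byte length prefix, the cleartext pad-offset header, the fill range and all names here are assumptions made for the illustration.

```python
import secrets
import struct


class PadError(Exception):
    """Pad exhausted, or a message points at pad bytes already consumed."""


class OneTimePad:
    """One party's copy of pad material exchanged in person (hypothetical helper).

    Use a separate pad per direction so two senders never pick the same offset.
    XOR gives confidentiality only; this sketch does not authenticate messages.
    """

    def __init__(self, material: bytes):
        self._material = material
        self._next = 0  # index of the first pad byte that has never been used

    def remaining(self) -> int:
        return len(self._material) - self._next

    def _consume(self, offset: int, length: int) -> bytes:
        # A pad byte may key exactly one message byte; reuse breaks the scheme.
        if offset < self._next:
            raise PadError("pad bytes at this offset were already used")
        if offset + length > len(self._material):
            raise PadError("not enough pad material left")
        self._next = offset + length
        return self._material[offset:offset + length]

    def encrypt(self, message: bytes, min_fill: int = 256, max_fill: int = 4096) -> bytes:
        # Assumed frame: 4-byte length || message || random count of null bytes,
        # so the ciphertext length says little about the message length.
        fill = min_fill + secrets.randbelow(max_fill - min_fill + 1)
        frame = struct.pack(">I", len(message)) + message + bytes(fill)
        offset = self._next
        key = self._consume(offset, len(frame))
        body = bytes(p ^ k for p, k in zip(frame, key))
        # The pad offset travels in clear: it reveals position, not content.
        return struct.pack(">Q", offset) + body

    def decrypt(self, wire: bytes) -> bytes:
        if len(wire) < 12:
            raise ValueError("message too short")
        (offset,) = struct.unpack(">Q", wire[:8])
        body = wire[8:]
        key = self._consume(offset, len(body))  # rejects replays and reused offsets
        frame = bytes(c ^ k for c, k in zip(body, key))
        (length,) = struct.unpack(">I", frame[:4])
        if length > len(frame) - 4:
            raise ValueError("corrupt frame: declared length exceeds payload")
        return frame[4:4 + length]


if __name__ == "__main__":
    pad = secrets.token_bytes(20000)  # constructed sample pad
    sender, receiver = OneTimePad(pad), OneTimePad(pad)
    wire = sender.encrypt(b"meet at noon")
    print(len(wire), receiver.decrypt(wire), receiver.remaining())
```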

  26. NoMX's Response by randomErr · · Score: 1
    If you go to their home page they have a long winded response. Basically what they said was:
    • This was either a prototype sent to the media or early adopter edition made on RPi's for people who didn't want to wait for the final version
    • The old software's vulnerabilities were few and you needed physical access to exploit
    • The prototype version is still secure but should be upgraded
    • We stand behind our claims on production grade equipment.

    So take what you want from that.

    --
    You say things that offend me and I can deal with it. Can you?
    1. Re:NoMX's Response by sbrown7792 · · Score: 4, Informative

      > The old software's vulnerabilities were few and you needed physical access to exploit

      The researcher/blogger needed physical access to discover the exploits, but the CSRF attacks can be embedded onto any webpage; he even provides the code in his blog post.

      Side note: I'd suggest watching the nomx videos about "How it Works". Quality.

    2. Re:NoMX's Response by Anonymous Coward · · Score: 0

      If he provided the code in the blog post how come no one has posted that it works?

    3. Re:NoMX's Response by Anonymous Coward · · Score: 0

      Personally, I don't want to send these folks $200 for a raspberry pi just so I can prove to myself how bad their product is...

  27. Clever claim by BlackPignouf · · Score: 2

    "Everything else is insecure" is actually a pretty clever claim. It doesn't tell anything about their security.

  28. Re:Sure...if I had physical access to the device.. by Anonymous Coward · · Score: 0

    From the summary: nomx is insecure. nomx is easily hacked. nomx is built on hyperbole.

    Bluntly, it doesn't sound like nomx knows what the fuck they're doing.

  29. Re:A few points: by ctilsie242 · · Score: 1

    There is also the fact that you can spend $75 + the cost of a hard disk and buy a single drive Synology or QNAP NAS which can run as a mail server, running sendmail/postfix, dovecot IMAP, and roundcube. To boot, it can back itself up to another NAS, an external HDD, Amazon S3, etc.

    I'd rather just have my mail handled via O365 or an Exchange hosted provider. If I have something that sensitive, I arrange to use PGP or S/MIME with the other party... or perhaps use another medium for discussion.

  30. Re:A few points: by unrtst · · Score: 2

    > 1. Most ISPs don't allow residential customers to run an email service of their own.

    Wrong. Sometimes, you may have to ask to have the port opened, but most allow it.

    > many domains will reject any email out-of-hand that's sent from just some random IP address

    Set it up correctly. Set up the various SPF records and other such stuff. That'll greatly reduce the impact of this.
    Furthermore, you *can* get your own static IPv4 IP that isn't in those blocks, and/or you can use a virtual server and forward that stuff, and/or you can use IPv6 to route around it, and/or you can use a different outbound SMTP server or forward through one. There are lots of ways around this trivial issue.

    > Why even bother with this when there's something like Proton Mail out there ...

    Using a common service/server is one of the primary things this product is trying to avoid, as is using hardware/storage someone else owns (virtual servers / hosting / cloud / etc). There's nothing wrong with that part of the theory.

    > If you don't want to use a service like Proton Mail, what's wrong with using your own end-to-end encryption?

    It relies on accessible and verifiable public keys and integration with the client software. That works within protonmail because all users get keys and can share public keys (AFAICT). Doing it yourself means pgp/gpg or s/mime, and both parties must have that, and there's no encryption of email headers (including TO, FROM, and SUBJECT) with those, so they won't be protected once they leave your server.

    > If you're really so worried about someone hacking into your communications over the Internet, then why are you even bothering with email in the first place?

    What type of argument is that? Probably shouldn't use http either, nor facebook, nor any instant messenger, nor any search engine, nor the internet... heck, you should probably completely disconnect from every external line and seal yourself in a faraday cage within a bunker underground.
    Email has loads of benefits and is still the most widely used (head count) communication platform. It's certainly capable of sending an encrypted payload and the delivery mechanism is very well established... why not use it?

    None of this means this product is good or worthwhile, but a secure communication appliance *could* be done right.

  31. qmail by RCourtney · · Score: 1

    As far as I am aware, the only MTA that hasn't been hacked in a real-world situation is qmail, which is why it is still in use (and mostly unmodified - netqmail patches being the exception) since 1998.

  32. You're welcome... apk by Anonymous Coward · · Score: 0

    See above: Hosts protect vs. malicious email payloads & interesting = http://www.theregister.co.uk/2017/04/26/boffins_supercharge_the_hosts_file_to_save_users_plagued_by_dns_outages/ China's academy of science supercharge hosts file to save users plagued by DNS outages for a backup - yes folks IMITATION = SINCEREST FORM OF FLATTERY...

    * "1.37 BILLION CHINESE CAN'T BE WRONG" - some fool took that from +1 down to 0 insightful & then 0 troll (gosh - I wonder who did that (not)).

    (However the "1st hosts" stuff isn't necessary & I'm merely the broker of said protective information (that also speeds you up UNLIKE ANY OTHER "so-called 'solution'"))

    APK

    P.S.=> Especially Chinese via academia can't be wrong (per the old adage w/ an asterisk above)... apk