'World's Most Secure' Email Service Is Easily Hackable

Nomx, a startup that offers an email client by the same name, bills itself as the maker of the "world's most secure email service." The startup goes on to suggest that "everything else is insecure." So it was only a matter of time before someone decided to spend some time on assessing how valid Nomx's claims are. Very misleading, it turns out. From a report on Motherboard: Nomx sells a $199 device that essentially helps you set up your own email server in an attempt to keep your emails away from mail exchange (or MX) -- hence the brand name -- servers, which the company claims to be inherently "vulnerable." Security researcher Scott Helme took apart the device and tried to figure out how it really works. According to his detailed blog post, what he found is that the box is actually just a Raspberry Pi with outdated software on it, and several bugs. So many, in fact, that Helme wrote Nomx's "code is riddled with bad examples of how to do things." The worst issue, Helme explained, is that the Nomx's web application had a vulnerability that allowed anyone to take full control of the device remotely just by tricking someone to visit a malicious website. "I could read emails, send emails, and delete emails. I could even create my own email address," Helme told Motherboard in an online chat. A report on BBC adds: Nomx said the threat posed by the attack detailed by Mr Helme was "non-existent for our users." Following weeks of correspondence with Mr Helme and the BBC Click Team, he said the firm no longer shipped versions that used the Raspberry Pi. Instead, he said, future devices would be built around different chips that would also be able to encrypt messages as they travelled. "The large cloud providers and email providers, like AOL, Yahoo, Gmail, Hotmail - they've already been proven that they are under attack millions of times daily," he said. "Why we invented Nomx was for the security of keeping your data off those large cloud providers. To date, no Nomx accounts have been compromised."

First HOSTS

My hosts file protects me and my email from hackers. Thanks APK!

Re:Sure...if I had physical access to the device..

[evolutionary]

Uh, this feels like something posted by a Nomx employee...

Re:Sure...if I had physical access to the device..

[whitlocktj]

You fail to realize why this response is, inadequate, fallacious, and utterly garbage. 1) Of course no nomx data was compromised, it was a test machine 2) How do they know that no nomx account has been compromised. They don't. They aren't a web service. This is a physical device, managed by individuals, not monitored by the company 3) Even if no one has been compromised, that doesn't negate the real, high risk vulnerabilities 4) Statistics don't tell a compelling story. Nomx is not used by billions of people, as such, the attack vector is statistically insignificant to warrant anyones time to attempt to hack it. Furthermore, I highly doubt they can hold up to the same standards as Google/Yahoo, or any other company they list on their website as being hacked in recent years. Typical apples to oranges. 5) 'In the last two years alone, every major email service provider was hacked' & `world's most secure email service` are unsubstatianted hasty generalizations. What's the criteria they're using exactly? 6) 'nomx ensures absolute security and privacy when communicating online by resolving issues with the Transmission, Routing, Acceptance, Communication header data, Encryption and Storage (TRACES) vulnerabilities that have been present in email since its creation.' How convenient. A snakeoil promise for problems that are extremely vague. Sounds like a strawman to me. Never even heard of the term T.R.A.C.E.S. And what exactly is it resolving with routing? Is this a router? Did they provide a new routing protocol? RIPv2 or OSPF isn't good enough for them? The BS meter is full.