Posted 04-30-2017, 11:19 AM by yorkshire lass

BBC exposes flaws in 'world's most secure' email service
By Dan Simmons Click presenter

27 April 2017
From the section Technology

A BBC Click investigation has thrown doubt on claims that the small, personal email server Nomx can provide "absolute security".

Created by entrepreneur Will Donaldson, Nomx says it uses the "world's most secure communications protocol" to protect email messages.

But security analysts cracked the device's simple passwords and hacked its hardware and software.

Defending itself, Nomx disputed the way the tests were done on its gadget.
Hardware exposed

The Nomx personal email server costs from $199 - $399 (£155 - £310) and its publicity material claims it is designed to handle email communications for consumers.

It says that using a dedicated personal server, users can help to stop messages being copied and hacked as they travel to their destination across the net.

BBC Click asked security researcher Scott Helme and computer security expert Prof Alan Woodward, from the University of Surrey, to scrutinise Nomx. They were asked to assess whether it did let people send messages in a way that was secure against hacking and interception.

The investigation started by taking the device apart to find that it was built around a £30 Raspberry Pi computer. As the operating system for the Pi sits on a removable memory card, Mr Helme was able to download the device's core code so he could examine it closely.
[Image caption: Nomx has made strong claims for the protections its devices give to customers]

This allowed Mr Helme to run it as if he were the administrator for the device. He discovered that the software packages it used to handle mail were not proprietary and many were very old versions, five years old in one case, harbouring unpatched security bugs. Default passwords found in the code included "password" and "death".

Mr Helme also found many problems with the web interface Nomx uses to administer the secure email service. This was vulnerable to several widely known and easy to execute attacks that, if exploited, would give attackers control over a target's Nomx system.

He also found a way to create a hidden administrator's account on the Nomx box that would allow any attacker to fully compromise the gadget.

In addition, Mr Helme found more than 10 other issues with the Nomx box that left him "horrified" by its approach to security.

The analysis was reviewed by Paul Moore - an experienced tester of secure hardware.

Mr Moore said the Nomx was an "overpriced and outdated mail server" and used one of the "most insecure PHP applications" he had ever encountered.
Update cycle

In an emailed response to Click, Mr Donaldson thanked Mr Helme and Prof Woodward for finding and sharing information about Nomx's vulnerabilities.

Addressing the issue of old software, he said Nomx planned to let users choose which updates should be applied to their device.
[Image caption: Mr Helme was surprised to find the Nomx uses a Raspberry Pi computer]

"We will selectively allow users to pick and choose when that becomes available but today we're not forcing any types of updates," he said, adding that updates can introduce vulnerabilities.

"Updates actually cause a cascading effect and now you're patching patches and that is not a good place to be in," he told Click.

The default names and passwords found by Mr Helme were used to make it easy for customers to set up their device and they were encouraged to change it afterwards, he said.

Mr Helme said the set-up process for the Nomx was far from easy and at no point was he told to pick a new password.

Late on 27 April, Nomx published a strong defence of its product and disputed the way in which Mr Helme tested the device. Mr Donaldson said Mr Helme's tests were unrealistic, as they involved actions no typical user would undertake.

Nomx said the threat posed by the attack detailed by Mr Helme was "non-existent for our users".

Following weeks of correspondence with Mr Helme and the BBC Click Team, he said the firm no longer shipped versions that used the Raspberry Pi.

Instead, he said, future devices would be built around different chips that would also be able to encrypt messages as they travelled.

"The large cloud providers and email providers, like AOL, Yahoo, Gmail, Hotmail - they've already been proven that they are under attack millions of times daily," he said. "Why we invented Nomx was for the security of keeping your data off those large cloud providers.

"To date, no Nomx accounts have been compromised."

The BBC Click show dedicated to this investigation will air on 29 April on the BBC News Channel and iPlayer, where it will also be available afterwards.
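The two findings the article describes from reading the removable card offline, stale mail packages and default passwords hard-coded in the PHP admin interface, are exactly what a first pass over an extracted root filesystem should surface. The script below is an added example written for this page; it is not code from the BBC, from Mr Helme's assessment or from Nomx. It assumes a Debian-style `/var/lib/dpkg/status` file and PHP configuration of the `$CONF['key'] = 'value'` / `define('KEY', 'value')` shape; the package names, versions, reference versions and credentials in it are constructed inline so it runs offline, and the reference versions are a placeholder for whatever your distro's security tracker currently says.

```python
"""Offline audit of a mail appliance's extracted root filesystem.

Added example (not from the original article or the vendor). Inputs are
constructed here so the script runs stand-alone; on a real image you would
read /var/lib/dpkg/status and the web app's config files from the mount.
"""
import re

# --- constructed sample inputs (hypothetical, not taken from any device) ---
SAMPLE_DPKG_STATUS = """\
Package: postfix
Status: install ok installed
Version: 2.9.6-2

Package: dovecot-core
Status: install ok installed
Version: 1:2.1.7-7

Package: php5
Status: deinstall ok config-files
Version: 5.4.45-0+deb7u14
"""

SAMPLE_PHP_CONFIG = """\
<?php
$CONF['admin_email'] = 'admin@example.com';
$CONF['admin_pass'] = 'password';
define('DB_USER', 'mailadmin');
define('DB_PASSWORD', 'death');
$CONF['smtp_pass'] = 'X7#r9!qLmv2$';
"""

# Constructed reference: newest upstream release you would accept per package.
REFERENCE_VERSIONS = {"postfix": "3.1.4", "dovecot-core": "2.2.27"}

# Values that should never ship as a default credential.
WEAK_PASSWORDS = {"", "password", "admin", "123456", "death"}


def parse_dpkg_status(text):
    """Return {package: version} for stanzas whose Status ends in 'installed'."""
    installed = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = dict(re.findall(r"^(\w[\w-]*):\s*(.*)$", stanza, re.M))
        if fields.get("Status", "").endswith(" installed"):
            installed[fields["Package"]] = fields["Version"]
    return installed


def upstream_version(debian_version):
    """Strip the epoch ('1:') and the Debian revision ('-7') from a dpkg version."""
    return debian_version.rsplit(":", 1)[-1].split("-", 1)[0]


def version_key(version):
    """Numeric tuple for ordering; non-numeric components count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.+~]", version))


def outdated_packages(installed, reference):
    """Packages whose upstream version is older than the reference version."""
    return {
        name: (ver, reference[name])
        for name, ver in installed.items()
        if name in reference
        and version_key(upstream_version(ver)) < version_key(reference[name])
    }


# Assignments of a string literal to an array key or a define()d constant.
CRED_PATTERNS = [
    re.compile(r"""\$\w+\[\s*['"]([^'"]+)['"]\s*\]\s*=\s*['"]([^'"]*)['"]"""),
    re.compile(r"""define\(\s*['"]([^'"]+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)"""),
]
KEY_HINT = re.compile(r"pass|pwd|secret", re.I)


def find_hardcoded_credentials(php_source):
    """(key, value) pairs whose key looks like a password or secret."""
    found = []
    for pattern in CRED_PATTERNS:
        for key, value in pattern.findall(php_source):
            if KEY_HINT.search(key):
                found.append((key, value))
    return found


def weak_credentials(creds, weak=WEAK_PASSWORDS):
    """Subset of credentials whose value is on the weak/default list."""
    return [(k, v) for k, v in creds if v.lower() in weak]


def audit(dpkg_status, php_config):
    """Combine both checks into one report dict."""
    installed = parse_dpkg_status(dpkg_status)
    creds = find_hardcoded_credentials(php_config)
    return {
        "installed": installed,
        "outdated": outdated_packages(installed, REFERENCE_VERSIONS),
        "hardcoded": creds,
        "weak": weak_credentials(creds),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_DPKG_STATUS, SAMPLE_PHP_CONFIG)
    for name, (have, want) in report["outdated"].items():
        print(f"OUTDATED  {name}: installed {have}, reference {want}")
    for key, value in report["weak"]:
        print(f"WEAK CRED {key} = {value!r}")
```

The version comparison is deliberately simple (it ignores Debian's full ordering rules and distro backports, which carry security fixes under old upstream numbers), so treat "outdated" as a prompt to check the security tracker, not as proof of an unpatched bug. The credential check only catches literal strings assigned in PHP; secrets loaded from a database or environment need a separate pass.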