One researcher took a look at Nomx and cracked it open

Apr 27, 2017 23:14 GMT  ·  By

A service proclaiming to be the most secure in the world is anything but that, a researcher says, after discovering plenty of critical vulnerabilities. 

Nomx, a startup that's trying to change the way we do email by setting up our own private servers, touts that its product "ensures absolute security and privacy." The reality is that we should all probably run screaming when we see such words in a product's description because it's been proven time and time again that the truth is a lot different.

Security researcher Scott Helme says the $199 device Nomx is selling is far from what it says it is. In fact, as Helme discovered, the box holds a Raspberry Pi with outdated software and plenty of bugs. He adds that the code is riddled with "bad examples of how to do things." Ouch!

The researcher found plenty of issues with the Nomx product as a whole, but perhaps the most dangerous one was the fact that its web application came packed with a vulnerability that allowed just about anyone to take full control of the device remotely via a simple visit to a malicious website. The result was that he could read, send and delete emails, or even create a new email address.

More specifically, the Nomx web app is vulnerable to cross-site request forgery (CSRF), a common attack technique in which a page you visit silently submits requests to another site where your browser is already logged in. If you visit such a malicious website, you hand the attacker access to your email account running on Nomx.
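The defence against the CSRF weakness described above, as an added illustration that is not Nomx's own code: a stand-in "create mailbox" handler that acts on any request carrying a session cookie (the vulnerable pattern) beside one that also requires a per-session token and checks the request's Origin. The `Session` class, the `address` form field and the `own_origin` value are assumptions for this example.

```python
import hmac
import secrets


class Session:
    """Constructed stand-in for the device's server-side session store."""

    def __init__(self, user):
        self.user = user
        # Unpredictable per-session token; the hardened form embeds it.
        self.csrf_token = secrets.token_urlsafe(32)
        self.mailboxes = []


def issue_form(session):
    """Render the 'create mailbox' form as the hardened app would serve it."""
    return {"action": "/mailbox/create", "csrf_token": session.csrf_token}


def vulnerable_create_mailbox(session, form, origin=None):
    """Trusts the session cookie alone, so a form auto-submitted by any
    other site the victim visits is accepted as if the victim sent it."""
    session.mailboxes.append(form["address"])
    return 200


def hardened_create_mailbox(session, form, origin=None,
                            own_origin="https://nomx.local"):
    """Reject state-changing requests that arrive from a foreign origin or
    that lack the token tied to this session (constant-time comparison)."""
    if origin is not None and origin != own_origin:
        return 403
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, session.csrf_token):
        return 403
    session.mailboxes.append(form["address"])
    return 200
```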

As Motherboard points out, the Nomx CEO was quick to slam the report, saying that newer Nomx devices don't run on Raspberry Pi and that the device Helme was given for testing purposes was rooted and old. Furthermore, in order for such an attack to work, users would have to have the email account page open.

Outdated software

According to Helme's list, the most recent version of software on the device was released in September 2016, with the oldest going back to May 2012.

"It's interesting to see such outdated versions of software on there. If the device was built even remotely recently, I'm not sure how you'd end up with such seriously old versions installed. I had a look for any auto-update mechanism that I could find but couldn't see anything on there," Helme notes.

Then there's the fact that every time he tried to send an email, the messages bounced back. Unless you send an email to someone else using Nomx (which is recognized via a "handshake" between the devices), the thing won't work as it should and the emails may very well end up on insecure mail servers.

Helme documents many more problems he discovered in his lengthy and very detailed report.