A service that claims to be the only way to do email in a secure way is actually riddled with flaws, opening it up to hackers, according to a researcher.
Being the owner of an email address can be a pain in the butt. Other than the barrage of back-and-forth daily messages and the reply all apocalypses, there’s always the risk that someone hacks into it and your most intimate, confidential emails all of a sudden end up on WikiLeaks.
It’s fair to say that perhaps emails aren’t the most secure way of communicating among ourselves these days. That’s why a startup called Nomx is trying to change the way we do email with something that, according to its website, “ensures absolute security and privacy.”
“DID YOU KNOW THAT EVERY SINGLE MAJOR EMAIL PROVIDER HAS BEEN HACKED?” shouts the site, whose tagline is “everything else is insecure.”
Nomx sells a $199 device that essentially helps you set up your own email server in an attempt to keep your emails away from mail exchange (or MX)—hence the brand name—servers, which the company claims to be inherently “vulnerable.”
Security researcher Scott Helme took apart the device and tried to figure out how it really works. According to his detailed blog post, what he found is that the box is actually just a Raspberry Pi with outdated software on it, and several bugs. So many, in fact, that Helme wrote Nomx’s “code is riddled with bad examples of how to do things.”
“I could read emails, send emails, and delete emails. I could even create my own email address.”
The worst issue, Helme explained, is that the Nomx’s web application had a vulnerability that allowed anyone to take full control of the device remotely just by tricking someone to visit a malicious website.
“I could read emails, send emails, and delete emails. I could even create my own email address,” Helme told Motherboard in an online chat.
Helme found that Nomx’s web app was vulnerable to what’s known as a cross-site request forgery (CSRF) vulnerability. CSRF is a common web attack that tricks a victim’s computer into running malicious code. By visiting a malicious webpage, any Nomx user could give hackers access to their email account, according to Helme.
Will Donaldson, the CEO of Nomx, dismissed Helme’s research. In a long email response, he claimed that the CSRF vulnerability only works if the target has the Nomx management page open at the time they click on the malicious link (Helme said that’s incorrect) and that “the issue was previously resolved” after Helme reported it to the company. Donaldson also added that Helme tested his attack on a device he rooted and that was old. Newer Nomx devices, he added, don’t use a Raspberry Pi
Despite saying he’d be “happy to discuss” any “particular or unique questions,” Donaldson ignored a question on whether people with the old device would receive a patch, or whether there was even a patch at all. Instead, Donaldson suggested I ask Helme whether he could “unequivocally state and prove that any actual Nomx users emails were ever hacked,” and trotted out a bunch of statistics and news articles about famous email hacks such as the Yahoo breach or a 2014 apparent Gmail hack (that wasn’t). Donaldson also didn’t tell me how many people actually use Nomx.
In any case, it isn’t entirely clear what major problem Nomx is trying to fix. Unless both people communicating via email use Nomx, their messages will eventually get routed to supposedly insecure mail servers. That’s just how email works. Moreover, as the Hillary Clinton email server fiasco showed the world—just like with crypto—it’s probably not a great idea to try to do email by yourself. Instead, as many security researchers believe, it might be better to trust a company like Google or Microsoft, who employ some of the best security engineers in the world.
“The fundamental concept is flawed. Running your own mail server is hard and this puts you at greater risk,” Helme said. “I wouldn’t recommend anyone use this device.”