Nomx, which calls itself the world’s most secure mail service, has been exposed. The company charges $199 – $399 (£155 – £310) for its personal mail server, and its publicity material claims the device is designed to handle email communications for consumers.
The flaw was highlighted by the BBC, which cracked the device’s simple passwords and hacked its hardware and software. However, Nomx defended itself, saying that it doubts the way the tests were carried out on its devices.
Nomx said that through its dedicated personal server, users can help to stop messages being copied and hacked as they travel to their destination across the net.
BBC Click asked security researcher Scott Helme and computer security expert Prof Alan Woodward, who works for the University of Surrey, to scrutinise Nomx. The test was to find out whether it let people send messages in a way that was secure against hacking and interception.
The investigation started by taking the device apart to find that it was built around a £30 Raspberry Pi computer. As the operating system for the Pi sits on a removable memory card, Mr Helme was able to download the device’s core code so he could examine it closely.
This allowed Mr Helme to run it as if he were the administrator for the device. He discovered that the software packages it used to handle mail were not proprietary and many were very old versions, five years old in one case, which led to the detection of unpatched security bugs. Default passwords found in the code included “password” and “death”, which were commonly used. Apart from these flaws, Mr Helme also found many problems with the web interface Nomx uses to administer the secure email service. The test proved that the service is vulnerable to several widely known and easy-to-execute attacks that, if exploited, would give attackers control over a target’s Nomx system.