Nomx Secure Mail Server: $ 200 Fraud



    The creators of the $200 portable Nomx device do not skimp on superlatives. They claim "the most secure communication protocol in the world." The gadget supposedly provides "absolute privacy of personal and commercial communications." The vendor successfully plays on users' fear of cloud mail services being hacked, and not without reason: not a single major mail provider has avoided a massive account leak in recent years; they really are compromised constantly. Many users care a great deal about the security of their personal mail, and they are eyeing the Nomx home mail server. "Number of Gmail accounts compromised in the US (since 2014): from 5 million to 24 million. Number of compromised accounts on other cloud services in 2016: 272 million. Number of Yahoo accounts (including email) compromised in 2013-2016: more than 1 billion. Number of Nomx accounts compromised since the device was released: 0."

    Such is the advertisement. Now the vendor can safely replace that zero with a one, or with an infinity sign. In fact, it turned out that the security of the mail server is, to put it mildly, exaggerated. That is, there is practically no protection at all.

    Security specialist Scott Helme was one of those invited to analyze the Nomx security system for the BBC Click television programme. The company provided the programme with two units of the advertised device, hoping for free PR. It did not turn out that way.

    Scott Helme said that "the most secure communication protocol in the world" is in fact one big hole.

    Opening the "box" showed that it is half empty. In one corner of the large enclosure sits a Raspberry Pi board worth a few tens of dollars.

    Naturally, the memory card can simply be removed from the Raspberry Pi and a copy of the mailboxes made. Oddly enough, the Raspbian system is running with its default settings, and changing the root password is not difficult either.

    The developers' general approach to security is alarming: the system runs old software:

    • Raspbian GNU/Linux 7 (wheezy) - last updated May 7, 2015
    • nginx/1.2.1 - released June 5, 2012
    • PHP 5.4.45-0+deb7u5 - released September 3, 2015
    • OpenSSL 1.0.1t - May 3, 2016
    • Dovecot 2.1.7 - May 29, 2012
    • Postfix 2.9.6 - February 4, 2013
    • MySQL Ver 14.14 Distrib 5.5.52 - September 6, 2016

    This is very strange, since the device was presumably assembled fairly recently.

    Scott Helme then discovered a number of vulnerabilities in the Nomx web application.

    The master (setup) password hash is easily cracked, and the minimum password length on the device is 5 characters, so he was able to recover the master password without difficulty.

    For some reason, the device supports setting up a mail server on a new domain only if the domain is purchased from the GoDaddy registrar.

    The deeper the expert dug into the device, the more it looked like some kind of fake. For example, when a "handshake" and a direct connection between two Nomx servers was supposedly established, no traffic at all was observed on the network.

    Testing the Nomx web application revealed multiple XSS and CSRF vulnerabilities. An attacker can easily create and delete mailboxes, add domains, and do almost anything else on the victim's mail server.

    A new mailbox is created by this request:

    POST http://192.168.1.102/create-mailbox.php?domain=testingnomxsecurity.com HTTP/1.1
    Host: 192.168.1.102
    Cookie: PHPSESSID=39r4bb36385te1seds0dgtpt87
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 127

    fUsername=csrf&fDomain=testingnomxsecurity.com&fPassword=csrf&fPassword2=csrf&fName=csrf&fActive=on&fMail=on&submit=Add+Mailbox

    In addition, an extraneous admin account that Scott had not created was found on the device, with the password "password". This account gives complete control over the device. Moreover, via CSRF through the web application, an attacker can create their own admin account on the server.
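    The request above carries nothing but a session cookie, which is exactly why a page on another site can forge it. The handler below is an added example, not Nomx's code, showing how the create-mailbox endpoint would look with a per-session CSRF token, an Origin check, a real minimum password length (instead of the device's 5 characters), a proper password hash and output encoding against XSS; it assumes a hypothetical create_mailbox() helper that writes the account.

```php
<?php
// Added example (not Nomx code): a hardened create-mailbox.php handler.
// Assumes a hypothetical create_mailbox($domain, $user, $hash) helper exists.
session_start();

// Issue one random CSRF token per session; the form echoes it back in a hidden field.
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

function csrf_ok(array $post, array $server): bool {
    // 1. The token submitted with the form must match the session token (constant-time compare).
    $sent = $post['csrf_token'] ?? '';
    if (!is_string($sent) || !hash_equals($_SESSION['csrf_token'], $sent)) {
        return false;
    }
    // 2. Defence in depth: if the browser sent an Origin header, it must be this host.
    $origin = $server['HTTP_ORIGIN'] ?? null;
    if ($origin !== null) {
        $scheme = empty($server['HTTPS']) ? 'http://' : 'https://';
        if ($origin !== $scheme . $server['HTTP_HOST']) {
            return false;
        }
    }
    return true;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') { http_response_code(405); exit; }
if (!csrf_ok($_POST, $_SERVER)) { http_response_code(403); exit('Invalid CSRF token'); }

$user   = $_POST['fUsername'] ?? '';
$domain = $_POST['fDomain'] ?? '';
$pass   = $_POST['fPassword'] ?? '';

// Validate input rather than trusting it, and reject the short passwords the device allows.
if (!preg_match('/^[a-z0-9._-]{1,64}$/i', $user)
    || !filter_var($domain, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME)
    || strlen($pass) < 12
    || $pass !== ($_POST['fPassword2'] ?? null)) {
    http_response_code(400); exit('Bad input');
}

// Store a salted bcrypt hash, never the password or a fast unsalted hash.
create_mailbox($domain, $user, password_hash($pass, PASSWORD_DEFAULT));

// Encode anything reflected into HTML so a crafted username cannot become stored XSS.
echo 'Created ' . htmlspecialchars("$user@$domain", ENT_QUOTES, 'UTF-8');
```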

    Scott Helme concludes that the Nomx advertising, and the device itself, should be considered fraud. This "box" built on a Raspberry Pi provides no security whatsoever. It simply serves as a means of extracting money from users who have been frightened and fed nonsense. The company's founder, CEO and CTO, Will Donaldson, goes to conferences and proclaims the "absolute security" of Nomx.

    Helme warned Donaldson about the vulnerabilities a month ago and demonstrated them clearly to him during a Skype call. But Donaldson did not lift a finger to fix the situation, or even to warn users.

    On its official website, Nomx acknowledged the hacking of its device in a peculiar way. A post on the official blog is titled "Nomx passed security tests after blogger announced penetration of Nomx". The company said these were merely demonstration units handed out to journalists, and that the "real" Nomx would not use a Raspberry Pi. Presumably they intend to use a more secure configuration and fresh, fully patched software (at the very least, to introduce an update mechanism), and the web application vulnerabilities mentioned above will have to be eliminated. Once all the bugs are fixed and the price drastically reduced, the Nomx mail server might have prospects as a commercially successful product, although it is unlikely that anything worthwhile can be made from this fake.

    The Nomx case shows how a good idea and the right way of thinking (setting up a secure personal mail server at home) can be implemented very poorly in practice, and that is without even mentioning the overpriced device. Donaldson will have to do some serious work on the bugs, and he is unlikely to dare to proclaim "the most secure communication protocol in the world" again.
